2007-07-11 16:18:17 +02:00
|
|
|
#!/bin/sh
|
|
|
|
|
#
|
|
|
|
|
# Copyright (c) 2007 Johannes Schindelin
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
test_description='Test shared repository initialization'
|
|
|
|
|
|
|
|
|
|
. ./test-lib.sh
|
|
|
|
|
|
2008-10-17 04:32:14 +02:00
|
|
|
# Remove a default ACL from the test dir if possible.
|
|
|
|
|
setfacl -k . 2>/dev/null
|
|
|
|
|
|
2008-04-16 10:34:24 +02:00
|
|
|
# User must have read permissions to the repo -> failure on --shared=0400
|
|
|
|
|
test_expect_success 'shared = 0400 (faulty permission u-w)' '
|
|
|
|
|
mkdir sub && (
|
|
|
|
|
cd sub && git init --shared=0400
|
|
|
|
|
)
|
|
|
|
|
ret="$?"
|
|
|
|
|
rm -rf sub
|
|
|
|
|
test $ret != "0"
|
|
|
|
|
'
|
|
|
|
|
|
2008-10-20 07:51:17 +02:00
|
|
|
modebits () {
|
|
|
|
|
ls -l "$1" | sed -e 's|^\(..........\).*|\1|'
|
|
|
|
|
}
|
|
|
|
|
|
2008-07-12 03:15:03 +02:00
|
|
|
for u in 002 022
|
|
|
|
|
do
|
2009-03-13 22:55:27 +01:00
|
|
|
test_expect_success POSIXPERM "shared=1 does not clear bits preset by umask $u" '
|
2008-07-12 03:15:03 +02:00
|
|
|
mkdir sub && (
|
|
|
|
|
cd sub &&
|
|
|
|
|
umask $u &&
|
|
|
|
|
git init --shared=1 &&
|
|
|
|
|
test 1 = "$(git config core.sharedrepository)"
|
|
|
|
|
) &&
|
|
|
|
|
actual=$(ls -l sub/.git/HEAD)
|
|
|
|
|
case "$actual" in
|
|
|
|
|
-rw-rw-r--*)
|
|
|
|
|
: happy
|
|
|
|
|
;;
|
|
|
|
|
*)
|
|
|
|
|
echo Oops, .git/HEAD is not 0664 but $actual
|
|
|
|
|
false
|
|
|
|
|
;;
|
|
|
|
|
esac
|
|
|
|
|
'
|
|
|
|
|
rm -rf sub
|
|
|
|
|
done
|
|
|
|
|
|
2007-07-11 16:18:17 +02:00
|
|
|
test_expect_success 'shared=all' '
|
|
|
|
|
mkdir sub &&
|
|
|
|
|
cd sub &&
|
|
|
|
|
git init --shared=all &&
|
|
|
|
|
test 2 = $(git config core.sharedrepository)
|
|
|
|
|
'
|
|
|
|
|
|
2009-03-13 22:55:27 +01:00
|
|
|
test_expect_success POSIXPERM 'update-server-info honors core.sharedRepository' '
|
2007-07-11 16:18:17 +02:00
|
|
|
: > a1 &&
|
|
|
|
|
git add a1 &&
|
|
|
|
|
test_tick &&
|
|
|
|
|
git commit -m a1 &&
|
|
|
|
|
umask 0277 &&
|
|
|
|
|
git update-server-info &&
|
2007-08-17 00:02:17 +02:00
|
|
|
actual="$(ls -l .git/info/refs)" &&
|
|
|
|
|
case "$actual" in
|
|
|
|
|
-r--r--r--*)
|
|
|
|
|
: happy
|
|
|
|
|
;;
|
|
|
|
|
*)
|
|
|
|
|
echo Oops, .git/info/refs is not 0444
|
|
|
|
|
false
|
|
|
|
|
;;
|
|
|
|
|
esac
|
2007-07-11 16:18:17 +02:00
|
|
|
'
|
|
|
|
|
|
2008-04-16 10:34:24 +02:00
|
|
|
for u in 0660:rw-rw---- \
|
|
|
|
|
0640:rw-r----- \
|
|
|
|
|
0600:rw------- \
|
|
|
|
|
0666:rw-rw-rw- \
|
|
|
|
|
0664:rw-rw-r--
|
|
|
|
|
do
|
|
|
|
|
x=$(expr "$u" : ".*:\([rw-]*\)") &&
|
|
|
|
|
y=$(echo "$x" | sed -e "s/w/-/g") &&
|
|
|
|
|
u=$(expr "$u" : "\([0-7]*\)") &&
|
|
|
|
|
git config core.sharedrepository "$u" &&
|
|
|
|
|
umask 0277 &&
|
|
|
|
|
|
2009-03-13 22:55:27 +01:00
|
|
|
test_expect_success POSIXPERM "shared = $u ($y) ro" '
|
2008-04-16 10:34:24 +02:00
|
|
|
|
|
|
|
|
rm -f .git/info/refs &&
|
|
|
|
|
git update-server-info &&
|
2008-10-20 07:51:17 +02:00
|
|
|
actual="$(modebits .git/info/refs)" &&
|
2008-04-16 10:34:24 +02:00
|
|
|
test "x$actual" = "x-$y" || {
|
|
|
|
|
ls -lt .git/info
|
|
|
|
|
false
|
|
|
|
|
}
|
|
|
|
|
'
|
|
|
|
|
|
|
|
|
|
umask 077 &&
|
2009-03-13 22:55:27 +01:00
|
|
|
test_expect_success POSIXPERM "shared = $u ($x) rw" '
|
2008-04-16 10:34:24 +02:00
|
|
|
|
|
|
|
|
rm -f .git/info/refs &&
|
|
|
|
|
git update-server-info &&
|
2008-10-20 07:51:17 +02:00
|
|
|
actual="$(modebits .git/info/refs)" &&
|
2008-04-16 10:34:24 +02:00
|
|
|
test "x$actual" = "x-$x" || {
|
|
|
|
|
ls -lt .git/info
|
|
|
|
|
false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
'
|
|
|
|
|
|
|
|
|
|
done
|
|
|
|
|
|
2009-03-13 22:55:27 +01:00
|
|
|
test_expect_success POSIXPERM 'git reflog expire honors core.sharedRepository' '
|
2008-06-15 23:37:42 +02:00
|
|
|
git config core.sharedRepository group &&
|
|
|
|
|
git reflog expire --all &&
|
|
|
|
|
actual="$(ls -l .git/logs/refs/heads/master)" &&
|
|
|
|
|
case "$actual" in
|
|
|
|
|
-rw-rw-*)
|
|
|
|
|
: happy
|
|
|
|
|
;;
|
|
|
|
|
*)
|
|
|
|
|
echo Ooops, .git/logs/refs/heads/master is not 0662 [$actual]
|
|
|
|
|
false
|
|
|
|
|
;;
|
|
|
|
|
esac
|
|
|
|
|
'
|
|
|
|
|
|
2009-04-13 02:55:18 +02:00
|
|
|
test_expect_success POSIXPERM 'forced modes' '
|
2009-03-26 00:19:36 +01:00
|
|
|
mkdir -p templates/hooks &&
|
|
|
|
|
echo update-server-info >templates/hooks/post-update &&
|
|
|
|
|
chmod +x templates/hooks/post-update &&
|
|
|
|
|
echo : >random-file &&
|
|
|
|
|
mkdir new &&
|
|
|
|
|
(
|
|
|
|
|
cd new &&
|
|
|
|
|
umask 002 &&
|
|
|
|
|
git init --shared=0660 --template=../templates &&
|
|
|
|
|
>frotz &&
|
|
|
|
|
git add frotz &&
|
|
|
|
|
git commit -a -m initial &&
|
|
|
|
|
git repack
|
|
|
|
|
) &&
|
t1301-shared-repo: fix forced modes test
This test was added recently (5a688fe, "core.sharedrepository = 0mode"
should set, not loosen; 2009-03-28). It checked the result of a sed
invocation for emptyness, but in some cases it forgot to print anything
at all, so that those checks would never be false.
Due to this mistake, it went unnoticed that the files in objects/info are
not necessarily 0440, but can also be 0660. Because the 0mode setting
tries to guarantee that the files are accessible only to the people they
are meant to be used by, we should only make sure that they are readable
by the user and the group when the configuration is set to 0660. It is a
separate matter from the core.shredrepository settings that w-bit from
immutable object files under objects/[0-9a-f][0-9a-f] directories should
be dropped.
COMMIT_EDITMSG is still world-readable, but it (and any transient files
that are meant for repositories with a work tree) does not matter. If you
are working on a shared machine and on a sekrit stuff, the root of the
work tree would be with mode 0700 (or 0750 to allow peeking by other
people in the group), and that would mean that .git/COMMIT_EDITMSG in such
a repository would not be readable by the strangers anyway.
Also, in the real-world use case, .git/COMMIT_EDITMSG will be given to an
arbitrary editor the user happens to use, and we have no guarantee what it
does (e.g. it may create a new file with umask and replace, it may rewrite
in place, it may leave an editor backup file but use umask to create it,
etc.), and the protection of the file lies majorly on the protection of
the root of the work tree.
This test cannot be run on Windows; it requires POSIXPERM when merged to
'master'.
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-04-12 21:22:02 +02:00
|
|
|
# List repository files meant to be protected; note that
|
|
|
|
|
# COMMIT_EDITMSG does not matter---0mode is not about a
|
|
|
|
|
# repository with a work tree.
|
|
|
|
|
find new/.git -type f -name COMMIT_EDITMSG -prune -o -print |
|
2009-03-26 00:19:36 +01:00
|
|
|
xargs ls -ld >actual &&
|
|
|
|
|
|
|
|
|
|
# Everything must be unaccessible to others
|
t1301-shared-repo: fix forced modes test
This test was added recently (5a688fe, "core.sharedrepository = 0mode"
should set, not loosen; 2009-03-28). It checked the result of a sed
invocation for emptyness, but in some cases it forgot to print anything
at all, so that those checks would never be false.
Due to this mistake, it went unnoticed that the files in objects/info are
not necessarily 0440, but can also be 0660. Because the 0mode setting
tries to guarantee that the files are accessible only to the people they
are meant to be used by, we should only make sure that they are readable
by the user and the group when the configuration is set to 0660. It is a
separate matter from the core.shredrepository settings that w-bit from
immutable object files under objects/[0-9a-f][0-9a-f] directories should
be dropped.
COMMIT_EDITMSG is still world-readable, but it (and any transient files
that are meant for repositories with a work tree) does not matter. If you
are working on a shared machine and on a sekrit stuff, the root of the
work tree would be with mode 0700 (or 0750 to allow peeking by other
people in the group), and that would mean that .git/COMMIT_EDITMSG in such
a repository would not be readable by the strangers anyway.
Also, in the real-world use case, .git/COMMIT_EDITMSG will be given to an
arbitrary editor the user happens to use, and we have no guarantee what it
does (e.g. it may create a new file with umask and replace, it may rewrite
in place, it may leave an editor backup file but use umask to create it,
etc.), and the protection of the file lies majorly on the protection of
the root of the work tree.
This test cannot be run on Windows; it requires POSIXPERM when merged to
'master'.
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-04-12 21:22:02 +02:00
|
|
|
test -z "$(sed -e "/^.......---/d" actual)" &&
|
2009-03-26 00:19:36 +01:00
|
|
|
|
2009-03-31 22:36:00 +02:00
|
|
|
# All directories must have either 2770 or 770
|
|
|
|
|
test -z "$(sed -n -e "/^drwxrw[sx]---/d" -e "/^d/p" actual)" &&
|
2009-03-26 00:19:36 +01:00
|
|
|
|
|
|
|
|
# post-update hook must be 0770
|
|
|
|
|
test -z "$(sed -n -e "/post-update/{
|
|
|
|
|
/^-rwxrwx---/d
|
|
|
|
|
p
|
|
|
|
|
}" actual)" &&
|
|
|
|
|
|
t1301-shared-repo: fix forced modes test
This test was added recently (5a688fe, "core.sharedrepository = 0mode"
should set, not loosen; 2009-03-28). It checked the result of a sed
invocation for emptyness, but in some cases it forgot to print anything
at all, so that those checks would never be false.
Due to this mistake, it went unnoticed that the files in objects/info are
not necessarily 0440, but can also be 0660. Because the 0mode setting
tries to guarantee that the files are accessible only to the people they
are meant to be used by, we should only make sure that they are readable
by the user and the group when the configuration is set to 0660. It is a
separate matter from the core.shredrepository settings that w-bit from
immutable object files under objects/[0-9a-f][0-9a-f] directories should
be dropped.
COMMIT_EDITMSG is still world-readable, but it (and any transient files
that are meant for repositories with a work tree) does not matter. If you
are working on a shared machine and on a sekrit stuff, the root of the
work tree would be with mode 0700 (or 0750 to allow peeking by other
people in the group), and that would mean that .git/COMMIT_EDITMSG in such
a repository would not be readable by the strangers anyway.
Also, in the real-world use case, .git/COMMIT_EDITMSG will be given to an
arbitrary editor the user happens to use, and we have no guarantee what it
does (e.g. it may create a new file with umask and replace, it may rewrite
in place, it may leave an editor backup file but use umask to create it,
etc.), and the protection of the file lies majorly on the protection of
the root of the work tree.
This test cannot be run on Windows; it requires POSIXPERM when merged to
'master'.
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-04-12 21:22:02 +02:00
|
|
|
# All files inside objects must be accessible by us
|
2009-03-26 00:19:36 +01:00
|
|
|
test -z "$(sed -n -e "/objects\//{
|
|
|
|
|
/^d/d
|
t1301-shared-repo: fix forced modes test
This test was added recently (5a688fe, "core.sharedrepository = 0mode"
should set, not loosen; 2009-03-28). It checked the result of a sed
invocation for emptyness, but in some cases it forgot to print anything
at all, so that those checks would never be false.
Due to this mistake, it went unnoticed that the files in objects/info are
not necessarily 0440, but can also be 0660. Because the 0mode setting
tries to guarantee that the files are accessible only to the people they
are meant to be used by, we should only make sure that they are readable
by the user and the group when the configuration is set to 0660. It is a
separate matter from the core.shredrepository settings that w-bit from
immutable object files under objects/[0-9a-f][0-9a-f] directories should
be dropped.
COMMIT_EDITMSG is still world-readable, but it (and any transient files
that are meant for repositories with a work tree) does not matter. If you
are working on a shared machine and on a sekrit stuff, the root of the
work tree would be with mode 0700 (or 0750 to allow peeking by other
people in the group), and that would mean that .git/COMMIT_EDITMSG in such
a repository would not be readable by the strangers anyway.
Also, in the real-world use case, .git/COMMIT_EDITMSG will be given to an
arbitrary editor the user happens to use, and we have no guarantee what it
does (e.g. it may create a new file with umask and replace, it may rewrite
in place, it may leave an editor backup file but use umask to create it,
etc.), and the protection of the file lies majorly on the protection of
the root of the work tree.
This test cannot be run on Windows; it requires POSIXPERM when merged to
'master'.
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2009-04-12 21:22:02 +02:00
|
|
|
/^-r.-r.----/d
|
|
|
|
|
p
|
2009-03-26 00:19:36 +01:00
|
|
|
}" actual)"
|
|
|
|
|
'
|
|
|
|
|
|
2007-07-11 16:18:17 +02:00
|
|
|
test_done
|