Gotweb

Commit Diff

Commit:: 94f3c56922948adc179cb260c0fd16a34d891d1b
From:: Stefan Sperling <stsp@stsp.name>
Via:: Thomas Adam <thomas.adam22@gmail.com>
Date:: Sat Sep 6 16:29:36 2025 UTC
Message:: make gotsysd-managed repositories readable for the _gotd group This allows making the repositories readable by other user accounts, such as _gotwebd, by adding those users to the _gotd group.
Actions:: Patch | Tree

commit - d1b3f74abcc2eecdb61bc1a5a5672a74816d1938
commit + 94f3c56922948adc179cb260c0fd16a34d891d1b
blob - 53369cd4babd72efbb0b8cb77383521f46535df8
blob + 4cdb71fc911d9d167d5b6ded2170c809f18c3100
--- gotsysd/libexec/gotsys-repo-create/gotsys-repo-create.c
+++ gotsysd/libexec/gotsys-repo-create/gotsys-repo-create.c
@@ -72,9 +72,12 @@ sighdlr(int sig, short event, void *arg)
 	}
 }
 
-/* Ensure that repositories are only accessible to the gotd user. */
+/*
+ * Ensure that repositories are only writeable by the gotd user and
+ * readable by the gotd group.
+ */
 static const struct got_error *
-chmod_700_repo(const char *repo_name)
+chmod_750_repo(const char *repo_name)
 {
 	struct stat sb;
 
@@ -83,10 +86,11 @@ chmod_700_repo(const char *repo_name)
 		    repos_path, repo_name);
 	}
 
-	if (!S_ISDIR(sb.st_mode) || sb.st_uid != gotd_uid)
+	if (!S_ISDIR(sb.st_mode) || sb.st_uid != gotd_uid ||
+	    sb.st_gid != gotd_gid)
 		return NULL;
 
-	if (fchmodat(repos_dir_fd, repo_name, S_IRWXU,
+	if (fchmodat(repos_dir_fd, repo_name, S_IRWXU | S_IRGRP | S_IXGRP,
 	    AT_SYMLINK_NOFOLLOW) == -1) {
 		return got_error_from_errno_fmt("chmod %o %s/%s",
 		    S_IRWXU, repos_path, repo_name);
@@ -230,10 +234,17 @@ create_repo(struct imsg *imsg)
 		goto done;
 	}
 
-	if (mkdirat(repos_dir_fd, fullname, S_IRWXU) == -1) {
-		if (errno == EEXIST)
-			err = chmod_700_repo(fullname);
-		else
+	if (mkdirat(repos_dir_fd, fullname,
+	    S_IRWXU | S_IRGRP | S_IXGRP) == -1) {
+		if (errno == EEXIST) {
+			err = chmod_750_repo(fullname);
+			if (err)
+				goto done;
+			if (headref) {
+				err = set_head_ref(repos_dir_fd, fullname,
+				    headref);
+			}
+		} else
 			err = got_error_from_errno2("mkdir", abspath);
 	} else
 		err = got_repo_init(abspath, NULL, GOT_HASH_SHA1);
blob - dece9a715ab4b1fb2ed8745339a3cf7f77e76655
blob + b74f3bf6df042ee26d43ff7ca355fc49ce024ebf
--- regress/gotsysd/test_gotsysd.sh
+++ regress/gotsysd/test_gotsysd.sh
@@ -954,9 +954,9 @@ EOF
 		return 1
 	fi
 
-	# The repositories should have 700 permissions and be owned by _gotd.
+	# The repositories should have 750 permissions and be owned by _gotd.
 	ssh -q -i ${GOTSYSD_SSH_KEY} root@${VMIP} ls -l /git | \
-		grep -v ^total | awk '{print $1" "$3}' > $testroot/stdout
+		grep -v ^total | awk '{print $1" "$3" "$4}' > $testroot/stdout
 	ret=$?
 	if [ $ret -ne 0 ]; then
 		echo "ls /git failed unexpectedly" >&2
@@ -965,8 +965,8 @@ EOF
 	fi
 
 	cat > $testroot/stdout.expected <<EOF
-drwx------ _gotd
-drwx------ _gotd
+drwxr-x--- _gotd _gotd
+drwxr-x--- _gotd _gotd
 EOF
 	cmp -s $testroot/stdout.expected $testroot/stdout
 	ret=$?