commit 28ad1c18bb74647f37660ec576b5d8e7e6386955
from: Stefan Sperling <stsp@stsp.name>
date: Sat Sep 06 13:54:23 2025 UTC

make gotsysd-managed repositories readable for the _gotd group

This allows making the repositories readable by other user accounts,
such as _gotwebd, by adding those users to the _gotd group.

commit - 8195cfa1795a5f4163bdaec158df17eb06b16ed0
commit + 28ad1c18bb74647f37660ec576b5d8e7e6386955
blob - 59b5a043614e9af1be1d6819c54c7780c2bbd554
blob + 276d7af33c86b42cee831d6de1400671bc2d6290
--- gotsysd/libexec/gotsys-repo-create/gotsys-repo-create.c
+++ gotsysd/libexec/gotsys-repo-create/gotsys-repo-create.c
@@ -81,9 +81,12 @@ sighdlr(int sig, short event, void *arg)
 	}
 }
 
-/* Ensure that repositories are only accessible to the gotd user. */
+/*
+ * Ensure that repositories are only writeable by the gotd user and
+ * readable by the gotd group.
+ */
 static const struct got_error *
-chmod_700_repo(const char *repo_name)
+chmod_750_repo(const char *repo_name)
 {
 	struct stat sb;
 
@@ -92,10 +95,11 @@ chmod_700_repo(const char *repo_name)
 		    repos_path, repo_name);
 	}
 
-	if (!S_ISDIR(sb.st_mode) || sb.st_uid != gotd_uid)
+	if (!S_ISDIR(sb.st_mode) || sb.st_uid != gotd_uid ||
+	    sb.st_gid != gotd_gid)
 		return NULL;
 
-	if (fchmodat(repos_dir_fd, repo_name, S_IRWXU,
+	if (fchmodat(repos_dir_fd, repo_name, S_IRWXU | S_IRGRP | S_IXGRP,
 	    AT_SYMLINK_NOFOLLOW) == -1) {
 		return got_error_from_errno_fmt("chmod %o %s/%s",
 		    S_IRWXU, repos_path, repo_name);
@@ -267,9 +271,10 @@ create_repo(struct imsg *imsg)
 		goto done;
 	}
 
-	if (mkdirat(repos_dir_fd, fullname, S_IRWXU) == -1) {
+	if (mkdirat(repos_dir_fd, fullname,
+	    S_IRWXU | S_IRGRP | S_IXGRP) == -1) {
 		if (errno == EEXIST) {
-			err = chmod_700_repo(fullname);
+			err = chmod_750_repo(fullname);
 			if (err)
 				goto done;
 			if (headref) {
blob - b6994f1bdd6552342b6c2ebc323c4cb5cc1762b7
blob + 1cd41413224f10c3733c7889db4c13367beed25b
--- regress/gotsysd/test_gotsysd.sh
+++ regress/gotsysd/test_gotsysd.sh
@@ -954,9 +954,9 @@ EOF
 		return 1
 	fi
 
-	# The repositories should have 700 permissions and be owned by _gotd.
+	# The repositories should have 750 permissions and be owned by _gotd.
 	ssh -q -i ${GOTSYSD_SSH_KEY} root@${VMIP} ls -l /git | \
-		grep -v ^total | awk '{print $1" "$3}' > $testroot/stdout
+		grep -v ^total | awk '{print $1" "$3" "$4}' > $testroot/stdout
 	ret=$?
 	if [ $ret -ne 0 ]; then
 		echo "ls /git failed unexpectedly" >&2
@@ -965,8 +965,8 @@ EOF
 	fi
 
 	cat > $testroot/stdout.expected <<EOF
-drwx------ _gotd
-drwx------ _gotd
+drwxr-x--- _gotd _gotd
+drwxr-x--- _gotd _gotd
 EOF
 	cmp -s $testroot/stdout.expected $testroot/stdout
 	ret=$?