git - 当用户推送到 GIT 存储库时，文件所有权/组发生更改

Question

一年多来，我一直在 GIT 和目录/文件权限方面遇到麻烦。我有一个中央存储库，多个开发人员使用 ssh(源设置为 ssh://example/git/repository)将代码推送到该存储库。我已按如下方式设置存储库:

1) 我在中央仓库的配置文件: [核] 存储库格式版本 = 0 文件模式 = 真 裸 = 真 共享存储库 = 0660

2) 所有版本库目录权限设置为770 (rwxrwx---)3)./objects/XX和./objects/info中的所有文件都设置为440(r--r-----)4)所有其他文件都设置为660(rw-rw----)5) 所有权设置为 root:group_name

(请注意，这来自该线程顶部响应中的推荐设置:Making git push respect permissions?)

所有访问用户都是“group_name”组的成员。

问题是，如果 user1 推送到存储库，某些文件的文件所有权将设置为 user1:user1 - 这意味着组已更改。一旦发生这种情况，其他用户将无法从存储库中推送(或 pull )数据，因为他们不再具有读取、写入或执行存储库中所需文件的权限。

我已经阅读了在 Stack Overflow 上以及网络上几乎所有其他地方可以找到的关于此事的所有帖子，但我一直遇到同样的问题。

问题是，我不确定这个问题是 GIT 问题还是 UNIX 问题之一，我也不确定如何解决它。当用户推送到存储库时，如何阻止组被更改？

Answer 1

看起来你在初始化存储库后更改为 git config core.sharedRepository 0660 而不是使用 git init --shared=0660 应该正确设置权限.这意味着 sgid 位不会正确地设置在 git 存储库的目录中。你将不得不用类似的东西手动修复这个问题(假设 GNU find 和 xargs):

find . -print0 | xargs -0 chgrp group_name

find . -type d -print0 | xargs -0 chmod g+s

git init --help 的摘录，供那些对 group vs. true vs. 0660 感到困惑的人:

   --shared[=(false|true|umask|group|all|world|everybody|0xxx)]
       Specify that the Git repository is to be shared amongst several users.
       This allows users belonging to the same group to push into that
       repository. When specified, the config variable
       "core.sharedRepository" is set so that files and directories under
       $GIT_DIR are created with the requested permissions. When not
       specified, Git will use permissions reported by umask(2).

       The option can have the following values, defaulting to group if no
       value is given:

       umask (or false)
           Use permissions reported by umask(2). The default, when --shared
           is not specified.

       group (or true)
           Make the repository group-writable, (and g+sx, since the git group
           may be not the primary group of all users). This is used to loosen
           the permissions of an otherwise safe umask(2) value. Note that the
           umask still applies to the other permission bits (e.g. if umask is
           0022, using group will not remove read privileges from other
           (non-group) users). See 0xxx for how to exactly specify the
           repository permissions.

       all (or world or everybody)
           Same as group, but make the repository readable by all users.

       0xxx
           0xxx is an octal number and each file will have mode 0xxx.  0xxx
           will override users' umask(2) value (and not only loosen
           permissions as group and all does).  0640 will create a repository
           which is group-readable, but not group-writable or accessible to
           others.  0660 will create a repo that is readable and writable to
           the current user and group, but inaccessible to others.