I have a git environment where there are two basic groupings of 
individuals, Engineering and Operations.  For this example, we will assume 
that Engineering has rwX extended file permissions to everything.  

In doing testing with the Operations team to allow them to edit and push 
certain file structures in git to dev/live, we provided rwX extended file 
permissions to the Operations accounts recursively through the objects and 
refs directories, under dev and live.  We also provided rwX extended file 
permissions recursively to the directories which need to be altered and 
pushed through the environments, let's call that /example/files/.  

Here is the relevant portion of /example/files/.git/config:

> [remote "live"]
>         url = /etc/files/environments/production
>         fetch = +refs/heads/*:refs/remotes/live/*
> [remote "dev"]
>         url = /etc/files/environments/development
>         fetch = +refs/heads/*:refs/remotes/dev/*

What I found was that when their $PWD was /examples/files/, a user from the 
Operations team was able to run the following commands for a file which was 
being added (not modified) to git:

> git add file.sh
> git commit -m "Promoting file.sh to production"

with no visible error messages.  However, when they attempted

> git push live 

to promote to production, they were given an error message that said:

> remote: fatal: Unable to create 
> '/etc/files/environments/production/./index.lock': Permission denied

Now, under /etc/files/environments/production/objects, there are references 
to the files which the user attempted to push (confirmed with 'git cat-file 
-p <hash>'), and are owned by that user.  Even after a second push by 
another user, these files continue to exist.  

Additionally, I noticed that the git logs (confirmed with 'git log -p') 
added the Operations team member's push as it would a successful push.  

We are currently running git version  

Here are my questions:
1.  Should the object files owned by the Operations user continue to exist 
in the /etc/files/environments/production/objects/ directory, even after a 
successful push was executed (with modifications of the same files that the 
Operations user added to git in the first place) by another user?
2.  How should the file permissions of /etc/files/environments/production/ 
and /etc/files/environments/development/ be configured to allow creation of 
the index.lock?  We want to make sure that the Operations users have proper 
access control; I have considered turning the sticky bit on for this 
directory, but I am unaware of any additional downstream impact that this 
may impose.  
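
A check related to the second question, added here as an example and not part of the original post: the quoted error shows index.lock being created directly in the production directory, so that directory itself, along with objects/ and refs/, has to allow file creation for the pushing account. The function name is hypothetical; the directory layout is taken from the post.

```shell
#!/bin/sh
# Added example: list the directories of a push target in which the calling
# user cannot create files. Run it as the account that will push.

# Prints one path per line for every directory that is missing, not writable,
# or not searchable for the calling user. Prints nothing when all are usable.
unwritable_git_dirs() {
    repo=$1
    {
        # The repository directory itself: index.lock is created here,
        # which is the step that failed with "Permission denied".
        printf '%s\n' "$repo"
        # objects/ and refs/ receive new files on every push. Walk them
        # recursively, because subdirectories created by one user are not
        # automatically writable for another.
        for sub in objects refs; do
            if [ -d "$repo/$sub" ]; then
                find "$repo/$sub" -type d
            else
                printf '%s\n' "$repo/$sub"
            fi
        done
    } | while IFS= read -r dir; do
        # Creating a file needs both write and search (x) permission on the
        # containing directory; -w and -x test access for the calling user.
        if [ ! -d "$dir" ] || [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# When invoked with a path, e.g. /etc/files/environments/production,
# report the problem directories for that repository.
if [ $# -gt 0 ]; then
    unwritable_git_dirs "$1"
fi
```

An empty result for both environment paths means the account can create lock files and new objects; any path printed is a directory whose permissions still exclude it.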


