Proposal: inherit group

Matt Mackall mpm at selenic.com
Thu Oct 11 15:20:23 CDT 2012


On Thu, 2012-10-11 at 09:42 +0200, Isaac Jurado wrote:
> On Thu, Oct 11, 2012 at 3:57 AM, Matt Mackall <mpm at selenic.com> wrote:
> > Currently, Mercurial inherits file permission bits from .hg/store. This
> > lets newly-created files in a repo on a shared filesystem get
> > group-compatible permissions regardless of the current umask of the
> > user.
> >
> > Unfortunately, the group attached to the file will not automatically be
> > a useful one unless all the directories in .hg/store are also carefully
> > marked g+s so that newly-created files and directories get shared with
> > the appropriate group. This, being a bit outside Unix Permissions 101,
> > is apparently not something most people know how to do.
> >
> > So it might significantly ease things if we tried to automatically copy
> > the group from the .hg/store directory to newly created files and
> > directories in the store.
> 
> What about ACL enabled Unices or the Windows equivalent?

Nothing here prevents or interferes with you using ACLs. Directory ACLs
let you explicitly specify the default ACLs of new files; Mercurial will
never attempt to adjust them or even look at them.

Further, if you're one of the rare people at a level where you can
actually use ACLs correctly, then you don't need Mercurial's help here
anyway. They are, frankly, at least an order of magnitude more complex
than Unix permissions, even including details like the setgid bit. 

But perhaps we should put something on the wiki about them: they do
enable non-admins to share repos without pre-existing groups.

> Although being neutral about this, I think requiring the g+s bit also
> serves as an explicit indicator of a shared repo.  Lifting this
> requirement could be confusing or even a security problem (when using
> careless umasks).

Right now, sharing is a three-step process where the third step is
outside the knowledge realm of typical users and admins:

- chgrp all files to the appropriate group
- grant g+rw permissions on all files and directories (depending on
umask)
- set g+S on all directories

Formerly, there was a fourth step that was also a bit obscure (and
fairly difficult to audit!):

- ensure all users have a umask no stricter than 007

If we drop the g+S step, we'll still have at least one explicit step
needed to share a repo more broadly than the Unix permission model would
already by default (i.e. granting access to everyone in your default group
based on your umask).


In my mind, the biggest risk with this proposal is that someone today
might have a setup where they don't actually want to inherit the group
from .hg/store. For instance .hg/store is in group X while some subset
beneath it is in group Y (a subset of X) with g+S. One possible reason
would be to manually implement directory-level write access on the repo
at a filesystem level. That's a horrible idea, but it might "work" well
enough that people are using it.

We could amend the proposal to automatically copy the group from the
containing directory... which is less attractive as it means stat()ing a
bunch.

-- 
Mathematics is the supreme nostalgia of our time.
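
The three sharing steps listed in the message above, plus the former umask step, written as an audit of a store directory. This is an added example, not part of the original message or of Mercurial's code; the function names and the constructed sample tree are assumptions, and the expected group is read from the store root, as the proposal suggests.

```python
import os
import stat
import sys
import tempfile

GROUP_RW = stat.S_IRGRP | stat.S_IWGRP

def check_entry(mode, gid, want_gid):
    """Return which of the three sharing steps this entry still fails."""
    problems = []
    if gid != want_gid:
        problems.append("group")    # step 1: chgrp to the shared group
    if mode & GROUP_RW != GROUP_RW:
        problems.append("g+rw")     # step 2: group read/write
    if stat.S_ISDIR(mode) and not mode & stat.S_ISGID:
        problems.append("setgid")   # step 3: g+s on directories
    return problems

def audit_store(store):
    """Map relative path -> failed steps; expected group is the store root's."""
    want_gid = os.lstat(store).st_gid
    findings = {}
    for root, _dirs, files in os.walk(store):
        for path in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue            # symlink modes are not meaningful
            problems = check_entry(st.st_mode, st.st_gid, want_gid)
            if problems:
                findings[os.path.relpath(path, store)] = problems
    return findings

def umask_keeps_group_access(umask):
    """The former fourth step: a umask no stricter than 007."""
    return umask & 0o070 == 0

def build_sample_store():
    """Constructed stand-in for .hg/store with private (umask 077) modes."""
    store = tempfile.mkdtemp(prefix="store-")
    os.mkdir(os.path.join(store, "data"))
    with open(os.path.join(store, "data", "sample.i"), "w") as fh:
        fh.write("constructed sample\n")
    os.chmod(os.path.join(store, "data", "sample.i"), 0o600)
    os.chmod(os.path.join(store, "data"), 0o700)
    os.chmod(store, 0o700)
    return store

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_store()
    for path, problems in sorted(audit_store(target).items()):
        print(f"{path}: {', '.join(problems)}")
```

Run with a path to a real `.hg/store` to audit it; with no argument it reports on the constructed sample tree.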
