Search code examples
bashgitubuntuansiblesystem-administration

Stop .git/index from changing its permissions

How can I prevent .git/index from constantly changing its permissions and ownership?

I run ls -al .git/index and see that the file is owned by root. I change the permissions with sudo chown -R $USER:USER and sudo chmod -R 775 .git I even tried deleting the lock file with rm -rf .git/index.lock

The permissions update but then a few minutes later they change back to being owned by root and 740 which breaks the git commands I'm attempting.

I set the global git config via Ansible so I'm wondering if that messed something up? Is there a global file I need to modify?

Solution

  • When Git writes the index, the way it does so is to create a new file called .git/index.lock (with O_EXCL), adjusts its permissions according to core.sharedRepository, and then rename it over top. Git does not offer a way to rewrite the file in place.

    If this file is being created such that it's being owned by root, then root is creating the file because it's updating the index. That probably means that some process owned by root is modifying the working tree.

    If that wasn't your intention, then the best thing to do is find that process and stop it from modifying the working tree. It's not a good idea for multiple users to modify the same working tree, and if your process owned by root is reading files out of the working tree and it's shared with another user, that could lead to a security vulnerability.

    If you're certain what you're doing is safe and you want to modify the permissions with which files in the .git directory are created, you can use core.sharedRepository to set them. For example, you could use the value 0664. Note that Git will handle the executable bit automatically, and the index should not be marked executable.

    If you want to always use the same group for your repository, you can set the setgid bit on all the directories in the repository and then set their group to the appropriate value. Assuming you also set core.sharedRepository to a value that makes things group writable, you can then modify the repository with any user in that group, and things should work. Note that this may still have security implications if one or more of those users are untrusted or have lower privileges, so you should be careful.