Public Repositories in Gitolite with umasks

At ZeroZaku, we use Git and Gitolite to push updates from our local computers to the server. The problem is that a fresh installation of Gitolite prevents Apache from reading the working tree because of its default permissions.

Apache, Permissions, and umasks

In short, a umask determines the permissions given to newly created files and directories. Because Git checkouts constantly create and destroy files, the permissions in the working tree are continually reset by whatever umask is in effect.

Apache, however, must have permission to read a file in order to serve it to users. A umask of 0022 gives Apache that read access, so let’s change the umask in the Gitolite configuration.

The umask Configuration in Gitolite

The default UMASK that gitolite uses makes all the repos and their contents have rwx------ permissions. People who want to run gitweb realise that this will not do.

By default, Gitolite has a umask of 0077 which is equivalent to:

  • 600 (rw-------) for files
  • 700 (rwx------) for directories

Apache cannot read files with these permissions (unless Apache happens to run as the Gitolite user, which I strongly recommend against). Fortunately, the Gitolite developers foresaw this issue for Gitweb users:

The correct way to deal with this is to change this variable to 0027 (which gets you rwxr-x---), then add the apache or httpd user running the webserver as a member of the ‘gitolite’ group.

Changing the umask Configuration

Please note that all of these commands should be executed in a Linux shell (command line).

First, switch to your Gitolite user and open your .gitolite.rc file in your editor of choice.

Next, find $REPO_UMASK = 0077 and replace it with $REPO_UMASK = 0022, which is equivalent to:

  • 644 (rw-r--r--) for files.
  • 755 (rwxr-xr-x) for directories.

Apache can now read the repositories and their working trees. Any project that you host on Gitolite will now be publicly readable by any Linux user that is added to the Gitolite group. But what if we don’t want all of our projects to be so exposed?
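The effect of each umask value discussed above, as an added example that is not part of the original post or of Gitolite. The function names and the demo.git tree are hypothetical and are built in a temporary directory. The audit counts entries that every local account can read and entries that group members such as Apache cannot read.

```shell
#!/bin/sh
# Constructed demo: nothing here touches a real Gitolite installation.

# Print "<file perms> <dir perms>" for entries created under umask $1.
modes_for_umask() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"                      # subshell body keeps the change local
    : > "$tmp/file"
    mkdir "$tmp/dir"
    f=$(ls -ld "$tmp/file" | cut -c1-10)
    d=$(ls -ld "$tmp/dir" | cut -c1-10)
    rm -rf "$tmp"
    echo "$f $d"
)

# Count entries under path $1 that every local user can read.
count_world_readable() {
    find "$1" -perm -004 | wc -l | tr -d ' '
}

# Count entries under path $1 that group members (e.g. Apache) cannot read.
count_group_unreadable() {
    find "$1" ! -perm -040 | wc -l | tr -d ' '
}

# Build a three-entry stand-in for a repository under umask $1 and audit it.
# Prints "<world-readable count> <group-unreadable count>".
audit_for_umask() (
    repo=$(mktemp -d) || exit 1
    umask "$1"
    mkdir "$repo/demo.git"
    mkdir "$repo/demo.git/objects"
    : > "$repo/demo.git/HEAD"
    w=$(count_world_readable "$repo/demo.git")
    g=$(count_group_unreadable "$repo/demo.git")
    rm -rf "$repo"
    echo "$w $g"
)

# Compare the Gitolite default, the 0027 value and the 0022 value.
for m in 0077 0027 0022; do
    echo "umask $m: modes $(modes_for_umask "$m"), audit $(audit_for_umask "$m")"
done
```

The two count functions can also be pointed at a real repository path after changing $REPO_UMASK, to confirm which entries are exposed to accounts outside the Gitolite group.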

Repository-Specific umasks

Fortunately for us again, Sitaram shows us how to configure permissions for each repository individually. This is especially useful if we have many projects that require different configurations, so here’s my interpretation of his instructions:

  1. Open .gitolite.rc and set GL_GITCONFIG_KEYS to core.sharedRepository.

  2. In your gitolite-admin.git repository, open the configuration found in conf/gitolite.conf.

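  3. For each repository that you want to make public, add config core.sharedRepository = 0644 under the project name (where the user permissions are). core.sharedRepository takes a file mode rather than a umask, and Git rejects 0022 because the owner of the files must always have read and write permissions.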

  4. Push the gitolite-admin.git repository updates to your server.

  5. Fix the permissions manually on the server for the projects that have been changed:

    • find /path/to/repo -type f -exec chmod 664 {} \; for files.
    • find /path/to/repo -type d -exec chmod 775 {} \; for directories.

Individual repositories should now be available to the public for either Gitweb or Apache. If you need any more help, you could always join the Gitolite Google Group or leave a comment below and I'll help any way I can.

  • Javier

    config core.sharedRepository = 0022 will produce an error:
    fatal: Problem with core.sharedRepository filemode value (0022).
    The owner of files must always have read and write permissions.

    For core.sharedRepository, it should be 0644 instead.

  • About Gio

    I am a torrent of ingenuity (or insanity) with a myriad of innovations (sometimes fallacies) and a wealth of inspiration (possibly naiveté). My name is Gio Carlo Cielo Borje and I like puffer fish because they're just cooltalkin', highwalkin' and fastlivin'.

    I'm also twenty and a current student at UC Irvine for Computer Science.