At ZeroZaku, we use Git and Gitolite to push updates from our local computers to the server. The problem is that a fresh installation of Gitolite prevents Apache from reading the working tree because of its default permissions.
Apache, Permissions, and umasks
In short, a umask determines the permissions given to newly created files and directories. Because Git checkouts constantly create and destroy files, the permissions in the working tree are constantly being reset.
Apache, however, must have permissions to read the file in order to serve it to users. Apache likes the 0022 umask, so let’s change the Gitolite configuration for umasks.
The umask Configuration in Gitolite
The default UMASK that gitolite uses makes all the repos and their contents have rwx------ permissions. People who want to run gitweb realise that this will not do.
By default, Gitolite has a umask of 0077 which is equivalent to:
- 600 (rw-------) for files
- 700 (rwx------) for directories
Apache cannot read files with these permissions (unless Apache happens to run as the Gitolite user, sharing one account between Gitolite and the web server, which I strongly recommend against). Fortunately, the Gitolite developers have foreseen this issue for Gitweb users:
The correct way to deal with this is to change this variable to 0027 (which gets you rwxr-x---), then add the apache or httpd user running the webserver as a member of the ‘gitolite’ group.
Changing the umask Configuration
Please note that all of these commands should be executed within a Linux shell (command line).
First, switch to your Gitolite user and open your .gitolite.rc file in your favorite editor.
Next, find $REPO_UMASK = 0077 and replace with $REPO_UMASK = 0022 which is equivalent to:
- 644 (rw-r--r--) for files
- 755 (rwxr-xr-x) for directories
Apache can now read the repositories and their working trees. Any project that you are hosting on Gitolite will now be publicly readable by any Linux user that is added to the Gitolite group. But what if we don’t want all of our projects to be so exposed?
Repository-Specific umasks
Fortunately for us again, Sitaram shows us how to individually configure permissions for each repository. This is especially useful if we have many projects that require different configurations, so here’s my interpretation of his instructions:
- Open .gitolite.rc and set GL_GITCONFIG_KEYS to core.sharedRepository.
- In your gitolite-admin.git repository, open the configuration found in conf/gitolite.conf.
- For each repository configuration that you want to make public, add config core.sharedRepository = 0022 under the project name (where user permissions are).
- Push the gitolite-admin.git repository updates to your server.
- Fix the permissions manually on the server for the projects that have been changed:
  - find /path/to/repo -type f -exec chmod 664 {} \; for files.
  - find /path/to/repo -type d -exec chmod 775 {} \; for directories.
Individual repositories should now be available to the public for either Gitweb or Apache. If you need any more help, you could always join the Gitolite Google Group or leave a comment below and I'll help any way I can.
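The arithmetic behind the values above, as an added example that is not part of the original post: it derives file and directory modes from each umask mentioned here, shows which classes of local user can read the result, and applies the owner read/write rule that git enforces on an octal core.sharedRepository value (which is a file mode, not a umask). The function names are illustrative.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# Mode of a newly created file under a umask: 0666 with the masked bits cleared.
file_mode() { printf '%03o\n' $(( 0666 & ~$1 )); }

# Mode of a newly created directory under a umask: 0777 with masked bits cleared.
dir_mode() { printf '%03o\n' $(( 0777 & ~$1 )); }

# Which permission classes can read a new file under this umask.
# "other" means every local account, including a web server user that is
# not a member of the repository owner's group.
readers() {
    m=$(( 0666 & ~$1 ))
    r=owner
    if [ $(( m & 0040 )) -ne 0 ]; then r="$r+group"; fi
    if [ $(( m & 0004 )) -ne 0 ]; then r="$r+other"; fi
    echo "$r"
}

# git accepts an octal core.sharedRepository value only if the owner keeps
# read and write: (value & 0600) == 0600. Only the octal form is handled
# here; keyword values such as "group" or "all" are out of scope.
shared_repo_ok() { [ $(( $1 & 0600 )) -eq $(( 0600 )) ]; }

# File mode to use for core.sharedRepository to get the effect of a umask.
shared_repo_for_umask() { printf '0%s\n' "$(file_mode "$1")"; }

# The three umask values discussed in this post.
for u in 0077 0027 0022; do
    printf 'umask %s: files %s, dirs %s, readable by %s\n' \
        "$u" "$(file_mode "$u")" "$(dir_mode "$u")" "$(readers "$u")"
done

# A umask-style value versus the equivalent file mode.
for v in 0022 "$(shared_repo_for_umask 0022)"; do
    if shared_repo_ok "$v"; then s=accepted; else s=rejected; fi
    printf 'core.sharedRepository = %s: %s\n' "$v" "$s"
done
```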
One Comment
config core.sharedRepository = 0022 will produce an error:
fatal: Problem with core.sharedRepository filemode value (0022).
The owner of files must always have read and write permissions.
For core.sharedRepository, it should be 0644 instead.