
On my server I host some git repositories via gitolite, and have a trac for every repository.

I have a user called git to push/pull from the server (git clone git@server:repo), and trac is an Apache vhost with mod_wsgi. This runs as the www-data user.

So what puzzles me (maybe because I don't have much of a clue about file permissions at all) is: what's the best permissions setup (chown, chmod) for the git repositories (/home/git/repositories/...)?

www-data (or trac) needs at least read permissions (I think), and git (or gitolite) obviously needs read/write permissions to push changesets.

I tried a few things (i.e. adding www-data and/or git to the www-data/git group), but didn't get it right. At least one of the two doesn't work (git or trac).

Any suggestions are highly appreciated.

hjpotter92
fetzig

2 Answers


The most secure way of doing it, I would say, is to have a group called git-readers,

add git and www-data to it, then have the following folder structure:

/home/git - git:git-readers u=rwx,g=rx,o=
/home/git/repositories - git:git u=rwx,g=rwx,o=rx

This will allow www-data into the folder for reading, but only give the git user write access. Any other user can't do anything.

If you want to add additional writers, I would add another group git-writers and add the users and git to it as well as the git-readers group, then use the following structure:

/home/git - git:git-readers u=rwx,g=rx,o=
/home/git/repositories - git:git-writers u=rwx,g=rwxs,o=rx

Note the 's' in the group permissions. This makes the writer users use the git-writers group as their default group. This will only work properly if the writers all have umask 0002.

Andy
  • Perfect, thx. FYI: for some reason you need to restart Apache after changing the permissions (and creating the git-readers group). Seems like this was the problem in the first place, but not sure. – fetzig Dec 20 '10 at 14:20
  • Yes, only new processes gain newly added groups. Restarting Apache is needed to do that. – Andy Dec 20 '10 at 14:30
  • This isn't working. Newly created files in the repos have the wrong permissions. Could you show me the chmod/chown commands precisely? – fetzig Jan 10 '11 at 17:09
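The layout from this answer, built and checked on a throwaway directory so the effect of the setgid bit and of the umask can be seen directly. This is an added example, not code from the answer or from gitolite. It assumes GNU coreutils stat (with a BSD stat fallback), and, so that it runs without root, it uses the current user's primary group (numeric gid) in place of git-writers and models the readers only through the group bits on the parent directory rather than a separate git-readers group. The "push" is a stand-in that creates an object directory and file the way git does, under a chosen umask.

```sh
#!/bin/sh
# Added example: reproduce the setgid directory layout from the answer and
# check what newly created entries actually get. Not from the original post.

# Octal mode including the setuid/setgid/sticky digit, e.g. 2775.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Mp%Lp' "$1"
}

# Numeric gid owning the path (numeric so it works where the gid has no name).
group_of() {
    stat -c '%g' "$1" 2>/dev/null || stat -f '%g' "$1"
}

# Lay out $base (the answer's /home/git) and $base/repositories with the modes
# given in the answer: the parent is traversable by the group only, the
# repositories dir is group-writable with setgid so new entries inherit $grp.
setup_repo_tree() {
    base=$1
    grp=$2
    mkdir -p "$base/repositories" || return 1
    chgrp "$grp" "$base" "$base/repositories" || return 1
    chmod u=rwx,g=rx,o= "$base" || return 1
    chmod u=rwx,g=rwxs,o=rx "$base/repositories" || return 1
}

# Stand-in for a push: create an object directory and a file under a given
# umask, in a subshell so the caller's umask is left alone.
simulate_push() {
    repo=$1
    mask=$2
    (
        umask "$mask" || exit 1
        mkdir -p "$repo/objects/ab" || exit 1
        : > "$repo/objects/ab/cdef0123" || exit 1
    )
}

# Show the two cases the answer's umask remark is about: 0002 keeps the
# objects group-writable, 0022 silently drops the group write bit.
demo() {
    tmp=$(mktemp -d) || return 1
    setup_repo_tree "$tmp/git" "$(id -g)" || return 1
    simulate_push "$tmp/git/repositories/a.git" 0002 || return 1
    simulate_push "$tmp/git/repositories/b.git" 0022 || return 1
    for f in a.git/objects/ab a.git/objects/ab/cdef0123 \
             b.git/objects/ab b.git/objects/ab/cdef0123; do
        p="$tmp/git/repositories/$f"
        printf '%-5s gid=%s %s\n' "$(mode_of "$p")" "$(group_of "$p")" "$f"
    done
    rm -rf "$tmp"
}

demo
```

The group of every new entry matches the repositories directory regardless of umask, because the setgid bit on the parent is what picks the group; only the mode depends on the umask. That is why the setgid bit alone is not enough: a writer with umask 0022 produces 2755 directories and 644 files that the group can read but not update.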

In the case of gitolite, pushing commits to a git (gitolite) repository messes up the file permissions (no more trac access).

fetzig