Linux – correct file permissions for trac and git user to access gitolite server repos

Tags: apache-2.2, file-permissions, git, linux, trac

On my server I host some git repositories via gitolite, and have a Trac for every repository.

I have a user called git to push/pull from the server (git clone git@server:repo), and Trac is an Apache vhost with mod_wsgi; this runs as the www-data user.

So what riddles me (maybe because I don't have much of a clue about file permissions at all) is what the best permissions setup (chown, chmod) is for the git repositories (/home/git/repositories/…).

www-data (or Trac) needs at least read permissions (I think), and git (or gitolite) obviously needs read/write permissions to push changesets.

I tried a few things (i.e. adding www-data and/or git to the www-data/git group), but didn't get it right; at least one of the two (git or Trac) doesn't work.

Any suggestions are highly appreciated.

Best Answer

The most secure way of doing it, I would say, is to have a group called git-readers.

Add git and www-data to it, then have the following folder structure:

/home/git - git:git-readers u=rwx,g=rx,o=
/home/git/repositories - git:git u=rwx,g=rwx,o=rx

This will allow www-data into the folder for reading, but only give the git user write access. Any other user can't do anything.

If you want to add additional writers, I would add another group git-writers and add the users and git to it, as well as to the git-readers group, then use the following structure:

/home/git - git:git-readers u=rwx,g=rx,o=
/home/git/repositories - git:git-writers u=rwx,g=rwxs,o=rx

Note the 's' in the group permissions. This makes the writer users use the git-writers group as their default group. This will only work properly if the writers all have umask 0002.
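Putting the answer's layout into a runnable form, as an added example that is not part of the answer above: it applies the two symbolic modes in a scratch directory (the chown steps are left out because they need root, and the directory names are constructed stand-ins for /home/git), reads the resulting modes back, and shows how umask 0002 versus 0022 changes the mode of a file a writer creates inside the setgid directory.

```shell
#!/bin/sh
# Added example: scratch-directory walkthrough of the permission layout from the
# answer. Ownership (chown git:git-readers / git:git-writers) is omitted because it
# requires root; "$scratch/git" stands in for /home/git.
set -eu

# Apply the answer's modes: home dir enterable/readable by the group only,
# repositories dir group-writable with setgid so new entries inherit the group.
setup_repo_perms() {
    home="$1"
    mkdir -p "$home/repositories"
    chmod u=rwx,g=rx,o= "$home"                   # /home/git              -> 750
    chmod u=rwx,g=rwxs,o=rx "$home/repositories"  # /home/git/repositories -> 2775
}

# Octal mode of a path (GNU stat); used by the checks below.
mode_of() {
    stat -c %a "$1"
}

# Create an empty file under the given umask and report its mode. This is the
# caveat at the end of the answer: with umask 0022 the group loses write access
# to whatever a writer creates, so other writers can no longer push to it.
file_mode_with_umask() {
    dir="$1"; mask="$2"; f="$dir/umask_$mask.txt"
    (umask "$mask" && : > "$f")
    mode_of "$f"
}

demo() {
    scratch=$(mktemp -d)
    setup_repo_perms "$scratch/git"
    printf 'home dir mode:   %s\n' "$(mode_of "$scratch/git")"
    printf 'repos dir mode:  %s\n' "$(mode_of "$scratch/git/repositories")"
    printf 'umask 0002 file: %s\n' "$(file_mode_with_umask "$scratch/git/repositories" 0002)"
    printf 'umask 0022 file: %s\n' "$(file_mode_with_umask "$scratch/git/repositories" 0022)"
    rm -rf "$scratch"
}

demo
```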
