Mercurial (hg) not respecting default ACL settings

Tags: acl, mercurial

I'm trying to set fine-grained access control on various Mercurial repositories using ACLs. When I push changes to a repository, any new files created under /myrepo/.hg/store/data do not get the default permissions, and users can't access them.

The issue is reproducible. Assume the user "myuser" is part of the www-data group. On the server:

hg init /tmp/test
chown root:root /tmp/test
chmod 770 /tmp/test
setfacl -Rdm g:www-data:rwx /tmp/test
setfacl -Rm g:www-data:rwx /tmp/test

On a Windows box with TortoiseHg, set to use plink.exe for ssh with a shared key:

hg clone ssh://myuser@servername//tmp/test test
#add file test1.txt and commit to test
hg push ssh://myuser@server//tmp/test
cd ..
hg clone ssh://myuser@servername//tmp/test test2  <---FAIL

Back on the server, checking the ACL:

getfacl /tmp/test/.hg/store/data/test1.txt.i
# file: tmp/test/.hg/store/data/test1.txt.i
# owner: myuser
# group: myuser
user::rw-
group::rw-
other::r--

So the new file was not created with the default permissions I added to the parent folder /tmp/test. This problem also happens when you do hg pull on the server and hg serve on the client.

My /etc/fstab is mounting the partition with the "default,acl" options. Also, touch /tmp/test/test1 creates a file with the appropriate default permissions, as expected.

Edit

  • Mercurial version: 2.0.2-1ubuntu1
  • Linux Ubuntu 12.04

Best Answer

Here's what's probably happening:

  • You're creating a /tmp/test/.hg directory via 'hg init', presumably without group permissions due to a restrictive umask
  • You're recursively setting ACLs, but not recursively setting traditional permission bits to match
  • Mercurial copies the traditional permission bits on /tmp/test/.hg/ when creating new files under .hg
  • Thus, newly added files have no group permissions
  • By definition, this masks out any default ACL entries you've set

Fix: set proper traditional Unix permissions on your repository.
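As an added illustration (not from the question or the answer), a small Python model of the masking the answer describes: it parses getfacl output in the format shown above and applies the POSIX ACL mask to each entry, and it predicts the mask a file ends up with when its group bits are copied from the .hg directory. The getfacl text below is constructed, not the asker's real output.

```python
import stat

# Constructed getfacl output: the file inherited group:www-data:rwx from the
# directory's default ACL, but its mode was then set to match a .hg directory
# that has no group bits, which sets the ACL mask entry to '---'.
SAMPLE_ACL = """\
# file: tmp/test/.hg/store/data/test1.txt.i
# owner: myuser
# group: myuser
user::rw-
group::rw-
group:www-data:rwx
mask::---
other::r--
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def parse_perm(s):
    """'rwx' / 'r--' -> integer 0..7."""
    return sum(PERM_BITS[c] for c in s if c != "-")

def fmt_perm(n):
    """Integer 0..7 -> 'rwx' style string."""
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())

def parse_getfacl(text):
    """Return (tag, qualifier, perms) tuples, skipping '#' header lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, qual, perms = line.split(":")
        entries.append((tag, qual, parse_perm(perms)))
    return entries

def effective_rights(text):
    """Apply the mask: named users, named groups and the owning group are ANDed
    with the mask entry; user:: and other:: are never masked."""
    entries = parse_getfacl(text)
    masks = [p for t, q, p in entries if t == "mask"]
    mask = masks[0] if masks else 7  # no mask entry -> nothing is masked
    out = {}
    for tag, qual, perms in entries:
        if tag == "group" or (tag == "user" and qual):
            perms &= mask
        out[f"{tag}:{qual}"] = fmt_perm(perms)
    return out

def mask_from_mode(mode):
    """Mask a file gets when chmod'ed to a mode copied from .hg: its group bits."""
    return fmt_perm((mode & stat.S_IRWXG) >> 3)
```

A mask of `---` on the store files is exactly the symptom: `group:www-data:rwx` is still present but takes effect as `---`, so fixing the group bits on .hg (the answer's advice) is what restores access.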
