*: correct and codify various file permissions

The following files now have 0444 permissions:

- loose objects
- pack indexes
- pack files
- packs downloaded by fetch
- packs downloaded by the HTTP transport

And the following files now have 0666 permissions:

- config files
- repository indexes
- reflogs
- refs

This brings libgit2 more in line with Git.

Note that git_filebuf_commit() and git_filebuf_commit_at() have both
gained a new mode parameter.

The latter change fixes an important issue where filebufs created with
GIT_FILEBUF_TEMPORARY received 0600 permissions (due to mkstemp(3)
usage). Now we chmod() the file before renaming it into place.

Tests have been added to confirm that new commit, tag, and tree
objects are created with the right permissions. I don't have access to
Windows, so for now I've guarded the tests with "#ifndef GIT_WIN32".

src/config.h

@@ -14,6 +14,7 @@
 
 #define GIT_CONFIG_FILENAME ".gitconfig"
 #define GIT_CONFIG_FILENAME_INREPO "config"
+#define GIT_CONFIG_FILE_MODE 0666
 
 struct git_config {
 	git_vector files;

src/config_file.c

@@ -1034,7 +1034,7 @@ static int config_write(diskfile_backend *cfg, cvar_t *var)
 	if (error < GIT_SUCCESS)
 		git_filebuf_cleanup(&file);
 	else
-		error = git_filebuf_commit(&file);
+		error = git_filebuf_commit(&file, GIT_CONFIG_FILE_MODE);
 
 	git_futils_freebuffer(&cfg->reader.buffer);
 	return error;

src/fetch.c

@@ -14,6 +14,7 @@
 #include "transport.h"
 #include "remote.h"
 #include "refspec.h"
+#include "pack.h"
 #include "fetch.h"
 #include "netops.h"
 
@@ -181,7 +182,7 @@ int git_fetch__download_pack(char **out, const char *buffered, size_t buffered_s
 	}
 
 	/* A bit dodgy, but we need to keep the pack at the temporary path */
-	error = git_filebuf_commit_at(&file, file.path_lock);
+	error = git_filebuf_commit_at(&file, file.path_lock, GIT_PACK_FILE_MODE);
 cleanup:
 	if (error < GIT_SUCCESS)
 		git_filebuf_cleanup(&file);

src/filebuf.c

@@ -10,6 +10,8 @@
 #include "filebuf.h"
 #include "fileops.h"
 
+#define GIT_LOCK_FILE_MODE 0644
+
 static const size_t WRITE_BUFFER_SIZE = (4096 * 2);
 
 static int lock_file(git_filebuf *file, int flags)
@@ -24,9 +26,9 @@ static int lock_file(git_filebuf *file, int flags)
 	/* create path to the file buffer is required */
 	if (flags & GIT_FILEBUF_FORCE) {
 		/* XXX: Should dirmode here be configurable? Or is 0777 always fine? */
-		file->fd = git_futils_creat_locked_withpath(file->path_lock, 0777, 0644);
+		file->fd = git_futils_creat_locked_withpath(file->path_lock, 0777, GIT_LOCK_FILE_MODE);
 	} else {
-		file->fd = git_futils_creat_locked(file->path_lock, 0644);
+		file->fd = git_futils_creat_locked(file->path_lock, GIT_LOCK_FILE_MODE);
 	}
 
 	if (file->fd < 0)
@@ -247,17 +249,17 @@ int git_filebuf_hash(git_oid *oid, git_filebuf *file)
 	return GIT_SUCCESS;
 }
 
-int git_filebuf_commit_at(git_filebuf *file, const char *path)
+int git_filebuf_commit_at(git_filebuf *file, const char *path, mode_t mode)
 {
 	free(file->path_original);
 	file->path_original = git__strdup(path);
 	if (file->path_original == NULL)
 		return GIT_ENOMEM;
 
-	return git_filebuf_commit(file);
+	return git_filebuf_commit(file, mode);
 }
 
-int git_filebuf_commit(git_filebuf *file)
+int git_filebuf_commit(git_filebuf *file, mode_t mode)
 {
 	int error;
 
@@ -271,6 +273,11 @@ int git_filebuf_commit(git_filebuf *file)
 	p_close(file->fd);
 	file->fd = -1;
 
+	if (p_chmod(file->path_lock, mode)) {
+		error = git__throw(GIT_EOSERR, "Failed to chmod locked file before committing");
+		goto cleanup;
+	}
+
 	error = git_futils_mv_atomic(file->path_lock, file->path_original);
 
 cleanup:

src/filebuf.h

@@ -49,8 +49,8 @@ int git_filebuf_reserve(git_filebuf *file, void **buff, size_t len);
 int git_filebuf_printf(git_filebuf *file, const char *format, ...) GIT_FORMAT_PRINTF(2, 3);
 
 int git_filebuf_open(git_filebuf *lock, const char *path, int flags);
-int git_filebuf_commit(git_filebuf *lock);
-int git_filebuf_commit_at(git_filebuf *lock, const char *path);
+int git_filebuf_commit(git_filebuf *lock, mode_t mode);
+int git_filebuf_commit_at(git_filebuf *lock, const char *path, mode_t mode);
 void git_filebuf_cleanup(git_filebuf *lock);
 int git_filebuf_hash(git_oid *oid, git_filebuf *file);
 

src/index.c

@@ -262,7 +262,7 @@ int git_index_write(git_index *index)
 		return git__rethrow(error, "Failed to write index");
 	}
 
-	if ((error = git_filebuf_commit(&file)) < GIT_SUCCESS)
+	if ((error = git_filebuf_commit(&file, GIT_INDEX_FILE_MODE)) < GIT_SUCCESS)
 		return git__rethrow(error, "Failed to write index");
 
 	if (p_stat(index->index_file_path, &indexst) == 0) {

src/index.h

@@ -14,6 +14,9 @@
 #include "git2/odb.h"
 #include "git2/index.h"
 
+#define GIT_INDEX_FILE "index"
+#define GIT_INDEX_FILE_MODE 0666
+
 struct git_index {
 	git_repository *repository;
 	char *index_file_path;

src/indexer.c

@@ -272,7 +272,7 @@ int git_indexer_write(git_indexer *idx)
 	/* Figure out what the final name should be */
 	index_path(filename, idx);
 	/* Commit file */
-	error = git_filebuf_commit_at(&idx->file, filename);
+	error = git_filebuf_commit_at(&idx->file, filename, GIT_PACK_FILE_MODE);
 
 cleanup:
 	git_mwindow_free_all(&idx->pack->mwf);

src/odb.h

@@ -16,6 +16,7 @@
 
 #define GIT_OBJECTS_DIR "objects/"
 #define GIT_OBJECT_DIR_MODE 0777
+#define GIT_OBJECT_FILE_MODE 0444
 
 /* DO NOT EXPORT */
 typedef struct {

src/odb_loose.c

@@ -670,7 +670,7 @@ static int loose_backend__stream_fwrite(git_oid *oid, git_odb_stream *_stream)
 		return git__rethrow(error, "Failed to write loose backend");
 
 	stream->finished = 1;
-	return git_filebuf_commit_at(&stream->fbuf, final_path);
+	return git_filebuf_commit_at(&stream->fbuf, final_path, GIT_OBJECT_FILE_MODE);
 }
 
 static int loose_backend__stream_write(git_odb_stream *_stream, const char *data, size_t len)
@@ -790,7 +790,7 @@ static int loose_backend__write(git_oid *oid, git_odb_backend *_backend, const v
 	if ((error = git_futils_mkpath2file(final_path, GIT_OBJECT_DIR_MODE)) < GIT_SUCCESS)
 		goto cleanup;
 
-	return git_filebuf_commit_at(&fbuf, final_path);
+	return git_filebuf_commit_at(&fbuf, final_path, GIT_OBJECT_FILE_MODE);
 
 cleanup:
 	git_filebuf_cleanup(&fbuf);

src/pack.h

@@ -15,6 +15,8 @@
 #include "mwindow.h"
 #include "odb.h"
 
+#define GIT_PACK_FILE_MODE 0444
+
 #define PACK_SIGNATURE 0x5041434b	/* "PACK" */
 #define PACK_VERSION 2
 #define pack_version_ok(v) ((v) == htonl(2) || (v) == htonl(3))

src/reflog.c

@@ -71,7 +71,7 @@ static int reflog_write(const char *log_path, const char *oid_old,
 	}
 
 	git_filebuf_write(&fbuf, log.ptr, log.size);
-	error = git_filebuf_commit(&fbuf);
+	error = git_filebuf_commit(&fbuf, GIT_REFLOG_FILE_MODE);
 
 	git_buf_free(&log);
 	return error == GIT_SUCCESS ? GIT_SUCCESS : git__rethrow(error, "Failed to write reflog");

src/reflog.h

@@ -13,6 +13,7 @@
 
 #define GIT_REFLOG_DIR "logs/"
 #define GIT_REFLOG_DIR_MODE 0777
+#define GIT_REFLOG_FILE_MODE 0666
 
 #define GIT_REFLOG_SIZE_MIN (2*GIT_OID_HEXSZ+2+17)
 

src/refs.c

@@ -9,6 +9,7 @@
 #include "hash.h"
 #include "repository.h"
 #include "fileops.h"
+#include "pack.h"
 
 #include <git2/tag.h>
 #include <git2/object.h>
@@ -357,7 +358,7 @@ static int loose_write(git_reference *ref)
 		goto unlock;
 	}
 
-	error = git_filebuf_commit(&file);
+	error = git_filebuf_commit(&file, GIT_REFS_FILE_MODE);
 
 	if (p_stat(ref_path, &st) == GIT_SUCCESS)
 		ref->mtime = st.st_mtime;
@@ -870,7 +871,7 @@ cleanup:
 	/* if we've written all the references properly, we can commit
 	 * the packfile to make the changes effective */
 	if (error == GIT_SUCCESS) {
-		error = git_filebuf_commit(&pack_file);
+		error = git_filebuf_commit(&pack_file, GIT_PACK_FILE_MODE);
 
 		/* when and only when the packfile has been properly written,
 		 * we can go ahead and remove the loose refs */

src/refs.h

@@ -17,6 +17,7 @@
 #define GIT_REFS_TAGS_DIR GIT_REFS_DIR "tags/"
 #define GIT_REFS_REMOTES_DIR GIT_REFS_DIR "remotes/"
 #define GIT_REFS_DIR_MODE 0777
+#define GIT_REFS_FILE_MODE 0666
 
 #define GIT_RENAMED_REF_FILE GIT_REFS_DIR "RENAMED-REF"
 

src/repository.h

@@ -24,7 +24,6 @@
 #define GIT_DIR DOT_GIT "/"
 #define GIT_DIR_MODE 0755
 #define GIT_BARE_DIR_MODE 0777
-#define GIT_INDEX_FILE "index"
 
 struct git_object {
 	git_cached_obj cached;

src/transports/http.c

@@ -15,6 +15,7 @@
 #include "buffer.h"
 #include "pkt.h"
 #include "refs.h"
+#include "pack.h"
 #include "fetch.h"
 #include "filebuf.h"
 #include "repository.h"
@@ -702,7 +703,7 @@ static int http_download_pack(char **out, git_transport *transport, git_reposito
 	}
 
 	/* A bit dodgy, but we need to keep the pack at the temporary path */
-	error = git_filebuf_commit_at(&file, file.path_lock);
+	error = git_filebuf_commit_at(&file, file.path_lock, GIT_PACK_FILE_MODE);
 
 cleanup:
 	if (error < GIT_SUCCESS)

tests-clay/core/dirent.c

@@ -31,7 +31,7 @@ static void setup(walk_data *d)
 	state_loc = d;
 
 	for (n = d->names; n->name; n++) {
-		git_file fd = p_creat(n->name, 0600);
+		git_file fd = p_creat(n->name, 0666);
 		cl_assert(fd >= 0);
 		p_close(fd);
 		n->count = 0;

tests-clay/core/filebuf.c

@@ -27,14 +27,14 @@ void test_core_filebuf__1(void)
 	int fd;
 	char test[] = "test";
 
-	fd = p_creat(test, 0644);
+	fd = p_creat(test, 0666);
 	cl_must_pass(fd);
 	cl_must_pass(p_write(fd, "libgit2 rocks\n", 14));
 	cl_must_pass(p_close(fd));
 
 	cl_git_pass(git_filebuf_open(&file, test, GIT_FILEBUF_APPEND));
 	cl_git_pass(git_filebuf_printf(&file, "%s\n", "libgit2 rocks"));
-	cl_git_pass(git_filebuf_commit(&file));
+	cl_git_pass(git_filebuf_commit(&file, 0666));
 
 	cl_must_pass(p_unlink(test));
 }
@@ -51,7 +51,7 @@ void test_core_filebuf__2(void)
 
 	cl_git_pass(git_filebuf_open(&file, test, 0));
 	cl_git_pass(git_filebuf_write(&file, buf, sizeof(buf)));
-	cl_git_pass(git_filebuf_commit(&file));
+	cl_git_pass(git_filebuf_commit(&file, 0666));
 
 	cl_must_pass(p_unlink(test));
 }

tests-clay/core/rmdir.c

@@ -39,7 +39,7 @@ void test_core_rmdir__fail_to_delete_non_empty_dir(void)
 
 	git_path_join(file, empty_tmp_dir, "/two/file.txt");
 
-	fd = p_creat(file, 0755);
+	fd = p_creat(file, 0666);
 	cl_assert(fd >= 0);
 
 	cl_must_pass(p_close(fd));

tests-clay/status/single.c

@@ -10,7 +10,7 @@ cleanup__remove_file(void *_file)
 static void
 file_create(const char *filename, const char *content)
 {
-	int fd = p_creat(filename, 0644);
+	int fd = p_creat(filename, 0666);
 	cl_assert(fd >= 0);
 	cl_must_pass(p_write(fd, content, strlen(content)));
 	cl_must_pass(p_close(fd));

tests/t00-core.c

@@ -264,7 +264,7 @@ static int setup(walk_data *d)
 	state_loc = d;
 
 	for (n = d->names; n->name; n++) {
-		git_file fd = p_creat(n->name, 0600);
+		git_file fd = p_creat(n->name, 0666);
 		if (fd < 0)
 			return GIT_ERROR;
 		p_close(fd);
@@ -479,14 +479,14 @@ BEGIN_TEST(filebuf1, "make sure GIT_FILEBUF_APPEND works as expected")
 	int fd;
 	char test[] = "test";
 
-	fd = p_creat(test, 0644);
+	fd = p_creat(test, 0666);
 	must_pass(fd);
 	must_pass(p_write(fd, "libgit2 rocks\n", 14));
 	must_pass(p_close(fd));
 
 	must_pass(git_filebuf_open(&file, test, GIT_FILEBUF_APPEND));
 	must_pass(git_filebuf_printf(&file, "%s\n", "libgit2 rocks"));
-	must_pass(git_filebuf_commit(&file));
+	must_pass(git_filebuf_commit(&file, 0666));
 
 	must_pass(p_unlink(test));
 END_TEST
@@ -499,7 +499,7 @@ BEGIN_TEST(filebuf2, "make sure git_filebuf_write writes large buffer correctly"
 	memset(buf, 0xfe, sizeof(buf));
 	must_pass(git_filebuf_open(&file, test, 0));
 	must_pass(git_filebuf_write(&file, buf, sizeof(buf)));
-	must_pass(git_filebuf_commit(&file));
+	must_pass(git_filebuf_commit(&file, 0666));
 
 	must_pass(p_unlink(test));
 END_TEST

tests/t04-commit.c

@@ -690,6 +690,10 @@ BEGIN_TEST(write0, "write a new commit object from memory to disk")
 
 	must_be_true(strcmp(git_commit_message(commit), COMMIT_MESSAGE) == 0);
 
+#ifndef GIT_WIN32
+	must_be_true((loose_object_mode(REPOSITORY_FOLDER, (git_object *)commit) & 0777) == GIT_OBJECT_FILE_MODE);
+#endif
+
 	must_pass(remove_loose_object(REPOSITORY_FOLDER, (git_object *)commit));
 
 	git_commit_close(commit);

tests/t06-index.c

@@ -179,7 +179,7 @@ BEGIN_TEST(add0, "add a new file to the index")
 	must_pass(git_futils_mkpath2file(TEMP_REPO_FOLDER "myrepo/test.txt", 0777));
 	must_pass(git_filebuf_open(&file, TEMP_REPO_FOLDER "myrepo/test.txt", 0));
 	must_pass(git_filebuf_write(&file, "hey there\n", 10));
-	must_pass(git_filebuf_commit(&file));
+	must_pass(git_filebuf_commit(&file, 0666));
 
 	/* Store the expected hash of the file/blob
 	 * This has been generated by executing the following

tests/t08-tag.c

@@ -189,6 +189,9 @@ BEGIN_TEST(write0, "write a tag to the repository and read it again")
 	must_pass(git_reference_lookup(&ref_tag, repo, "refs/tags/the-tag"));
 	must_be_true(git_oid_cmp(git_reference_oid(ref_tag), &tag_id) == 0);
 	must_pass(git_reference_delete(ref_tag));
+#ifndef GIT_WIN32
+	must_be_true((loose_object_mode(REPOSITORY_FOLDER, (git_object *)tag) & 0777) == GIT_OBJECT_FILE_MODE);
+#endif
 
 	must_pass(remove_loose_object(REPOSITORY_FOLDER, (git_object *)tag));
 

tests/t09-tree.c

@@ -202,6 +202,7 @@ BEGIN_TEST(write3, "write a hierarchical tree from a memory")
 	must_be_true(2 == git_tree_entrycount(tree));
 #ifndef GIT_WIN32
 	must_be_true((loose_object_dir_mode(TEMP_REPO_FOLDER, (git_object *)tree) & 0777) == GIT_OBJECT_DIR_MODE);
+	must_be_true((loose_object_mode(TEMP_REPO_FOLDER, (git_object *)tree) & 0777) == GIT_OBJECT_FILE_MODE);
 #endif
 	git_tree_close(tree);
 

tests/t12-repo.c

@@ -351,7 +351,7 @@ static int write_file(const char *path, const char *content)
 			return error;
 	}
 
-	file = git_futils_creat_withpath(path, 0777, 0644);
+	file = git_futils_creat_withpath(path, 0777, 0666);
 	if (file < GIT_SUCCESS)
 		return file;
 

tests/t15-config.c

@@ -319,7 +319,7 @@ BEGIN_TEST(config16, "add a variable in a new section")
 	/* As the section wasn't removed, owerwrite the file */
 	must_pass(git_filebuf_open(&buf, CONFIG_BASE "/config10", 0));
 	must_pass(git_filebuf_write(&buf, "[empty]\n", strlen("[empty]\n")));
-	must_pass(git_filebuf_commit(&buf));
+	must_pass(git_filebuf_commit(&buf, 0666));
 END_TEST
 
 BEGIN_TEST(config17, "prefixes aren't broken")

tests/t18-status.c

@@ -37,7 +37,7 @@ static int file_create(const char *filename, const char *content)
 {
 	int fd;
 
-	fd = p_creat(filename, 0644);
+	fd = p_creat(filename, 0666);
 	if (fd == 0)
 		return GIT_ERROR;
 	if (p_write(fd, content, strlen(content)) != 0)
@@ -400,7 +400,7 @@ BEGIN_TEST(singlestatus3, "test retrieving status for a new file in an empty rep
 	must_pass(remove_placeholders(TEST_STD_REPO_FOLDER, "dummy-marker.txt"));
 
 	git_path_join(file_path, TEMP_REPO_FOLDER, filename);
-	fd = p_creat(file_path, 0644);
+	fd = p_creat(file_path, 0666);
 	must_pass(fd);
 	must_pass(p_write(fd, "new_file\n", 9));
 	must_pass(p_close(fd));

tests/test_helpers.c

@@ -110,6 +110,18 @@ void locate_loose_object(const char *repository_folder, git_object *object, char
 		*out_folder = top_folder;
 }
 
+int loose_object_mode(const char *repository_folder, git_object *object)
+{
+	char *object_path;
+	struct stat st;
+
+	locate_loose_object(repository_folder, object, &object_path, NULL);
+	assert(p_stat(object_path, &st) == 0);
+	free(object_path);
+
+	return st.st_mode;
+}
+
 int loose_object_dir_mode(const char *repository_folder, git_object *object)
 {
 	char *object_path;
@@ -175,7 +187,7 @@ int copy_file(const char *src, const char *dst)
 	if (git_futils_readbuffer(&source_buf, src) < GIT_SUCCESS)
 		return GIT_ENOTFOUND;
 
-	dst_fd = git_futils_creat_withpath(dst, 0777, 0644);
+	dst_fd = git_futils_creat_withpath(dst, 0777, 0666);
 	if (dst_fd < 0)
 		goto cleanup;
 

tests/test_helpers.h

@@ -65,6 +65,7 @@ extern int cmp_objects(git_rawobj *o, object_data *d);
 
 extern void locate_loose_object(const char *odb_dir, git_object *object, char **out, char **out_folder);
 
+extern int loose_object_mode(const char *odb_dir, git_object *object);
 extern int loose_object_dir_mode(const char *odb_dir, git_object *object);
 
 extern int remove_loose_object(const char *odb_dir, git_object *object);