Handle more file writes correctly in shared repos

dscho · gitster · commit ea56518dfe4c · 2016-01-11T14:04:29.000-08:00
In shared repositories, we have to be careful when writing files whose
permissions do not allow users other than the owner to write them.

In particular, we force the marks file of fast-export and the FETCH_HEAD
when fetching to be rewritten from scratch.

This commit does not touch other calls to fopen() that want to
write files:

 - commands that write to working tree files (core.sharedRepository
   does not affect permission bits of working tree files),
   e.g. .rej file created by "apply --reject", result of applying a
   previous conflict resolution by "rerere", "git merge-file".

 - git am, when splitting mails (git-am correctly cleans up its directory
   after finishing, so there is no need to share those files between users)

 - git submodule clone, when writing the .git file, because the file
   will not be overwritten

 - git_terminal_prompt() in compat/terminal.c, because it is not writing to
   a file at all

 - git diff --output, because the output file is clearly not intended to be
   shared between the users of the current repository

 - git fast-import, when writing a crash report, because the reports' file
   names are unique due to an embedded process ID

 - mailinfo() in mailinfo.c, because the output is clearly not intended to
   be shared between the users of the current repository

 - check_or_regenerate_marks() in remote-testsvn.c, because this is only
   used for Git's internal testing

 - git fsck, when writing lost&amp;found blobs (this should probably be
   changed, but left as a low-hanging fruit for future contributors).

Note that this patch does not touch callers of write_file() and
write_file_gently(), which would benefit from the same scrutiny as
to usage in shared repositories.  Most notable users are branch,
daemon, submodule &amp; worktree, and a worrisome call in transport.c
when updating one ref (which ignores the shared flag).

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
diff --git a/builtin/fast-export.c b/builtin/fast-export.c
@@ -880,7 +880,7 @@ static void export_marks(char *file)
 	FILE *f;
 	int e = 0;
 
-	f = fopen(file, "w");
+	f = fopen_for_writing(file);
 	if (!f)
 		die_errno("Unable to open marks file %s for writing.", file);
 
diff --git a/builtin/fetch.c b/builtin/fetch.c
@@ -836,7 +836,7 @@ static void check_not_current_branch(struct ref *ref_map)
 static int truncate_fetch_head(void)
 {
 	const char *filename = git_path_fetch_head();
-	FILE *fp = fopen(filename, "w");
+	FILE *fp = fopen_for_writing(filename);
 
 	if (!fp)
 		return error(_("cannot open %s: %s\n"), filename, strerror(errno));

Original file line number	Diff line number	Diff line change
`@@ -836,7 +836,7 @@ static void check_not_current_branch(struct ref *ref_map)`
`836`	`836`	`static int truncate_fetch_head(void)`
`837`	`837`	`{`
`838`	`838`	`const char *filename = git_path_fetch_head();`
`839`		`- FILE *fp = fopen(filename, "w");`
	`839`	`+ FILE *fp = fopen_for_writing(filename);`
`840`	`840`
`841`	`841`	`if (!fp)`
`842`	`842`	`return error(_("cannot open %s: %s\n"), filename, strerror(errno));`