X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/ce5bdf84b3233f11a2ad19035f649139515e4b5a..f1b6d06c6891946599c4ae59df7264cf819c8315:/doc/bugs/anonymous_git_push_broken_again.mdwn

diff --git a/doc/bugs/anonymous_git_push_broken_again.mdwn b/doc/bugs/anonymous_git_push_broken_again.mdwn
index 4b15fd2d5..3e34b553a 100644
--- a/doc/bugs/anonymous_git_push_broken_again.mdwn
+++ b/doc/bugs/anonymous_git_push_broken_again.mdwn
@@ -25,3 +25,41 @@ Anon git push is broken again
 >> you decide to drop it from `ikiwiki.info`, would you leave the code as-is,
 >> or drop it as broken? Any further clues what went wrong this time?
 >> *—[[Jon]], 2021-01-13*
+
+----
+
+The HEAD.lock permissions error does not come from the post-receive hook or
+from ikiwiki when it runs it. Instead, stracing git-daemon shows that it
+happens after ikiwiki has checked the push and accepted it, and exited
+successfully. 
+
+So the problem is that git-daemon is unable to write to the git repo.
+
+	drwxr-sr-x+ 8 b-git-annex b-git-annex 4096 Mar 29 17:07 /home/b-git-annex/source.git/
+
+ikiwiki-hosting's ikisite is supposed to arrange for git-daemon
+to be able to write there by using an ACL, so something about that
+must be what is broken now. --[[Joey]]
+
+Ok, found the problem. ikisite runs setfacl, and that does the right thing.
+Then ikisite runs chmod on the source.git directory (to make it suid as seen
+above). That seems to mess up the ACLs that were set earlier.
+
+The diff from good to bad ACLs, as shown by getfacl is:
+
+	-group::rwx
+	-group:ikiwiki-anon:rwx
+	-group:b-ikiwiki:rwx
+	-group:b-git-annex:rwx
+	-mask::rwx
+	+group::rwx	#effective:r-x
+	+group:ikiwiki-anon:rwx	#effective:r-x
+	+group:b-ikiwiki:rwx	#effective:r-x
+	+group:b-git-annex:rwx	#effective:r-x
+	+mask::r-x
+
+I don't understand ACLs or how a chmod could clear them but ok, ikisite needs
+to chmod before setting the ACLS.
+
+This is not an ikiwiki bug and I'll fix it in ikisite-hosting then. [[done]]
+--[[Joey]]