Please describe the problem.

I just found that the annexed files are at risk of being altered as far as I understand when the repository is shared with other users.

What steps will reproduce the problem?

Go to a temporary location for these steps.

$ git init .
$ git annex init main
$ git config core.sharedRepository group
$ echo foo > foo
$ git annex add foo
$ git annex sync

One can verify the file in the annex (aka in .git.annex/objects) is writable by the user and group.

$ ls -l foo
lrwxrwxrwx  1 christian christian 178 17. Aug 14:50 foo -> .git/annex/objects/91/9x/SHA256E-s4--b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c/SHA256E-s4--b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
$ ls -lL foo
-rw-rw-r-- 1 christian christian 4 17. Aug 16:03 foo

This makes it possible to alter the file in the annex without notification or previous unlocking.

$ echo bar > foo
$ git status
On branch master
nothing to commit, working tree clean

My understanding is that the files in the annex should be read-only to prevent just this. Only by git annex unlock a full copy is generated that can be altered by external programs.

What version of git-annex are you using? On what operating system?

$ git annex version 
git-annex version: 10.20220624-g17e4081d4
build flags: Assistant Webapp Pairing Inotify DBus DesktopNotify TorrentParser MagicMime DebugLocks Feeds Testsuite S3 WebDAV
dependency versions: aws-0.22 bloomfilter-2.0.1.0 cryptonite-0.30 DAV-1.3.4 feed-1.3.2.1 ghc-9.0.2 http-client-0.7.11 persistent-sqlite-2.13.0.3 torrent-10000.1.1 uuid-1.3.15 yesod-1.6.2
key/value backends: SHA256E SHA256 SHA512E SHA512 SHA224E SHA224 SHA384E SHA384 SHA3_256E SHA3_256 SHA3_512E SHA3_512 SHA3_224E SHA3_224 SHA3_384E SHA3_384 SKEIN256E SKEIN256 SKEIN512E SKEIN512 BLAKE2B256E BLAKE2B256 BLAKE2B512E BLAKE2B512 BLAKE2B160E BLAKE2B160 BLAKE2B224E BLAKE2B224 BLAKE2B384E BLAKE2B384 BLAKE2BP512E BLAKE2BP512 BLAKE2S256E BLAKE2S256 BLAKE2S160E BLAKE2S160 BLAKE2S224E BLAKE2S224 BLAKE2SP256E BLAKE2SP256 BLAKE2SP224E BLAKE2SP224 SHA1E SHA1 MD5E MD5 WORM URL X*
remote types: git gcrypt p2p S3 bup directory rsync web bittorrent webdav adb tahoe glacier ddar git-lfs httpalso borg hook external
operating system: linux x86_64
supported repository versions: 8 9 10
upgrade supported from repository versions: 0 1 2 3 4 5 6 7 8 9 10
local repository version: 8

Please provide any additional information below.

The transcript is interleaved in the steps above.

When repeating all steps but skipping the step git config core.sharedRepository group, the result is as expected:

$ ls -l foo
lrwxrwxrwx 1 christian christian 178 17. Aug 16:22 foo -> .git/annex/objects/91/9x/SHA256E-s4--b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c/SHA256E-s4--b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
$ ls -lL foo
-r--r--r-- 1 christian christian 4 17. Aug 16:22 foo

My motivation here is the following: I want to use the git-annex as an (external) storage backend for my Nextcloud. That will allow me to store the files deduplicated and effectively manageable way. Also, I can use it to have multiple views on my files depending on the need. As the Nextcloud server user is different from my personal user, I need a way to allow both users access to the annex.

Have you had any luck using git-annex before? (Sometimes we get tired of reading bug reports all day and a lil' positive end note does wonders)

I have used git-annex in a single-user scenario yet. So far it works like a charm. I need more time to learn to get a hold of all functions but this is okay.

done in v10 --Joey