in a setup where an rsync(+gnupg) remote is shared among different users of the same git-annex repository (ie, the people copying to there use different accounts on the rsync server), acls are not honored under some circumstances.
the error message reads as follows:
copy …filename… (to prometheus...) Reading passphrase from file descriptor 11
sending incremental file list
rsync: recv_generator: mkdir "/home/shared/photos/encrypted_storage/9a6/0ff" failed: Permission denied (13)
*** Skipping any contents from this failed directory ***
9a6/0ff/
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1070) [sender=3.0.8]
sent 185 bytes received 18 bytes 135.33 bytes/sec
total size is 2119419 speedup is 10440.49
This could have failed because --fast is enabled.
failed
the acl used in my particular case is:
# file: .
# owner: chrysn
# group: chrysn
user::rwx
group::rwx
group:family:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:family:rwx
default:mask::rwx
default:other::r-x
sub-directories are observed to have diverging permissions, though:
# file: 794
# owner: chrysn
# group: chrysn
user::rwx
group::rwx #effective:r-x
group:family:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::rwx
default:group:family:rwx
default:mask::rwx
default:other::r-x
something seems to apply the umask (default 022) and revoke group write access from the files, overruling the acl. this is not what a umask is normally used for, and smells of coreutils slavishly observing posix specs that don't consider all features -- the observed effect is exactly what's described there.
the git annex version used is 3.20121017 as in debian, the receiving site uses rsync 3.0.7; the affected directories come from a time when these very versions are known to have been used.
this is probably not a bug of git-annex alone, but affects its operation and might be solvable by invoking rsync differently.
(this is kind of a follow-up on "permission denied" in fsck on shared repo)
remote.prometheus.annex-rsync-options
with rsync options such as --acls or --no-aclsthe behavior is rooted in rsync, which behaves similar to
mkdir -p
. it can probably be worked around by configuring the rsync option--chmod=775
, but that would add executability to files.i've opened a bug in rsync's bug tracker at https://bugzilla.samba.org/show_bug.cgi?id=9377, let's see what the developer says.
rsync-options
to--chmod=755
, you can also set it to--chmod=ugo=rX
. This will cause the executable bit to be set only when the source file is already executable.