Hello,
I have the problem that, while git-annex preserves the file access rights (user, group, others) for the actual file, it does not make sure that others can access this file through the directory tree above said file:
/tmp $ mkdir test
/tmp $ chown claudius:media test
/tmp $ chmod 750 test
/tmp $ ls -dl test
drwxr-x--- 2 claudius media 40 2012-01-23 19:27 test/
/tmp $ cd test
/tmp/test $ git init --shared=all
Initialized empty shared Git repository in /tmp/test/.git/
/tmp/test $ git annex init "test"
init test ok
/tmp/test $ echo 123 > abc
/tmp/test $ chmod 640 abc
/tmp/test $ chown claudius:media abc
/tmp/test $ ls -l
total 4
-rw-r----- 1 claudius media 4 2012-01-23 19:27 abc
/tmp/test $ git annex add .
add abc (checksum...) ok
(Recording state in git...)
/tmp/test $ ls -l
total 4
lrwxrwxrwx 1 claudius claudius 176 2012-01-23 19:27 abc -> .git/annex/objects/8F/pj/SHA256-s4--181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b/SHA256-s4--181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b
/tmp/test $ ls -l .git/annex/objects/8F/pj/SHA256-s4--181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b/SHA256-s4--181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b
-r--r----- 1 claudius media 4 2012-01-23 19:27 .git/annex/objects/8F/pj/SHA256-s4--181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b/SHA256-s4--181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b
/tmp/test $ ls -lR .git/annex/objects/
.git/annex/objects/:
total 0
drwx--S--- 3 claudius claudius 60 2012-01-23 19:28 8F/
.git/annex/objects/8F:
total 0
drwx--S--- 3 claudius claudius 60 2012-01-23 19:28 pj/
.git/annex/objects/8F/pj:
total 0
dr-x--S--- 2 claudius claudius 60 2012-01-23 19:28 SHA256-s4--181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b/
.git/annex/objects/8F/pj/SHA256-s4--181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b:
total 4
-r--r----- 1 claudius media 4 2012-01-23 19:27 SHA256-s4--181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b
/tmp/test $ stat .git/annex/objects/
File: `.git/annex/objects/'
Size: 60 Blocks: 0 IO Block: 4096 directory
Device: 11h/17d Inode: 2365970 Links: 3
Access: (2700/drwx--S---) Uid: ( 1000/claudius) Gid: ( 1000/claudius)
Access: 2012-01-23 19:28:10.614948386 +0100
Modify: 2012-01-23 19:28:10.614948386 +0100
Change: 2012-01-23 19:28:10.614948386 +0100
Birth: -
The use case is that I have a rather large collection of music I would like to manage with git-annex in various locations (all of it on my external hard drive, some on my notebook etc. This music is played by MPD, which can access the collection because it is in the "media" group. After changing to git-annex, however, this fails.
I tried to avoid this specific problem by declaring the git repository to be shared, which does appear to have some effect on the other files in .git:
/tmp/test $ ls -l .git
total 16
drwx--S--- 5 claudius claudius 160 2012-01-23 19:28 annex/
drwxrwsr-x 2 claudius claudius 40 2012-01-23 19:27 branches/
-rw-rw-r-- 1 claudius claudius 218 2012-01-23 19:27 config
-rw-rw-r-- 1 claudius claudius 73 2012-01-23 19:27 description
-rw-rw-r-- 1 claudius claudius 23 2012-01-23 19:27 HEAD
drwxrwsr-x 2 claudius claudius 220 2012-01-23 19:27 hooks/
-rw-rw-r-- 1 claudius claudius 104 2012-01-23 19:28 index
drwxrwsr-x 2 claudius claudius 60 2012-01-23 19:27 info/
drwxrwsr-x 3 claudius claudius 60 2012-01-23 19:27 logs/
drwxrwsr-x 15 claudius claudius 300 2012-01-23 19:28 objects/
drwxrwsr-x 4 claudius claudius 80 2012-01-23 19:27 refs/
I could obviously try to change the rights of annex/, annex/objects etc., but I would like to avoid having to adapt them each time a new folder is added somewhere below annex/objects/.
My knowledge of git and especially git-annex is not too good, so it might well be that I missed something obvious. Any hints? 
(And thank you, of course, for taking the time to read all this)
You say you started the repo with "git init --shared" .. but what that's really meant for is bare repositories, which can have several users pushing into it, not a non-bare repository.
The strange mode on the directories "dr-x--S---" and files "-r--r-----" must be due to your umask setting though. My umask is 022 and the directories and files under
.git/annex/objectsare "drwxr-xr-x" and "-r--r--r--", which allows anyone to read them unless an upper directory blocks it -- and with this umask, none do unless I explicitly remove permissions from one to lock down a repository.About mpd, the obvious fix is to run mpd not as a system user but as yourself. I put "@reboot mpd" in my crontab to do this.
Thank you for your comment! Indeed, setting the umask to, for example, 022 has the desired effect that annex/objects etc. are executable (and in this special case also writable), my previous umask setting was 077; the "strange" permissions on the git directories was probably due to --shared=all, and the mode of "440" on the files within the git-annex tree is correct (the original file was 640 and stripped of its write permission).
Using this umask setting and newgrp to switch the default group, I was successfully able to set up the repositories.
However, I would like to suggest adding the execute bit to the directories below .git/annex/objects/ per default, even if the umask of the current shell differs. As the correct rights are already preserved in the actual files (minus their write permission) together with correct owner and group, the files are still protected the same way as previously, and because +x does not allow directory listings, no additional information can leak out either. Not having to set the umask to something "sensible" before operating git-annex would be a huge plus, too
The reason why I am not running MPD as my user is that I am a bit wary of running an application even exposed to the local network as my main user, and I see nothing wrong with running it as its own user.
Thank you again for your help and the time you put into this project!