1

I'm about to work on a new project and the .gitignore file is accessible to the web which is a bit of a security leak.

The .gitignore file's permissions are 644, i.e. -rw-r--r--. The project is on bitbucket.org; perhaps this requires the file to be accessible for the web?

I set up .git once before for a project with the below permissions:

```
drwxr-xr-x  8 www-data www-data   4096 Jan 13 09:58 .git
-r--------  1 www-data www-data    622 Dec 17 10:52 .gitignore
```

So I'm just wondering what the correct permission should be on these? In my research I've only come across info on setting git config's fileMode & permissions on hooks.

jub0bs
Holly
  • 1
    My personal approach would be to have the site root in a subdirectory, which gets around this issue. If that's not possible, use `.htaccess` to deny access to files such as `.gitignore` or anything else git-related. – Adrian Wragg Jan 21 '16 at 10:08
  • 2
    (or, use a build / deployment system that only deploys the files required to run, not maintain, the code.) – Adrian Wragg Jan 21 '16 at 10:09
  • Why would the `.gitignore` permissions be relevant? – jub0bs Jan 21 '16 at 10:17
  • @Jubobs I think they're trying to "hide" it from the web server, although the fact that it's owned by www-data in the first place means it's the wrong approach. – Adrian Wragg Jan 21 '16 at 10:21
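
The point raised in the comments above, that read-only mode bits on a file owned by www-data do not hide it from the web server, shown as an added example (not code from any poster). It lists git-related entries under a document root and applies the POSIX owner/group/other read check for the server account; the function names are this example's own, and the uid/gid are supplied by the caller.

```python
import os
import stat
import sys

# File names git creates in a working tree; none of them belong in a served directory.
GIT_NAMES = {".git", ".gitignore", ".gitattributes", ".gitmodules"}

def readable_by(mode, owner_uid, owner_gid, uid, gids):
    """POSIX mode-bit read check for a process running as uid with groups gids.

    Simplification: ACLs and the execute bits on parent directories are ignored.
    """
    if uid == 0:
        return True                       # root is not restricted by mode bits
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)  # only the owner bits apply to the owner
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def audit_docroot(docroot, server_uid, server_gids):
    """List git-related entries under docroot as (relative path, mode, server can read)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in sorted(dirnames + filenames):
            if name in GIT_NAMES:
                full = os.path.join(dirpath, name)
                st = os.lstat(full)
                findings.append((os.path.relpath(full, docroot),
                                 stat.filemode(st.st_mode),
                                 readable_by(st.st_mode, st.st_uid, st.st_gid,
                                             server_uid, server_gids)))
        dirnames[:] = [d for d in dirnames if d != ".git"]  # .git itself is the finding
    return findings

if __name__ == "__main__":
    # Usage: audit.py DOCROOT SERVER_UID SERVER_GID  (the uid/gid printed by `id www-data`)
    root, uid, gid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    for path, mode, readable in audit_docroot(root, uid, {gid}):
        print(f"{mode} {path}: {'readable' if readable else 'not readable'} by the server user")
```

Any entry it reports sits inside the served tree, so the remedies from the comments apply: move the site root to a subdirectory, deny those paths in the server configuration, or deploy without them.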

2 Answers

0

> So I'm just wondering what the correct permission should be on these

Since this file is only a configuration file which tells git to ignore files locally on your repository, you can set it with any permissions you would like to.

.gitignore is published within your source code, so if you wish to "ignore" certain files in your repo without adding them to the .gitignore (if you are afraid to publish data on the web), you can use this flag:

You can try and use the assume-unchanged flag
https://git-scm.com/docs/git-update-index

> `--[no-]assume-unchanged`
>
> When this flag is specified, the object names recorded for the paths are not updated.
>
> Instead, this option sets/unsets the "assume unchanged" bit for the paths.
>
> When the "assume unchanged" bit is on, the user promises not to change the file and allows Git to assume that the working tree file matches what is recorded in the index.
>
> If you want to change the working tree file, you need to unset the bit to tell Git. This is sometimes helpful when working with a big project on a filesystem that has very slow lstat(2) system call (e.g. cifs).
>
> Git will fail (gracefully) in case it needs to modify this file in the index e.g. when merging in a commit; thus, in case the assumed-untracked file is changed upstream, you will need to handle the situation manually.


CodeWizard
-1

This file is not harmful. My permissions are like this:

```
-rw-r--r--   1 www-data www-data  143B Jan  7 00:47 .gitignore
```
Barett
Meku