The function fopen_for_writing(), which was added in 79d7582e32 (commit: allow editing the commit message even in shared repos, 2016-01-06) and used for overwriting FETCH_HEAD since ea56518dfe (Handle more file writes correctly in shared repos, 2016-01-11), didn't do it correctly in shared repositories under Linux. This happened because in this situation the file FETCH_HEAD has mode 644 and attempting to overwrite it when running git-fetch under an account different from the one that was had originally created it, failed with EACCES, and not EPERM. However fopen_for_writing() only checked for the latter, and not the former, so it didn't even try removing the existing file and recreating it, as it was supposed to do. Fix this by checking for either EACCES or EPERM. The latter doesn't seem to be ever returned in a typical situation by open(2) under Linux, but keep checking for it as it is presumably returned under some other platform, although it's not really clear where does this happen. Signed-off-by: Vadim Zeitlin <vz-git@zeitlins.org> --- I couldn't find any system that would return EPERM for a "normal" permissions denied error, so maybe it's not worth checking for it, but I wanted to minimize the number of changes to the existing behaviour. At the very least, testing for EACCES is definitely necessary under Linux, where openat(2) returns it, and not EPERM, in the situation described above, i.e. non-writable file (even if it's in a writable directory, allowing to unlink it without problems). --- wrapper.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/wrapper.c b/wrapper.c index e1eaef2e16..f5607241da 100644 --- a/wrapper.c +++ b/wrapper.c @@ -373,11 +373,12 @@ FILE *fopen_for_writing(const char *path) { FILE *ret = fopen(path, "w"); - if (!ret && errno == EPERM) { + if (!ret && (errno == EACCES || errno == EPERM)) { + int open_error = errno; if (!unlink(path)) ret = fopen(path, "w"); else - errno = EPERM; + errno = open_error; } return ret; } -- 2.26.0.rc2
Hi Vadim, On Thu, 19 Mar 2020, Vadim Zeitlin wrote: > The function fopen_for_writing(), which was added in 79d7582e32 (commit: > allow editing the commit message even in shared repos, 2016-01-06) and > used for overwriting FETCH_HEAD since ea56518dfe (Handle more file > writes correctly in shared repos, 2016-01-11), didn't do it correctly in > shared repositories under Linux. > > This happened because in this situation the file FETCH_HEAD has mode 644 I wonder why that is. In a shared repository, it should have mode 664, I thought. > and attempting to overwrite it when running git-fetch under an account > different from the one that was had originally created it, failed with > EACCES, and not EPERM. However fopen_for_writing() only checked for the > latter, and not the former, so it didn't even try removing the existing > file and recreating it, as it was supposed to do. > > Fix this by checking for either EACCES or EPERM. The latter doesn't seem > to be ever returned in a typical situation by open(2) under Linux, but > keep checking for it as it is presumably returned under some other > platform, although it's not really clear where does this happen. > > Signed-off-by: Vadim Zeitlin <vz-git@zeitlins.org> > --- > I couldn't find any system that would return EPERM for a "normal" > permissions denied error, so maybe it's not worth checking for it, but I > wanted to minimize the number of changes to the existing behaviour. At the > very least, testing for EACCES is definitely necessary under Linux, where > openat(2) returns it, and not EPERM, in the situation described above, i.e. > non-writable file (even if it's in a writable directory, allowing to unlink > it without problems). That rationale makes sense to me, as does the patch. Thanks, Johannes > --- > wrapper.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/wrapper.c b/wrapper.c > index e1eaef2e16..f5607241da 100644 > --- a/wrapper.c > +++ b/wrapper.c > @@ -373,11 +373,12 @@ FILE *fopen_for_writing(const char *path) > { > FILE *ret = fopen(path, "w"); > > - if (!ret && errno == EPERM) { > + if (!ret && (errno == EACCES || errno == EPERM)) { > + int open_error = errno; > if (!unlink(path)) > ret = fopen(path, "w"); > else > - errno = EPERM; > + errno = open_error; > } > return ret; > } > -- > 2.26.0.rc2 >
On Wed, 25 Mar 2020 20:04:09 +0100 Johannes Schindelin wrote: JS> Hi Vadim, Hello Johannes and thanks for your reply! JS> On Thu, 19 Mar 2020, Vadim Zeitlin wrote: JS> JS> > The function fopen_for_writing(), which was added in 79d7582e32 (commit: JS> > allow editing the commit message even in shared repos, 2016-01-06) and JS> > used for overwriting FETCH_HEAD since ea56518dfe (Handle more file JS> > writes correctly in shared repos, 2016-01-11), didn't do it correctly in JS> > shared repositories under Linux. JS> > JS> > This happened because in this situation the file FETCH_HEAD has mode 644 JS> JS> I wonder why that is. In a shared repository, it should have mode 664, I JS> thought. This file is created using a simple fopen("w") and so is subject to umask. With the usual default umask value (022) its mode would be 644, regardless of the repository settings. [...snip my original description...] JS> That rationale makes sense to me, as does the patch. Sorry for a possibly stupid question, but what is the next thing to do now? The instructions in Documentation/SubmittingPatches indicate that I should wait until the "list forms consensus that [...] your patch is good", but it's not quite clear what indicates that a consensus has been reached. Is your comment above enough or should I wait for something else? And if/when it has been reached, do I really I need to resend the patch to the maintainer and cc the list as written in that document? I'm a bit surprised by this because I don't see (most) patches being resent to this list. This is obviously very non-urgent, but I'd just like to understand what, if anything, is expected from me. Thanks in advance for your guidance! VZ
Hi Vadim, On Thu, 26 Mar 2020, Vadim Zeitlin wrote: > On Wed, 25 Mar 2020 20:04:09 +0100 Johannes Schindelin wrote: > > JS> Hi Vadim, > > Hello Johannes and thanks for your reply! > > JS> On Thu, 19 Mar 2020, Vadim Zeitlin wrote: > JS> > JS> > The function fopen_for_writing(), which was added in 79d7582e32 (commit: > JS> > allow editing the commit message even in shared repos, 2016-01-06) and > JS> > used for overwriting FETCH_HEAD since ea56518dfe (Handle more file > JS> > writes correctly in shared repos, 2016-01-11), didn't do it correctly in > JS> > shared repositories under Linux. > JS> > > JS> > This happened because in this situation the file FETCH_HEAD has mode 644 > JS> > JS> I wonder why that is. In a shared repository, it should have mode 664, I > JS> thought. > > This file is created using a simple fopen("w") and so is subject to umask. > With the usual default umask value (022) its mode would be 644, regardless > of the repository settings. Maybe we should change that to an `open()` call with the explicit `0666` mode? > [...snip my original description...] > JS> That rationale makes sense to me, as does the patch. > > Sorry for a possibly stupid question, but what is the next thing to do > now? The instructions in Documentation/SubmittingPatches indicate that I > should wait until the "list forms consensus that [...] your patch is good", > but it's not quite clear what indicates that a consensus has been reached. > Is your comment above enough or should I wait for something else? And > if/when it has been reached, do I really I need to resend the patch to > the maintainer and cc the list as written in that document? I'm a bit > surprised by this because I don't see (most) patches being resent to this > list. My take is that this was waiting for a review, and I provided it (*not* asking for any changes), and if there are no further reviews, the patch should make it into the `pu` branch, then `next` and eventually `master`, at which point it will be slated for the next official `.0` version. It might make sense to ask for it to be trickled down into the `maint` branch, too, in case a `v2.26.1` is released. I would be in favor of that, but would not do the asking myself ;-) Ciao, Johannes > > This is obviously very non-urgent, but I'd just like to understand what, > if anything, is expected from me. > > Thanks in advance for your guidance! > VZ >
[-- Attachment #1: Type: TEXT/PLAIN, Size: 2632 bytes --] On Thu, 26 Mar 2020 15:40:47 +0100 (CET) Johannes Schindelin <Johannes.Schindelin@gmx.de> wrote: JS> On Thu, 26 Mar 2020, Vadim Zeitlin wrote: JS> JS> > On Wed, 25 Mar 2020 20:04:09 +0100 Johannes Schindelin wrote: JS> > JS> > JS> Hi Vadim, JS> > JS> > Hello Johannes and thanks for your reply! JS> > JS> > JS> On Thu, 19 Mar 2020, Vadim Zeitlin wrote: JS> > JS> JS> > JS> > The function fopen_for_writing(), which was added in 79d7582e32 (commit: JS> > JS> > allow editing the commit message even in shared repos, 2016-01-06) and JS> > JS> > used for overwriting FETCH_HEAD since ea56518dfe (Handle more file JS> > JS> > writes correctly in shared repos, 2016-01-11), didn't do it correctly in JS> > JS> > shared repositories under Linux. JS> > JS> > JS> > JS> > This happened because in this situation the file FETCH_HEAD has mode 644 JS> > JS> JS> > JS> I wonder why that is. In a shared repository, it should have mode 664, I JS> > JS> thought. JS> > JS> > This file is created using a simple fopen("w") and so is subject to umask. JS> > With the usual default umask value (022) its mode would be 644, regardless JS> > of the repository settings. JS> JS> Maybe we should change that to an `open()` call with the explicit `0666` JS> mode? Hello again, Sorry if I'm missing something, but AFAICS this wouldn't change anything, open() mode argument is still combined with the (negated) umask, and 0666 & !022 would still give 0644. The only ways to give this file the mode of 664 that I know about are to either temporarily reset the "group" byte of umask to 0 or to explicitly call [f]chmod() after creating it. I don't know if this is really worthwhile to do... JS> My take is that this was waiting for a review, and I provided it (*not* JS> asking for any changes), and if there are no further reviews, the patch JS> should make it into the `pu` branch, then `next` and eventually `master`, JS> at which point it will be slated for the next official `.0` version. OK, thanks (both for the review and for the explanations)! JS> It might make sense to ask for it to be trickled down into the `maint` JS> branch, too, in case a `v2.26.1` is released. I would be in favor of that, JS> but would not do the asking myself ;-) This is not really urgent to me, so I don't think I want to bother people with backporting it to `maint` neither, even if I definitely wouldn't have any objections to this. I'd just like this to work in some future version of Git without the workaround we have to use right now (which basically consists in running chmod manually) in the bright future when we upgrade to it. Thanks again, VZ [-- Attachment #2: Type: APPLICATION/PGP-SIGNATURE, Size: 196 bytes --]
[-- Attachment #1: Type: TEXT/PLAIN, Size: 2014 bytes --] On Thu, 26 Mar 2020 15:40:47 +0100 (CET) Johannes Schindelin <Johannes.Schindelin@gmx.de> wrote: JS> On Thu, 26 Mar 2020, Vadim Zeitlin wrote: JS> JS> > On Wed, 25 Mar 2020 20:04:09 +0100 Johannes Schindelin wrote: [...] JS> > JS> That rationale makes sense to me, as does the patch. JS> > JS> > Sorry for a possibly stupid question, but what is the next thing to do JS> > now? The instructions in Documentation/SubmittingPatches indicate that I JS> > should wait until the "list forms consensus that [...] your patch is good", JS> > but it's not quite clear what indicates that a consensus has been reached. JS> > Is your comment above enough or should I wait for something else? And JS> > if/when it has been reached, do I really I need to resend the patch to JS> > the maintainer and cc the list as written in that document? I'm a bit JS> > surprised by this because I don't see (most) patches being resent to this JS> > list. JS> JS> My take is that this was waiting for a review, and I provided it (*not* JS> asking for any changes), and if there are no further reviews, the patch JS> should make it into the `pu` branch, then `next` and eventually `master`, JS> at which point it will be slated for the next official `.0` version. JS> JS> It might make sense to ask for it to be trickled down into the `maint` JS> branch, too, in case a `v2.26.1` is released. I would be in favor of that, JS> but would not do the asking myself ;-) Hello again, Sorry to nag, but I'd like to return to this patch[*] because it looks like it could have fallen through the cracks: there didn't seem to be any more comments about it, except for Johannes' positive review, but it didn't get mentioned in any "What's cooking" threads since then neither. [*] https://public-inbox.org/git/20200319010321.18614-1-vz-git@zeitlins.org/ So I'd just like to ask directly, hoping that it's not inappropriate: Junio, do I need to do anything to get this patch accepted or am I just being too impatient? Thanks in advance, VZ [-- Attachment #2: Type: APPLICATION/PGP-SIGNATURE, Size: 196 bytes --]
Vadim Zeitlin <vz-git@zeitlins.org> writes:
> So I'd just like to ask directly, hoping that it's not inappropriate:
> Junio, do I need to do anything to get this patch accepted or am I just
> being too impatient?
I do not even recall seeing the discussion, so you are right to
suspect that it fell thru the cracks, and it is quite appropriate to
ping the thread directly like you did. Mind resending the patch to
the list, just to make sure nobody else sees any problems with it?
Thanks.
[-- Attachment #1: Type: TEXT/PLAIN, Size: 3321 bytes --] On Mon, 04 May 2020 09:32:44 -0700 Junio C Hamano <gitster@pobox.com> wrote: JCH> Vadim Zeitlin <vz-git@zeitlins.org> writes: JCH> JCH> > So I'd just like to ask directly, hoping that it's not inappropriate: JCH> > Junio, do I need to do anything to get this patch accepted or am I just JCH> > being too impatient? JCH> JCH> I do not even recall seeing the discussion, so you are right to JCH> suspect that it fell thru the cracks, and it is quite appropriate to JCH> ping the thread directly like you did. Mind resending the patch to JCH> the list, just to make sure nobody else sees any problems with it? Hello, Thanks for your reply and here is the patch, with its commit message and the extra notes about it, as it was sent initially. As you can see, it's a pretty trivial change, I'm mostly just puzzled how did it go unnoticed since ~4 years and was afraid I could be missing something, but it finally seems like my use case, i.e. calling git-fetch in shared repositories, is just much more rare than I thought. Thanks in advance for looking at this! VZ ---------------------------------- >8 -------------------------------------- From: Vadim Zeitlin <vz-git@zeitlins.org> Subject: [PATCH] fetch: allow running as different users in shared repositories The function fopen_for_writing(), which was added in 79d7582e32 (commit: allow editing the commit message even in shared repos, 2016-01-06) and used for overwriting FETCH_HEAD since ea56518dfe (Handle more file writes correctly in shared repos, 2016-01-11), didn't do it correctly in shared repositories under Linux. This happened because in this situation the file FETCH_HEAD has mode 644 and attempting to overwrite it when running git-fetch under an account different from the one that was had originally created it, failed with EACCES, and not EPERM. However fopen_for_writing() only checked for the latter, and not the former, so it didn't even try removing the existing file and recreating it, as it was supposed to do. Fix this by checking for either EACCES or EPERM. The latter doesn't seem to be ever returned in a typical situation by open(2) under Linux, but keep checking for it as it is presumably returned under some other platform, although it's not really clear where does this happen. Signed-off-by: Vadim Zeitlin <vz-git@zeitlins.org> --- I couldn't find any system that would return EPERM for a "normal" permissions denied error, so maybe it's not worth checking for it, but I wanted to minimize the number of changes to the existing behaviour. At the very least, testing for EACCES is definitely necessary under Linux, where openat(2) returns it, and not EPERM, in the situation described above, i.e. non-writable file (even if it's in a writable directory, allowing to unlink it without problems). --- wrapper.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/wrapper.c b/wrapper.c index e1eaef2e16..f5607241da 100644 --- a/wrapper.c +++ b/wrapper.c @@ -373,11 +373,12 @@ FILE *fopen_for_writing(const char *path) { FILE *ret = fopen(path, "w"); - if (!ret && errno == EPERM) { + if (!ret && (errno == EACCES || errno == EPERM)) { + int open_error = errno; if (!unlink(path)) ret = fopen(path, "w"); else - errno = EPERM; + errno = open_error; } return ret; } -- 2.26.0.rc2 [-- Attachment #2: Type: APPLICATION/PGP-SIGNATURE, Size: 196 bytes --]
Vadim Zeitlin <vz-git@zeitlins.org> writes: > From: Vadim Zeitlin <vz-git@zeitlins.org> > Subject: [PATCH] fetch: allow running as different users in shared repositories This pretends the change to affect ONLY "git fetch", but ... > The function fopen_for_writing(), which was added in 79d7582e32 (commit: > allow editing the commit message even in shared repos, 2016-01-06) and > used for overwriting FETCH_HEAD since ea56518dfe (Handle more file > writes correctly in shared repos, 2016-01-11), didn't do it correctly in > shared repositories under Linux. ... fopen_for_writing() is not only about FETCH_HEAD. In fact, the author of this patch knows "git fetch" was not the primary target. So, we need to make sure that (1) this change is beneficial to those other codepaths that use the helper function, and (2) describe the (good) effect of the patch on these other users in the log message. We also need to retitle the commit. Hits from "git grep fopen_for_writing" are builtin/commit.c:812: s->fp = fopen_for_writing(git_path_commit_editmsg()); That's .git/COMMIT_EDITMSG file. builtin/fast-export.c:1049: f = fopen_for_writing(file); This is inside export_marks() to create the marks file. builtin/fetch.c:1191: FILE *fp = fopen_for_writing(filename); This is the .git/FETCH_HEAD. > This happened because in this situation the file FETCH_HEAD has mode 644 > and attempting to overwrite it when running git-fetch under an account > different from the one that was had originally created it, failed with > EACCES, and not EPERM. Isn't that because FETCH_HEAD and others are not concluded with adjust_shared_perm()? The fopen_for_writing() that removes and recreates the target file sounds like a band-aid to me. The right fix we should have done when we did 79d7582e (commit: allow editing the commit message even in shared repos, 2016-01-06) would have been to open(2) with 0666 (and let the umask(2) adjust it), and then use adjust_shared_perm() to give it the desired protection bits. With the existing band-aid, we won't be able to fix incorrectly created append-only files, for example, as the band-aid depends on the contents in the existing file being expendable. Having said all that, I agree that EACCES is the right errno to detect for this band-aid, at least for FETCH_HEAD. I think COMMIT_EDITMSG is also left after "git commit" finishes, so it will share the same issue with FETCH_HEAD and the same fix should apply (this is just a hint for you to write an updated proposed log message for the patch). I haven't looked at or analysed how fast-export will get affected. I think it is used to create and leave a "marks" file, to be later read by another instance of the fast-export process, which may (or may not) further write new contents to the (same?) "marks" file, but I do not know the ramifications of unlinking and recreating. In any case, even if that is broken, it is not a new breakage this patch is introducing. You may want to look at it further to make sure you are not breaking things, though. So, here are the things I would like to see in this area: - The same patch text, but with updated commit log message, to tell readers that we have looked at all the callers that are affected, and retitle it (e.g. "fopen_for_writing: detect the reason why fopen() failed correctly" or something like that, perhaps?). - Audit other codepaths that create .git/ALL_CAPS_FILE (e.g. I see that "git branch --edit-description" creates a temporary file to edit without fopen_for_writing() band-aid and it does not use adjust_shared_perm(), but I think it should) and fix them. - The existing repositories have these files created and left whose permission bits were set according to the then-current umask without taking "core.sharedrepository" into account, so we have to keep the "if unable to open for writing, unlink and recreate" trick to salvage them. But it does not mean we need to keep creating the files with wrong mode. Update fopen_for_writing() and its users to leave the file created in the right mode by calling adjust_shared_perm(). I think fopen_for_writing() should switch from calling fopen(3) to calling open(2) and then fdopen(3) on the result as the first step. The first one is better done by you to tie the loose ends for this discussion. Other two items do not have to be done by you. Anybody interested can do them as a clean-up (only if people agree that it is a good idea to do so---so I won't mark this as a left-over-bits yet). Thanks. > diff --git a/wrapper.c b/wrapper.c > index e1eaef2e16..f5607241da 100644 > --- a/wrapper.c > +++ b/wrapper.c > @@ -373,11 +373,12 @@ FILE *fopen_for_writing(const char *path) > { > FILE *ret = fopen(path, "w"); > > - if (!ret && errno == EPERM) { > + if (!ret && (errno == EACCES || errno == EPERM)) { > + int open_error = errno; > if (!unlink(path)) > ret = fopen(path, "w"); > else > - errno = EPERM; > + errno = open_error; > } > return ret; > }
On Mon, 04 May 2020 13:39:55 -0700 Junio C Hamano <gitster@pobox.com> wrote: JCH> Vadim Zeitlin <vz-git@zeitlins.org> writes: JCH> JCH> > From: Vadim Zeitlin <vz-git@zeitlins.org> JCH> > Subject: [PATCH] fetch: allow running as different users in shared repositories Thanks for looking at this! JCH> This pretends the change to affect ONLY "git fetch", but ... JCH> JCH> > The function fopen_for_writing(), which was added in 79d7582e32 (commit: JCH> > allow editing the commit message even in shared repos, 2016-01-06) and JCH> > used for overwriting FETCH_HEAD since ea56518dfe (Handle more file JCH> > writes correctly in shared repos, 2016-01-11), didn't do it correctly in JCH> > shared repositories under Linux. JCH> JCH> ... fopen_for_writing() is not only about FETCH_HEAD. In fact, the JCH> author of this patch knows "git fetch" was not the primary target. Right, sorry, I should have been more precise. FWIW I did look at the other uses of this function, but I didn't think to mention this because I only checked that the change was not going to break the other users of this function: as all of them need a "write-only" file and just die in case of an error, recreating it and returning successfully couldn't possibly make things worse. JCH> So, we need to make sure that (1) this change is beneficial to those JCH> other codepaths that use the helper function, and (2) describe the JCH> (good) effect of the patch on these other users in the log message. JCH> We also need to retitle the commit. OK, will do. JCH> > This happened because in this situation the file FETCH_HEAD has mode 644 JCH> > and attempting to overwrite it when running git-fetch under an account JCH> > different from the one that was had originally created it, failed with JCH> > EACCES, and not EPERM. JCH> JCH> Isn't that because FETCH_HEAD and others are not concluded with JCH> adjust_shared_perm()? I didn't know about this function, but looking at its uses elsewhere, it seems indeed clear that it should be used here too. JCH> The fopen_for_writing() that removes and recreates the target file JCH> sounds like a band-aid to me. Definitely. I wondered how did we end up in a situation in which it became necessary to do it, but didn't find the answer quickly and abandoned trying to understand it. JCH> The right fix we should have done when we did 79d7582e (commit: allow JCH> editing the commit message even in shared repos, 2016-01-06) would JCH> have been to open(2) with 0666 (and let the umask(2) adjust it), and JCH> then use adjust_shared_perm() to give it the desired protection bits. JCH> With the existing band-aid, we won't be able to fix incorrectly JCH> created append-only files, for example, as the band-aid depends on the JCH> contents in the existing file being expendable. Just to reiterate what you already know, right now the band-aid is only used for expendable files, as indicated rather clearly by the name of fopen_for_writing() function, so there is no real problem here, per se, it's just a bit ugly. JCH> I haven't looked at or analysed how fast-export will get affected. JCH> I think it is used to create and leave a "marks" file, to be later JCH> read by another instance of the fast-export process, which may (or JCH> may not) further write new contents to the (same?) "marks" file, but JCH> I do not know the ramifications of unlinking and recreating. In any JCH> case, even if that is broken, it is not a new breakage this patch is JCH> introducing. You may want to look at it further to make sure you JCH> are not breaking things, though. OK, I will do it. But I also think that, in principle, you could imagine a scenario in which the behaviour could change in case of multiple concurrently running processes, e.g. if the group of the directory changed while they're running. I'm pretty sure it shouldn't be a realistic problem in practice, however, but I'll re-check it more carefully. JCH> So, here are the things I would like to see in this area: JCH> JCH> - The same patch text, but with updated commit log message, to tell JCH> readers that we have looked at all the callers that are affected, JCH> and retitle it (e.g. "fopen_for_writing: detect the reason why fopen() JCH> failed correctly" or something like that, perhaps?). OK, I'll do this. JCH> - Audit other codepaths that create .git/ALL_CAPS_FILE (e.g. I see JCH> that "git branch --edit-description" creates a temporary file to JCH> edit without fopen_for_writing() band-aid and it does not use JCH> adjust_shared_perm(), but I think it should) and fix them. This seems a bit more difficult. Do you have any hints about how could all such places be found effectively? JCH> - The existing repositories have these files created and left whose JCH> permission bits were set according to the then-current umask JCH> without taking "core.sharedrepository" into account, so we have JCH> to keep the "if unable to open for writing, unlink and recreate" JCH> trick to salvage them. But it does not mean we need to keep JCH> creating the files with wrong mode. Update fopen_for_writing() JCH> and its users to leave the file created in the right mode by JCH> calling adjust_shared_perm(). I think fopen_for_writing() should JCH> switch from calling fopen(3) to calling open(2) and then fdopen(3) JCH> on the result as the first step. Sorry, I'm not sure I follow you here. Do you want to use fchmod() here instead of just calling adjust_shared_perm()? I.e. what is the problem with using fopen()? JCH> The first one is better done by you to tie the loose ends for this JCH> discussion. I'll repost the patch after re-checking its effect on fast-export (assuming I don't find anything wrong). JCH> Other two items do not have to be done by you. Anybody interested JCH> can do them as a clean-up (only if people agree that it is a good JCH> idea to do so---so I won't mark this as a left-over-bits yet). FWIW this does seem like a good idea to me, but it's also going to be much less trivial than my patch and I'm not sure I can find the time needed to make these changes and test them in the immediate future, so even though I'll try to do it, please don't count on me. Thanks again for your review, VZ