From 3914dc0161a21653e927a2d176246bf9dead1a85 Mon Sep 17 00:00:00 2001
From: Sitaram Chamarty
Date: Sat, 2 Oct 2010 05:22:19 +0530
Subject: [PATCH] tighten permissions on install
- hardcode 0700 mode for GL_ADMINDIR tree (thanks to ma at ibitsense.com) for catching this
- honor REPO_UMASK for GL_REPO_BASE_ABS creation
- plus a minor doc update
---
 doc/install-transcript.mkd | 4 +++-
 src/gl-install | 11 ++++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/doc/install-transcript.mkd b/doc/install-transcript.mkd
index 71c97d1..1a3bcbc 100644
--- a/doc/install-transcript.mkd
+++ b/doc/install-transcript.mkd
@@ -169,7 +169,9 @@ runs on the client but installs gitolite on the server!
 **This is the only gitolite specific command in a typical install sequence**. Run it without any arguments to see a usage message. Run it without the `-q` to get a more verbose, pause-at-every-step,
-install mode that allows you to change the defaults etc.
+install mode that allows you to change the defaults (for example, if you want
+a different UMASK setting, or you want the repos to be in a different place,
+etc.)
 sita@sita-lt:src $ ./gl-easy-install -q git server sitaram you are upgrading (or installing first-time) to v0.95-38-gb0ce84d
diff --git a/src/gl-install b/src/gl-install
index db1affc..e941092 100755
--- a/src/gl-install
+++ b/src/gl-install
@@ -5,7 +5,7 @@ use strict;
 use warnings;
-our ($REPO_BASE, $GL_ADMINDIR, $GL_CONF, $GIT_PATH, $GL_PACKAGE_CONF, $GL_PACKAGE_HOOKS, $GL_PERFLOGT);
+our ($REPO_BASE, $GL_ADMINDIR, $GL_CONF, $GIT_PATH, $GL_PACKAGE_CONF, $GL_PACKAGE_HOOKS, $GL_PERFLOGT, $REPO_UMASK);
 # setup quiet mode if asked; please do not use this when running manually
 open STDOUT, ">", "/dev/null" if (@ARGV and shift eq '-q');
@@ -15,11 +15,13 @@ open STDOUT, ">", "/dev/null" if (@ARGV and shift eq '-q');
 sub wrap_mkdir {
 my $dir = shift;
+ my $perm = shift; # optional
 if ( -d $dir ) {
 print "$dir already exists\n";
 return;
 }
 mkdir($dir) or die "mkdir $dir failed: $!\n";
+ chmod $perm, $dir if $perm;
 print "created $dir\n";
 }
@@ -49,14 +51,17 @@ die "parse $ENV{GL_RC} failed: " . ($! or $@) unless do $ENV{GL_RC};
 # add a custom path for git binaries, if specified
 $ENV{PATH} .= ":$GIT_PATH" if $GIT_PATH;
+# set the umask before creating any files/directories
+umask($REPO_UMASK);
+
 # mkdir $REPO_BASE, $GL_ADMINDIR if they don't already exist
 $ENV{GL_REPO_BASE_ABS} = ( $REPO_BASE =~ m(^/) ? $REPO_BASE : "$ENV{HOME}/$REPO_BASE" );
 wrap_mkdir($ENV{GL_REPO_BASE_ABS});
-wrap_mkdir($GL_ADMINDIR);
+wrap_mkdir($GL_ADMINDIR, 0700);
 # mkdir $GL_ADMINDIR's subdirs
 for my $dir qw(conf doc keydir logs src hooks hooks/common hooks/gitolite-admin) {
 # some of them will stay empty; too lazy to fix right now ;-)
- wrap_mkdir("$GL_ADMINDIR/$dir");
+ wrap_mkdir("$GL_ADMINDIR/$dir", 0700);
 }
 # "src" and "doc" will be overwritten on each install, but not conf
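Review bot: In wrap_mkdir the new `chmod` is reached only when the directory is freshly created; the `-d $dir` branch returns before it, so a GL_ADMINDIR tree that already exists (the upgrade case) keeps whatever mode it had and is not tightened. The result of `chmod` is also ignored, so a failure leaves the directory at its umask-derived mode while the script still prints "created". If tightening existing installs is intended, apply the mode in both branches and check it, for example `chmod($perm, $dir) or die "chmod $dir failed: $!\n" if defined $perm;`. Testing `defined $perm` instead of truthiness also keeps an explicit mode of 0 from being treated as "not given".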
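Review bot: `umask($REPO_UMASK);` runs unconditionally on a value that comes from the rc file loaded by `do $ENV{GL_RC}`, and nothing in this hunk checks that the variable is defined. An rc written before the setting existed would presumably leave `$REPO_UMASK` undef, and as far as I can tell the call then establishes no restrictive mask, so `wrap_mkdir($ENV{GL_REPO_BASE_ABS})`, which passes no explicit mode, creates the repository base under whatever umask the process inherited. A guard before the call such as `defined $REPO_UMASK or die "REPO_UMASK not set in $ENV{GL_RC}\n";` would make that case visible instead of silent. The comment above the call could also say that the mask governs everything the rest of the script creates, which lies outside this hunk.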