sobolevn / git-secret

A bash-tool to store your private data inside a git repository.

Home Page: https://sobolevn.me/git-secret/

git cannot preserve permissions on the secret file

francisATgwn opened this issue

What are the steps to reproduce this issue?

  1. mkdir test; cd test
  2. git init
  3. git secret init
  4. git secret tell REDACTED
  5. touch password
  6. chmod 600 password
  7. echo REDACTED >password
  8. git secret add password
  9. git secret hide -P

What happens?

stat: cannot read file system information for '%04OLp': No such file or directory
chmod: invalid mode: ‘  File: "/Users/fferrell/tmp/test/password"\n    ID: 10000120000001a Namelen: ?       Type: apfs\nBlock size: 4096       Fundamental block size: 4096\nBlocks: Total: 120699413  Free: 80695380   Available: 80695380\nInodes: Total: 3228701185 Free: 3227815200’
Try 'chmod --help' for more information.

What were you expecting to happen?

The encrypted file would be added and, after removing the password file, executing git secret reveal would restore it with permissions 0600.

Any logs, error output, etc?

(If it’s long, please paste to https://ghostbin.com/ and insert the link here.)

Any other comments?

 ~/tmp/test > which stat
/opt/homebrew/opt/coreutils/libexec/gnubin/stat

 ~/tmp/test > stat --version
stat (GNU coreutils) 9.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Michael Meskes.

What versions of software are you using?

Operating system: (uname -a) Darwin fferrell-mac 21.6.0 Darwin Kernel Version 21.6.0: Sat Jun 18 17:05:47 PDT 2022; root:xnu-8020.140.41~1/RELEASE_ARM64_T8101 arm64 arm Darwin

git-secret path: (which git-secret) /opt/homebrew/bin/git-secret

git-secret version: (git secret --version) 0.5.0

git version: (git --version) git version 2.37.1

Shell type and version: ($SHELL --version) zsh 5.8.1 (x86_64-apple-darwin21.0)

gpg version: (gpg --version)

gpg (GnuPG) 2.3.7
libgcrypt 1.10.1
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/fferrell/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Thank you for this report. We will investigate and let you know the result.

I cannot replicate this issue on macOS Big Sur.

This functionality is also automatically tested on github actions with macOS Big Sur version 11.6.7 (20G630).

@francisATgwn Can you please post what macOS version you're using?

Also can you please confirm you're using the stock version of stat by posting the output of which stat?

@joshrabinowitz MacOS 12.5. Please see info about stat above, under Any other comments?

Ah, I see. git-secret expects OSX's version of stat. I think the fix is for git-secret to always use the OSX provided version of stat on OSX.

@francisATgwn Can you please re-test with the code in PR #920?

That does resolve the error message, but it doesn't really seem to preserve permissions very well. Maybe I'm not expecting the right behavior from git secret add -P.

The encrypted file has the same permissions as the secret file. That's not what I want preserved. I would expect that git secret reveal in a collaborator's git clone would produce the same permissions on the untracked, unencrypted file.

After committing the password.secret file (which has permissions 600), I rm password and then git secret reveal and the newly produced password file has permissions 644.

 ~/test > ls
total 8.0K
-rw-r--r-- 1 fferrell staff   9 Aug  8 14:43 password
-rw------- 1 fferrell staff 184 Aug  8 14:43 password.secret

I believe git only tracks the executable bit of the permissions. git-secret cannot change (reasonably) this behavior in git.

Understood, there is nothing git-secret can do to change which permissions that git tracks.

Am I understanding correctly, then, that the intention of the hide -P and reveal -P options is only to preserve the executable permission?

Once a file takes a round-trip through git, that's all that is preserved.
But the -P options to hide and reveal do change the perms to match the corresponding file on your local system.
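
Since only the executable bit survives the trip through git, a collaborator can check and tighten the mode of revealed plaintext files locally. The following is an added example, not code from git-secret or from anyone in this thread; the function names and the demo file are hypothetical, and it reads the mode with whichever `stat` flavor (GNU or BSD/macOS) is first on `PATH`.

```shell
#!/bin/sh
# Added example, not git-secret code. Function names are hypothetical.

# Print FILE's permission bits as four octal digits with either stat flavor.
file_mode() {
    # GNU coreutils stat: -c FORMAT. BSD/macOS stat rejects -c and fails.
    if m=$(stat -c '%a' "$1" 2>/dev/null); then
        :
    else
        # BSD/macOS stat: -f FORMAT. GNU stat reads -f as "file system",
        # which is the mismatch behind the error in this report.
        m=$(stat -f '%OLp' "$1" 2>/dev/null) || return 1
    fi
    printf '%04o\n' "0$m"   # leading 0 makes printf read the value as octal
}

# Succeed only when group and other have no access (mode ends in 00).
is_private() {
    m=$(file_mode "$1") || return 2
    case $m in
        ??00) return 0 ;;
        *)    return 1 ;;
    esac
}

# Strip group/other access from each named file that is not already
# private, and print one "path old -> new" line per file changed.
tighten_revealed() {
    for f in "$@"; do
        [ -e "$f" ] || { echo "missing: $f" >&2; continue; }
        is_private "$f" && continue
        old=$(file_mode "$f")
        chmod go-rwx "$f" && echo "$f $old -> $(file_mode "$f")"
    done
}

# Constructed demo: a plaintext file that came back 0644, as in the thread.
demo_dir=$(mktemp -d)
printf 'example\n' > "$demo_dir/password"
chmod 644 "$demo_dir/password"
tighten_revealed "$demo_dir/password"
```

Run from the repository root after `git secret reveal`, `tighten_revealed $(git secret list)` covers every tracked secret whose path contains no whitespace.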