Normalize permissions in custom hooks tar archives
In order to better ensure gitaly operations are not modifying repository data in read-only transactions, the read snapshot of all the involved repositories has its permissions set to readonly. This means that RPCs that are intended to generate an archive end up returning a very permission limited archive. So here we change the tar builder used for backing up custom hooks to generate an archive with read/write permissions. These permissions will be restricted by umask on extraction. Similar to how os.Create
uses 0o666
.
Note we could in theory use the stdlib to create this tar file, we already have a stdlib tar builder in internal/gitaly/archive
, but this would require adding symlink support which we are looking to phase out anyway (WAL/transactions do not support symlinks).