From 18b50a7e0e92e4d710472b3537a025df5f581141 Mon Sep 17 00:00:00 2001 From: Wolfgang Müller Date: Mon, 19 Jul 2021 14:33:44 +0200 Subject: git-init-shared: Allow adding users to ACLs subsequently git-init(1) allows users to safely reinitialize a git repository. This is useful, for example, if new permissions are set with --shared. This commit adds similar functionality to git-init-shared(1) by not only setting the right ACLs on the toplevel directory (and relying on ACL inheritance through the default entry), but also making sure that the correct rights are set for all files that already exist in the repository. Where before a user had to run the right 'setfacl' invocation themselves to add a new user to the access lists, now the same is possible by simply invoking git-init-shared(1) again with the right user. For example, the following invocation adds access to both 'foo' and 'bar': git init-shared repo/ foo git init-shared repo/ bar
---
 git-init-shared | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/git-init-shared b/git-init-shared
index ea18234..c06f418 100755
--- a/git-init-shared
+++ b/git-init-shared
@@ -7,16 +7,29 @@ usage() {
 exit 1
 }
+acl_mask() {
+ # Set the ACL mask for the directory. The default mask will be inherited by
+ # new directories and files (where it will correctly be set to rw-)
+ setfacl -m "d:m:rwx" "$1"
+ setfacl -m "m:rwx" "$1"
+}
+
 add_to_acl() {
- setfacl -m "d:u:$2:rwx" "$1"
- setfacl -m "u:$2:rwx" "$1"
+ # Recursively apply all necessary ACL settings as we may be reinitializing
+ # the git repository with additional authorised users.
+ # Take care *not* to recalculate the ACL mask (-n), since rwX translates to
+ # a mask of rwx even on non-directory files.
+ setfacl -Rnm "d:u:$2:rwX" "$1"
+ setfacl -Rnm "u:$2:rwX" "$1"
 }
 test $# -ge 1 || usage
 dir=$1
 shift
-mkdir "$dir"
+mkdir -p "$dir"
+
+acl_mask "$dir"
 for user in "$(id -un)" "$@"; do
 add_to_acl "$dir" "$user"
-- 
cgit v1.2.3-2-gb3c3
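Review bot: Because `mkdir -p "$dir"` now accepts an existing path, the recursive `setfacl -Rnm` calls in add_to_acl grant rwX on everything below whatever directory is named, and nothing in the hunk checks that an existing `$dir` is actually a git repository. A guard ahead of `mkdir -p`, for example `if [ -e "$dir" ] && ! git -C "$dir" rev-parse --git-dir >/dev/null 2>&1; then usage; fi`, would stop a mistyped path from being opened up to the listed users. `$2` is also pasted into the ACL entry text unvalidated, so a name containing `:` or `,` would be parsed as extra fields or entries; a check such as `id -u "$user" >/dev/null || usage` at the top of the loop body would reject anything that is not an existing account. The `for` loop closes outside the hunk, so whether setfacl failures are handled further down (or by a `set -e` above line 7) cannot be seen from here.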