Every time I switch a branch and files get replaced, they are not in the chmod they should be (because of my umask). So I've added a post-checkout hook "etckeeper init".
Do I understand it right, that this doesn't do anything but setting the file permissions correctly, as per .etckeeper file?
Saving metadata i.e. file permissions is the primary reason using etckeeper instead of plain git. What would speak against setting that up by default?
/etc/.git/hooks/post-checkout:
#!/bin/sh
# post-checkout hook for etckeeper, to restore metadata
set -e
etckeeper init -d /etc
Such a post-checkout hook makes sense, and yes,
etckeeper init
only restores file permissions when run in an existing repository. Do note that there's a window where files that are supposed to be private may be exposed, depending on your umask, before the permissions are fixed up. So I can't completely recommend doing this. It might be good to make it install a post-checkout hook that both fixes the permissions and warns that what the user is doing is not entirely safe.
Hello. I've just asked a question on stackoverflow about the safe way to do checkouts:
https://security.stackexchange.com/questions/279328/etckeeper-check-out-in-a-safe-way
Would this suffice? I mean, would this prevent exposing sensitive data in /etc?
umask 077
git checkout april_first_joke_etc
etckeeper init
umask 022 # or whatever it was before, or just quit current session
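The following is an added example, not code from the thread or from etckeeper. It models the window the maintainer describes: git creates working-tree files with mode 0666 masked by the current umask, and only afterwards does the post-checkout hook run `etckeeper init` to restore the modes recorded in `.etckeeper`. A plain file stands in for the checkout (assumption: the verifier has no git or etckeeper), the `safe_checkout` function wraps the umask/checkout/init sequence above in a subshell so the caller's umask is restored automatically, and `world_readable_files` is the check to run afterwards before trusting the hook.

```shell
#!/bin/sh
# Added example, not from the thread. Shows the exposure window between
# "git checkout" creating a file and "etckeeper init" restoring its mode.
set -e

# Create a file the way a checkout does (0666 & ~umask) under the given umask
# and report its permission string, e.g. -rw-r--r--. The umask change lives
# in a subshell, so the caller's session is untouched.
mode_after_checkout() {
    mask="$1"; file="$2"
    ( umask "$mask"; : > "$file" )
    ls -ld "$file" | cut -c1-10
}

# List regular files under a directory that "other" users can read.
# This is the audit to run after a checkout in /etc.
world_readable_files() {
    find "$1" -type f -perm -o+r
}

# The sequence from the question, confined to a subshell: the restrictive
# umask applies while git writes files and while etckeeper restores modes,
# and the previous umask is back as soon as the subshell exits.
# Assumes git and etckeeper are installed; not invoked by the demo below.
safe_checkout() {
    branch="$1"
    (
        umask 077
        cd /etc
        git checkout "$branch"
        etckeeper init -d /etc
    )
}

# Demonstration: the same "checkout" under umask 022 and under umask 077.
demo() {
    dir=$(mktemp -d)
    echo "umask 022: $(mode_after_checkout 022 "$dir/shadow-022")"   # exposed
    echo "umask 077: $(mode_after_checkout 077 "$dir/shadow-077")"   # private
    echo "world-readable files:"
    world_readable_files "$dir"
    rm -rf "$dir"
}

demo
```

Even with `safe_checkout`, files that the branch leaves unchanged keep whatever mode they already had, so the audit is still worth running after `etckeeper init` finishes.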