ACL permissions not inherited on repository folders

Summary

GitLab CE in Docker does not inherit ACL permissions when creating new repositories. 2770 is not enough to enable writes; the correct ACL permissions must also be set. However, even if the ACL is set correctly (recursively) for the repositories folder, newly created repositories will overwrite the inherited permissions, preventing writes.

Steps to reproduce

  1. Install GitLab CE in Docker (tested on Synology device).
  2. Use setfacl or synoacltool to set permissions to 2770 and to give Docker write permissions (in DSM you need to give owner and system full access recursively).
  3. Create a new repository via GitLab web interface.
  4. Check the permissions of the repository: it is 2770 but missing the ACL permissions.
  5. Try pushing to the repository - it fails.

What is the current bug behavior?

New repositories cannot be pushed to, until the permissions are updated manually.

What is the expected correct behavior?

It should be possible to push to new repositories without first manually editing repo folder permissions.

Relevant logs and/or screenshots

remote: error: insufficient permission for adding an object to repository database /var/opt/gitlab/git-data/repositories/Test/test.git/./objects/incoming-SFgTA1
remote: fatal: failed to write object
error: unpack failed: unpack-objects abnormal exit
To ssh://foobar.com:12345/Test/test.git
 ! [remote rejected] master -> master (unpacker error)
error: failed to push some refs to 'ssh://git@foobar.com:12345/Test/test.git'

Results of GitLab environment info


System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.4.5p335
Gem Version: 2.7.6
Bundler Version:1.16.2
Rake Version: 12.3.1
Redis Version: 3.2.12
Git Version: 2.18.1
Sidekiq Version:5.2.1
Go Version: unknown

GitLab information
Version: 11.4.5
Revision: f5536c6
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: https://foobar.com:1234
HTTP Clone URL: https://foobar.com:1234/some-group/some-project.git
SSH Clone URL: ssh://git@foobar.com:12345/some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 8.3.3
Repository storage paths:
  • default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git

Results of GitLab application Check


Checking GitLab Shell ...

GitLab Shell version >= 8.3.3 ? ... OK (8.3.3)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:root, or git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ...
7/9 ... wrong or missing hooks
  Try fixing it:
  sudo -u git -H /opt/gitlab/embedded/service/gitlab-shell/bin/create-hooks /var/opt/gitlab/git-data/repositories
  Check the hooks_path in config/gitlab.yml
  Check your gitlab-shell installation
  For more information see:
  doc/install/installation.md in section "GitLab Shell"
  Please fix the error above and rerun the checks.
5/11 ... repository is empty
5/12 ... repository is empty
5/13 ... repository is empty
5/16 ... repository is empty
2/17 ... wrong or missing hooks
  Try fixing it:
  sudo -u git -H /opt/gitlab/embedded/service/gitlab-shell/bin/create-hooks /var/opt/gitlab/git-data/repositories
  Check the hooks_path in config/gitlab.yml
  Check your gitlab-shell installation
  For more information see:
  doc/install/installation.md in section "GitLab Shell"
  Please fix the error above and rerun the checks.
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Reply by email is disabled in config/gitlab.yml

Checking LDAP ...

LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
7/9 ... yes
5/11 ... yes
5/12 ... yes
5/13 ... yes
5/16 ... yes
2/17 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.4.5)
Git version >= 2.9.5 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 2

Checking GitLab ... Finished

Possible fixes

Add a script to update ACL permissions of a repository on directory creation.
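
A sketch of such a script, added here as an example and not taken from the report or from GitLab: it finds repositories whose mode or ACL no longer matches what the reproduction steps set up, and re-applies both. It assumes POSIX ACLs (getfacl/setfacl, not synoacltool) and a stat that supports -c; the ACL principal user:docker and the file name audit-acl.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not from the GitLab project. Assumes POSIX ACLs (getfacl/setfacl)
# and GNU or BusyBox stat; the ACL principal "user:docker" is hypothetical.

# acl_has_rwx ENTRY
# Reads `getfacl -cp` output on stdin. Succeeds only when ENTRY has rwx both as
# an access entry and as a default (inherited by new children) entry. A line
# carrying "#effective:" (rights cut down by the mask) is not an exact match,
# so a masked entry counts as missing.
acl_has_rwx() {
    awk -v want="$1" '
        $0 == (want ":rwx")            { acc = 1 }
        $0 == ("default:" want ":rwx") { dfl = 1 }
        END { exit !(acc && dfl) }'
}

# audit_repos ROOT ENTRY
# Prints every bare repository under ROOT whose mode is not 2770 or whose ACL
# lacks ENTRY, which is the state the report describes for new repositories.
audit_repos() {
    find "$1" -type d -name '*.git' -prune | while IFS= read -r repo; do
        mode=$(stat -c '%a' "$repo")
        if [ "$mode" != 2770 ] ||
           ! getfacl -cp "$repo" 2>/dev/null | acl_has_rwx "$2"; then
            printf '%s\n' "$repo"
        fi
    done
}

# repair_repo REPO ENTRY
# Restores the mode and re-applies ENTRY as access and default ACL, recursively.
repair_repo() {
    chmod 2770 "$1" &&
    setfacl -R -m "$2:rwX,default:$2:rwX" "$1"
}

# Usage: sh audit-acl.sh /var/opt/gitlab/git-data/repositories user:docker
if [ "$#" -eq 2 ]; then
    audit_repos "$1" "$2" | while IFS= read -r repo; do
        echo "fixing $repo"
        repair_repo "$repo" "$2"
    done
fi
```

Run periodically, or from a filesystem watcher on the repositories directory, this narrows the window in which a newly created repository rejects pushes; it does not change how GitLab creates the directory.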
