It poses a security risk to search for a git directory outside of the directories owned by the current user. For example, it is common e.g. in computer pools of educational institutes to have a "scratch" space: a mounted disk with plenty of space that is regularly swiped where any authenticated user can create a directory to do their work. Merely navigating to such a space with a Git-enabled `PS1` when there is a maliciously-crafted `/scratch/.git/` can lead to a compromised account. The same holds true in multi-user setups running Windows, as `C:\` is writable to every authenticated user by default.

To plug this vulnerability, we stop Git from accepting top-level directories owned by someone other than the current user. We avoid looking at the ownership of each and every directory between the current and the top-level one (if there are any between) to avoid introducing a performance bottleneck.

This new default behavior is obviously incompatible with the concept of shared repositories, where we expect the top-level directory to be owned by only one of its legitimate users. To re-enable that use case, we add support for adding exceptions from the new default behavior via the config setting `safe.directory`.

The `safe.directory` config setting is only respected in the system and global configs, not from repository configs or via the command-line, and can have multiple values to allow for multiple shared repositories.

We are particularly careful to provide a helpful message to any user trying to use a shared repository.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
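The policy the commit message describes, written out as a small Python model (an added illustration, not Git's own code, which lives in C): only the top-level directory's owner is compared with the current user, `safe.directory` values are honoured only from system and global scope, an empty value resets the list, and `~/` and `%(prefix)/` are interpolated. The scope names, the exact-string path comparison and the sample paths are assumptions of this example.

```python
# Model of the safe.directory policy from the commit message above.
# Added illustration, not Git's code; scope names and exact-match comparison are assumptions.
import os
import tempfile
from dataclasses import dataclass

TRUSTED_SCOPES = {"system", "global"}  # repo config and `-c` are ignored


@dataclass
class ConfigEntry:
    scope: str  # "system", "global", "local" (repo config) or "command" (-c)
    value: str  # a path; "" resets the list accumulated so far


def interpolate(value: str, home: str, prefix: str) -> str:
    """Expand `~/<path>` and `%(prefix)/<path>` as the documentation describes."""
    if value.startswith("~/"):
        return os.path.join(home, value[2:])
    if value.startswith("%(prefix)/"):
        return os.path.join(prefix, value[len("%(prefix)/"):])
    return value


def safe_directories(entries, home, prefix):
    """Build the effective list, honouring scope restrictions and the empty-value reset."""
    safe = []
    for entry in entries:
        if entry.scope not in TRUSTED_SCOPES:
            continue  # a repo config or -c value could be attacker-controlled
        if entry.value == "":
            safe.clear()  # reset: drops entries read earlier (e.g. from the system config)
        else:
            safe.append(interpolate(entry.value, home, prefix))
    return safe


def is_safe(toplevel, owner_uid, current_uid, entries, home, prefix):
    """Only the top-level directory's owner is checked, never the directories in between."""
    if owner_uid == current_uid:
        return True
    # Assumption: exact string match after interpolation (no path normalisation).
    return toplevel in safe_directories(entries, home, prefix)


def check_toplevel(toplevel, entries, home, prefix):
    """Real check against the filesystem: compare the directory owner with the effective uid."""
    return is_safe(toplevel, os.stat(toplevel).st_uid, os.geteuid(), entries, home, prefix)


def own_directory_is_safe():
    """A directory created by the current user is accepted without any safe.directory entry."""
    with tempfile.TemporaryDirectory() as path:
        return check_toplevel(path, [], home="/home/user", prefix="/usr")
```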
@@ -0,0 +1,21 @@ | ||
safe.directory:: | ||
These config entries specify Git-tracked directories that are | ||
considered safe even if they are owned by someone other than the | ||
current user. By default, Git will refuse to even parse a Git | ||
config of a repository owned by someone else, let alone run its | ||
hooks, and this config setting allows users to specify exceptions, | ||
e.g. for intentionally shared repositories (see the `--shared` | ||
option in linkgit:git-init[1]). | ||
+ | ||
This is a multi-valued setting, i.e. you can add more than one directory | ||
via `git config --add`. To reset the list of safe directories (e.g. to | ||
override any such directories specified in the system config), add a | ||
`safe.directory` entry with an empty value. | ||
+ | ||
This config setting is only respected when specified in a system or global | ||
config, not when it is specified in a repository config or via the command | ||
line option `-c safe.directory=<path>`. | ||
+ | ||
The value of this setting is interpolated, i.e. `~/<path>` expands to a | ||
path relative to the home directory and `%(prefix)/<path>` expands to a | ||
path relative to Git's (runtime) prefix. |
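Review bot: the new safe.txt never states how a `safe.directory` value is compared with the repository's top-level directory, so a reader cannot tell whether a value with a trailing slash, a path reached through a symlink, or a differently-cased path on Windows will match; add a sentence after the interpolation paragraph giving the comparison rule (for example, that the value must match the top-level directory path exactly once `~/` and `%(prefix)/` have been expanded). It would also help to carry over the point the commit message makes, that only the top-level directory's owner is checked, so users understand that an entry covers exactly that one directory rather than a tree below it.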
...but not particularly careful to make sure the `safe.directory` option actually works (it doesn't on Linux) or the fix in general doesn't break `sudo {make,ninja} install` in previously working build systems.