From: Florian Schmaus <flo@geekplace.eu>
To: git@vger.kernel.org
Cc: Johannes Schindelin <Johannes.Schindelin@gmx.de>,
Junio C Hamano <gitster@pobox.com>,
Florian Schmaus <flo@geekplace.eu>
Subject: [PATCH] setup: support GIT_IGNORE_INSECURE_OWNER environment variable
Date: Wed, 26 Jun 2024 14:33:58 +0200
Message-ID: <20240626123358.420292-2-flo@geekplace.eu>
In-Reply-To: <20240626123358.420292-1-flo@geekplace.eu>
Sometimes more flexibility to disable/ignore the ownership check, besides
the safe.directory configuration option, is required.

For example, git-daemon running as nobody user, which typically has no
home directory. Therefore, we can not add the path to a user-global
configuration and adding the path to the system-wide configuration could
have negative security implications.

Therefore, make the check configurable via an environment variable.

If the environment variable GIT_IGNORE_INSECURE_OWNER is set to true,
then ignore potentially insecure ownership of git-related path
components.

Signed-off-by: Florian Schmaus <flo@geekplace.eu>
---
setup.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/setup.c b/setup.c
index 3afa6fb09b28..da3f504fb536 100644
--- a/setup.c
+++ b/setup.c
@@ -1278,6 +1278,14 @@ static int ensure_valid_ownership(const char *gitfile,
*/
git_protected_config(safe_directory_cb, &data);
+ if (data.is_safe)
+ return data.is_safe;
+
+ if (git_env_bool("GIT_IGNORE_INSECURE_OWNER", 0)) {
+ warning("ignoring dubious ownership in repository at '%s' (GIT_IGNORE_INSECURE_OWNER set)", data.path);
+ return 1;
+ }
+
return data.is_safe;
}
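Review bot: The GIT_IGNORE_INSECURE_OWNER branch returns 1 for whatever data.path is being checked, so the override is not tied to any path: every git process that inherits the variable will accept every repository it enters, which is broader than a safe.directory entry naming one directory. The diffstat shows only setup.c changing, so the variable has no documentation and no test; please document the process-wide scope next to safe.directory and add a test that covers both the set and unset cases. The warning() also fires on each call that reaches this branch, which for a long-running git-daemon may flood the log, so consider whether it should be emitted once or be suppressible. Minor style point: the added "if (data.is_safe) return data.is_safe;" could simply return 1, or the environment check could be wrapped in "if (!data.is_safe && ...)" so the function keeps a single exit on data.is_safe.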
--
2.44.2