From: John Heidemann <johnh@isi.edu>
To: git@vger.kernel.org
Subject: dubious permissions on shared repositorys as of 2.45.1
Date: Fri, 24 May 2024 10:00:31 -0700 [thread overview]
Message-ID: <924426.1716570031@dash.ant.isi.edu> (raw)
Since upgrading to git-core-2.45.1-1.fc39 (in Fedora 39),
pushing to a remote server (so one is on another computer,
in a copy shecked out with
ssh://server.example.com/home/commonuser/bare_repo.git )
where the repo is shared (core.sharedRepo 1)
and owned by someone else (say, the user is "me", but the directory is
owned by "originalauthor") throws the error:
fatal: detected dubious ownership in repository at '/home/commonuser/bare_repo.git'
To add an exception for this directory, call:
git config --global --add safe.directory /home/commonuser/bare_repo.git
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
On one hand, this message is correct:
the directory IS owned by someone else ("originalauthor", not "me").
And the suggested fix works, when it is run on the server.
But this error is new... it didn't happen last week, when the server was
running, I think git-core-2.44.1-1.fc39. It definitely didn't happen
with the git that shipped with Fedora 39, which was git-core-2.41.0-2.fc39
And since it's a shared repo (the server side git is config'ed
core.sharedRepo 1), we *intend* to have multiple people writing it,
using unix accounts and groups for access control.
Because multiple people write to it cannot be the case that all users
own the git repo on the server. That's the intended behavior!
But now, to push to it, each user has to run the safe.directory config
(a new requirement).
To make matters worse, they have to run it on the server (not just
their laptop, since there they are already owner of all the files and
directories). It's not very obvious where one should run it. (Most
other server-side messages, such as those from hooks on the server,
have the prefix "remote:" on the client.)
I suspect this problem occurs for my use case and not for other people
because often git users pushing to a remote repo push to a single user
(say, gitlab or gitea or something) and use ssh to map from the
client-side user to the common user. In this case, the remote git repo
is owned by one userid, and is probably not marked core.sharedRepo).
I suggest that the check for "does user own the repo directory" be
skipped if the repo is marked core.sharedRepo.
I suggest this is a bug and not just tigher security because (a) this
warning is new. I think since 2.44.) and (b) how else is a sharedRepo
supposed to work?!?
If you disagree and want to keep the current behavior, it would be great
if the warning message could indicate it needs to run on the remote
side.
(I tried looking at diff from 2.44.1 vs. 2.45.1, and from 2.41.1
vs. 2.45.1. I found the checks for "dubious ownership", but it was not
obvious what had changed.)
Thanks,
-John Heidemann
reply other threads:[~2024-05-24 17:06 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=924426.1716570031@dash.ant.isi.edu \
--to=johnh@isi.edu \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).