git.vger.kernel.org archive mirror
* safe.directory warnings for root-owned repositories
@ 2024-10-31  4:23 Michael Orlitzky
  2024-10-31  5:38 ` Caleb White
  0 siblings, 1 reply; 4+ messages in thread
From: Michael Orlitzky @ 2024-10-31  4:23 UTC (permalink / raw)
  To: git

If I create a new repository as root,

  $ sudo git init
  Initialized empty Git repository in /home/mjo/tmp/.git/

  $ ls -alh
  total 12K
  drwxr-xr-x  3 mjo  mjo  4.0K 2024-10-31 00:09 .
  drwxr-x--- 17 mjo  mjo  4.0K 2024-10-31 00:07 ..
  drwxr-xr-x  6 root root 4.0K 2024-10-31 00:09 .git

and attempt to do anything in it, I get a safe.directory warning:

  $ git status
  fatal: detected dubious ownership in repository at '/home/mjo/tmp'
  ...

Does that make sense? In terms of ownership, root:root is as safe as
it gets.

I'm aware that safe.directory is only scratching the surface of these
"doing things in a directory that someone else can write to" exploits,
but within the limited scope of this one feature, root ownership does
not strike me as particularly dubious.


* Re: safe.directory warnings for root-owned repositories
  2024-10-31  4:23 safe.directory warnings for root-owned repositories Michael Orlitzky
@ 2024-10-31  5:38 ` Caleb White
  2024-10-31 12:15   ` Michael Orlitzky
  0 siblings, 1 reply; 4+ messages in thread
From: Caleb White @ 2024-10-31  5:38 UTC (permalink / raw)
  To: Michael Orlitzky, git

On Wed Oct 30, 2024 at 11:23 PM CDT, Michael Orlitzky wrote:
> If I create a new repository as root,
>
>   $ sudo git init
>   Initialized empty Git repository in /home/mjo/tmp/.git/
>
>   $ ls -alh
>   total 12K
>   drwxr-xr-x  3 mjo  mjo  4.0K 2024-10-31 00:09 .
>   drwxr-x--- 17 mjo  mjo  4.0K 2024-10-31 00:07 ..
>   drwxr-xr-x  6 root root 4.0K 2024-10-31 00:09 .git
>
> and attempt to do anything in it, I get a safe.directory warning:
>
>   $ git status
>   fatal: detected dubious ownership in repository at '/home/mjo/tmp'
>   ...
>
> Does that make sense? In terms of ownership, root:root is as safe as
> it gets.
>
> I'm aware that safe.directory is only scratching the surface of these
> "doing things in a directory that someone else can write to" exploits,
> but within the limited scope of this one feature, root ownership does
> not strike me as particularly dubious.

The dubious ownership check simply reports that the directory is owned by
someone other than the user running the command, with no special handling
for the root user. While the error might not make the most sense in this
context, I'm not sure that it's worth special-casing the root user
(really the user with id = 0 as it might not be named `root`) in the
implementation.

Why would you initialize a repository as `root` in the first place?

Best,
Caleb



* Re: safe.directory warnings for root-owned repositories
  2024-10-31  5:38 ` Caleb White
@ 2024-10-31 12:15   ` Michael Orlitzky
  2024-10-31 20:04     ` Taylor Blau
  0 siblings, 1 reply; 4+ messages in thread
From: Michael Orlitzky @ 2024-10-31 12:15 UTC (permalink / raw)
  To: Caleb White; +Cc: git

On 2024-10-31 05:38:00, Caleb White wrote:
> 
> The dubious ownership check simply reports that the directory is owned by
> someone other than the user running the command, with no special handling
> for the root user. While the error might not make the most sense in this
> context, I'm not sure that it's worth special-casing the root user
> (really the user with id = 0 as it might not be named `root`) in the
> implementation.
> 
> Why would you initialize a repository as `root` in the first place?

To avoid the dubious ownership warning, obviously :)

These are shared repositories that I and my coworkers push to over
SSH. Write access is granted via ACLs, with ownership being mostly
irrelevant. (This is still "unsafe," but not for the stated reason.)

I don't necessarily have a problem with adding O(m*n) safe.directory
entries, but every once in a while someone will ask me about it, and I
don't have a good answer for why it's not safe to push to a repository
that's owned by root. I guess it's just more annoying to have to
override the warning when the warning is wrong. Though if it was
changed to "dubious repository writability," I wouldn't be able to
complain any more.


* Re: safe.directory warnings for root-owned repositories
  2024-10-31 12:15   ` Michael Orlitzky
@ 2024-10-31 20:04     ` Taylor Blau
  0 siblings, 0 replies; 4+ messages in thread
From: Taylor Blau @ 2024-10-31 20:04 UTC (permalink / raw)
  To: Michael Orlitzky; +Cc: Caleb White, git

On Thu, Oct 31, 2024 at 08:15:24AM -0400, Michael Orlitzky wrote:
> On 2024-10-31 05:38:00, Caleb White wrote:
> >
> > The dubious ownership check simply reports that the directory is owned by
> > someone other than the user running the command, with no special handling
> > for the root user. While the error might not make the most sense in this
> > context, I'm not sure that it's worth special-casing the root user
> > (really the user with id = 0 as it might not be named `root`) in the
> > implementation.
> >
> > Why would you initialize a repository as `root` in the first place?
>
> To avoid the dubious ownership warning, obviously :)

If you want to avoid the warning entirely, you can set 'safe.directory'
to "*" at the global level, and that will opt out of the check entirely.

Of course, you should consult that portion of the git-config(1) manual
page to understand the implications of doing so, but it is something
that Git supports doing.

Thanks,
Taylor
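As an added example (not code from this thread and not Git's own implementation), the following Python model captures the two points the replies make: the ownership test is plain uid equality with no special case for uid 0, which is why a root-owned `.git` trips the warning for a normal user, and a `safe.directory` value of `"*"` skips the check for every path, whereas a single-path entry covers only that repository. The helper names, the simplified path matching, the single `owner_uid` (standing in for the owner of the `.git` directory) and the uids in the scenario are assumptions or constructed values; Git's real check is written in C and handles more cases than this model.

```python
"""Simplified model of Git's safe.directory ownership check.

Added illustration, not Git's own code: the helper names, the path
matching and every uid used below are assumptions / constructed values.
"""
import os
import posixpath
from typing import Optional, Sequence

WILDCARD = "*"  # a safe.directory value of "*" opts out of the check entirely


def is_owned_by_current_user(owner_uid: int, current_uid: int) -> bool:
    """Plain uid equality: uid 0 is not special-cased, so a root-owned
    repository is 'dubious' for any non-root user, exactly as in the thread."""
    return owner_uid == current_uid


def _normalize(path: str) -> str:
    """Collapse '//' and a trailing '/' so '/home/mjo/tmp/' matches '/home/mjo/tmp'."""
    return posixpath.normpath(path)


def is_safe_directory(repo_path: str, safe_directories: Sequence[str]) -> bool:
    """True if safe.directory names this repository explicitly or contains '*'."""
    wanted = _normalize(repo_path)
    for entry in safe_directories:
        if entry == WILDCARD:          # global opt-out: every path is accepted
            return True
        if _normalize(entry) == wanted:  # per-repository allowlist entry
            return True
    return False


def check_repository(repo_path: str, owner_uid: int, current_uid: int,
                     safe_directories: Sequence[str] = ()) -> Optional[str]:
    """Return None if the command would proceed, else the fatal message Git prints."""
    if is_owned_by_current_user(owner_uid, current_uid):
        return None
    if is_safe_directory(repo_path, safe_directories):
        return None
    return (f"fatal: detected dubious ownership in repository at "
            f"'{_normalize(repo_path)}'")


def check_live(repo_path: str, safe_directories: Sequence[str] = ()) -> Optional[str]:
    """Same check against the real filesystem (POSIX only: relies on os.geteuid)."""
    owner_uid = os.stat(repo_path).st_uid
    return check_repository(repo_path, owner_uid, os.geteuid(), safe_directories)


if __name__ == "__main__":
    # Constructed scenario from the thread: .git owned by root (uid 0),
    # `git status` run by the regular user (uid 1000 is an assumption).
    repo, root, mjo = "/home/mjo/tmp", 0, 1000
    print(check_repository(repo, root, mjo))                  # the warning
    print(check_repository(repo, root, mjo, [repo]))          # explicit entry: None
    print(check_repository(repo, root, mjo, [WILDCARD]))      # "*": None, for any path
    print(check_repository("/srv/other", root, mjo, [repo]))  # entry does not cover it
```

The per-repository entry is the narrower setting: it admits exactly the paths an administrator has looked at, while `"*"` turns the check off for every directory the user ever runs Git in, which is the implication the git-config(1) text Taylor points to is about.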
