Fix: disable git's safe.directory handling completely #95

Ocramius
Member

Starting with GIT 2.35.3, GIT disallows operating on directories owned by other users.

This is to prevent hooks from taking over the system, but this container is a single-user
environment, and hooks are generally not configured on checkout anyway.

This container has a different $UID/$GID than the parent worker, which performs `git clone`.

With this `git config` change, we ignore this security scenario completely.

Ref: https://stackoverflow.com/questions/71849415/i-cannot-add-the-parent-directory-to-safe-directory-in-git/71904131#71904131

| Q             | A   |
|---------------|-----|
| Documentation | no  |
| Bugfix        | yes |
| BC Break      | no  |
| New Feature   | no  |
| RFC           | no  |
| QA            | no  |

@Ocramius Ocramius added the Bug Something isn't working label Jun 14, 2022
@Ocramius Ocramius added this to the 1.20.1 milestone Jun 14, 2022
@froschdesign
Member

Reference: https://git-scm.com/docs/git-config/2.35.2#Documentation/git-config.txt-safedirectory

@Ocramius Ocramius self-assigned this Jun 14, 2022
@Ocramius
Member Author

Thanks for the quick review, @froschdesign!

@Ocramius Ocramius merged commit d94b96a into laminas:1.20.x Jun 14, 2022
@Ocramius Ocramius deleted the fix/allow-git-operations-on-untrusted-repositories branch June 14, 2022 08:09
@Ocramius
Member Author

This needs to be replicated to operate with testuser. My steps in Dockerfile are applying this change for root 🤦

Ocramius added a commit to Ocramius/laminas-continuous-integration-action that referenced this pull request Jun 14, 2022
…ser`)

This commit repeats 42ae46d (laminas#95),
but this time accounts for the fact that we run our CI operations with the `testuser`
account.
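
The scoping problem from the follow-up comment above, as an added example (not the project's Dockerfile, which this page does not show). It assumes the setting is written with `git config --global`, as in the referenced Stack Overflow answer, and uses constructed temporary directories in place of the home directories of root and `testuser`.

```shell
#!/bin/sh
# Added illustration; not the project's Dockerfile. Temporary directories stand
# in for the home directories of root and testuser (constructed paths).

# Print the safe.directory values git reads for a user whose HOME is $1.
# GIT_CONFIG_NOSYSTEM=1 keeps the host's /etc/gitconfig out of the result,
# and the cd keeps any repository-local config out of it as well.
safe_dirs_for_home() {
    (
        unset GIT_CONFIG_GLOBAL GIT_CONFIG_SYSTEM
        cd "$1" || exit 1
        HOME="$1" XDG_CONFIG_HOME="$1/.config" GIT_CONFIG_NOSYSTEM=1 \
            git config --get-all safe.directory
    ) || true   # git exits 1 when the key is not set at all
}

# Write safe.directory=* into the per-user ("global") config under HOME $1.
# "--global" means "this user's ~/.gitconfig", not "every user on the system".
trust_all_for_home() {
    (
        unset GIT_CONFIG_GLOBAL GIT_CONFIG_SYSTEM
        HOME="$1" XDG_CONFIG_HOME="$1/.config" \
            git config --global --add safe.directory '*'
    )
}

demo() {
    work=$(mktemp -d)
    mkdir "$work/root" "$work/testuser"

    # Image build step runs as root: only root's config receives the entry.
    trust_all_for_home "$work/root"
    echo "root:               [$(safe_dirs_for_home "$work/root")]"
    echo "testuser:           [$(safe_dirs_for_home "$work/testuser")]"

    # Repeating the step for the account that actually runs git closes the gap.
    trust_all_for_home "$work/testuser"
    echo "testuser after fix: [$(safe_dirs_for_home "$work/testuser")]"

    rm -rf "$work"
}

demo
```

Listing the specific checkout path instead of `*` exempts only that directory and leaves git's ownership check active everywhere else.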