Hi, This topic has been mentioned on this mailing list before but I had trouble finding a relevant reference. Links welcome. Suppose that I add the following to .git/config in a repository on a shared computer: [pager] log = rm -fr / fsck = rm -fr / ("rm -fr /" is of course a placeholder here.) I then tell a sysadmin that git commands are producing strange output and I am having trouble understanding what is going on. They may run "git fsck" or "git log"; in either case, the output is passed to the pager I configured, allowing me to run an arbitrary command using the sysadmin's credentials. You might say that this is the sysadmin's fault, that they should have read through .git/config before running any Git commands. But I don't find it so easy to blame them. A few related cases that might not seem so dated: 1. I put my repository in a zip file and ask a Git expert to help me recover data from it, or 2. My repository is in a shared directory on NFS. Unless the administrator setting that up is very careful, it is likely that the least privileged user with write access to .git/config or .git/hooks/ may be someone that I don't want to be able to run arbitrary commands on behalf of the most privileged user working in that repository. A similar case to compare to is Linux's "perf" tool, which used to respect a .perfconfig file from the current working directory. Fortunately, nowadays "perf" only respects ~/.perfconfig and /etc/perfconfig. Proposed fix: because of case (1), I would like a way to tell Git to stop trusting any files in .git. That is: 1. Introduce a (configurable) list of "safe" configuration items that can be set in .git/config and don't respect any others. 2. But what if I want to set a different pager per-repository? I think we could do this using configuration "profiles". My ~/.config/git/profiles/ directory would contain git-style config files for repositories to include. Repositories could then contain [include] path = ~/.config/git/profiles/fancy-log-pager to make use of those settings. The facility (1) would special-case this directory to allow it to set "unsafe" settings since files there are assumed not to be under the control of an attacker. 3. Likewise for hooks: my ~/.config/git/hooks/ directory would contain hooks for repositories to make use of. Repositories could symlink to hook files from there to make use of them. That would allow the configured hooks in ~/.config/git/hooks/ to be easy to find and to upgrade in one place. To help users migrate, when a hook is present and executable in .git/hooks/, Git would print instructions for moving it to ~/.config/git/hooks/ and replacing it with a symlink after inspecting it. For backward compatibility, this facility would be controlled by a global configuration setting. If that setting is not enabled, then the current, less safe behavior would remain. One downside of (3) is its reliance on symlinks. Some alternatives: 3b. Use core.hooksPath configuration instead. Rely on (2). 3c. Introduce new hook.* configuration to be used instead of hook scripts. Rely on (2). Thoughts? Jonathan