On Wed, Apr 27, 2022 at 10:17 PM Junio C Hamano <gitster@xxxxxxxxx> wrote: > Carlo Marcelo Arenas Belón <carenas@xxxxxxxxx> writes: > > diff --git a/Documentation/config/safe.txt b/Documentation/config/safe.txt > > index 6d764fe0ccf..67f8ef5d766 100644 > > --- a/Documentation/config/safe.txt > > +++ b/Documentation/config/safe.txt > > @@ -26,3 +26,11 @@ directory was listed in the `safe.directory` list. If `safe.directory=*` > > is set in system config and you want to re-enable this protection, then > > initialize your list with an empty value before listing the repositories > > that you deem safe. > > ++ > > +When git tries to check for ownership of git repositories it will obviously > > Comma before "it will obviously". Obviously my whole paragraph could be improved further, do you want a reroll with this fix, or would instead fixup locally? > > +use the user that is being used to run git itself, but if git is running "use the user that is being used", is something my high school grammar teacher would label as a "cacophony", so feel free to provide an alternative as well there. > > +as root, it will first check if it might had been started through `sudo`, > > +and if that is the case, will use the user id that invoked sudo instead. > > This raises a design question. In a repository is owned by root, > shouldn't "sudo git describe" work? IOW, I am wondering if the > "instead" at the end of the description is what we want, or if we > want to check both the original user and "root". I think it makes sense to have both, and your implementation below seems like a good way to do it but it might not be as safe as it seems, since sometimes directories owned by root might be also world writable and therefore not necessarily safe. This is obviously not directly related to this code, but the original issue as reported in Windows for the original CVE could be traced back to the default policy to allow any authenticated user to write in the root directory. Carlo
