Dscho, the f4aa8c8b (fetch/clone: detect dubious ownership of local
repositories, 2024-04-10) is your brainchild and people seem to be unhappy
about having to adjust their settings. Is there any advice you can offer
them?

Michal Suchánek <msuchanek@xxxxxxx> writes:

> On Mon, Jun 17, 2024 at 11:15:13PM +0200, Michal Suchánek wrote:
>> Hello,
>>
>> On Mon, Jun 17, 2024 at 11:47:20AM -0700, Junio C Hamano wrote:
>> > "David C. Rankin" <drankinatty@xxxxxxxxx> writes:
>> >
>> > > The security enhancement in 2.45.1 has broken the ability to serve git
>> > > over https and ssh from a local git server running Apache. (The web
>> > > server runs as http:http on Archlinux.)
>> > >
>> > > The fix of adding the following to gitconfig (system-wide and
>> > > per-user in ~/.gitconfig) does not solve the problem:
>> > >
>> > > [safe]
>> > > directory = *
>> >
>> > It is not clear what exactly you meant by "per-user" above, so just to
>> > make sure: is this set in the global configuration file for the
>> > httpd (or whoever Apache runs as) user?
>> >
>> > The purpose of the "dubious ownership" thing is to protect the user who
>> > runs Git from random repositories with potentially malicious hooks
>> > and configuration files, so the user being protected (in this case,
>> > whoever Apache runs as) needs to declare "I trust these
>> > repositories" in its ~/.gitconfig file. What the individual owners of
>> > the /srv/my-repo.git/ project have in their ~/.gitconfig files does not
>> > matter when deciding if Apache trusts these repositories.
>>
>> It looks like the semantics of 'dubious ownership' changed recently.
>>
>> The distro backport of fixes for CVE-2024-32002 CVE-2024-32004 CVE-2024-32020
>> CVE-2024-32021 CVE-2024-32465 to 2.35.3 broke git-daemon. No amount of
>> whitelisting makes the 'fixed' git serve the repository.
>
> Same regression between 2.45.0 and 2.45.2, which allegedly fixes the
> same CVEs.
>
> Looks like downgrading to the gaping hole version is needed to serve
> repositories in general.
>
> Please consider adjusting the fix so that repositories can still be served.
>
> Thanks
>
> Michal
>
> To reproduce:
>
> cat /usr/local/bin/git-ping
> #!/bin/sh -e
>
> # Try connecting to one or more remote repository URLs
>
> while true ; do
>     git ls-remote -h "$1" >/dev/null
>     shift
>     [ -n "$1" ] || break
> done
>
> mkdir -p /srv/git/some
> chown hramrach /srv/git/some
> su hramrach -c "git init --bare /srv/git/some/repo.git"
> su hramrach -c "touch /srv/git/some/repo.git/git-daemon-export-ok"
> version=2.35.3-150300.10.36.1 ; zypper in --oldpackage git-core-$version git-daemon-$version
> systemctl start git-daemon.service
> git ping git://localhost/some/repo.git
> <nothing>
>
> version=2.35.3-150300.10.39.1 ; zypper in --oldpackage git-core-$version git-daemon-$version
> systemctl restart git-daemon.service
> git ping git://localhost/some/repo.git
> fatal: Could not read from remote repository.
>
> Please make sure you have the correct access rights
> and the repository exists.
>
>
> systemctl status git-daemon.service
> ● git-daemon.service - Git Daemon
>      Loaded: loaded (/usr/lib/systemd/system/git-daemon.service; disabled; vendor preset: disabled)
>      Active: active (running) since Thu 2024-06-06 08:29:28 CEST; 6min ago
>    Main PID: 31742 (git)
>       Tasks: 2 (limit: 4915)
>      CGroup: /system.slice/git-daemon.service
>              ├─31742 git daemon --reuseaddr --base-path=/srv/git/ --user=git-daemon --group=nogroup
>              └─31749 /usr/lib/git/git-daemon --reuseaddr --base-path=/srv/git/ --user=git-daemon --group=nogroup
>
> Jun 06 08:29:28 localhost.localdomain systemd[1]: Started Git Daemon.
> Jun 06 08:29:39 localhost.localdomain git-daemon[31756]: fatal: detected dubious ownership in repository at '/srv/git//some/repo.git'
> Jun 06 08:29:39 localhost.localdomain git-daemon[31756]: To add an exception for this directory, call:
> Jun 06 08:29:39 localhost.localdomain git-daemon[31756]:         git config --global --add safe.directory /srv/git//some/repo.git
>
> git config --global --add safe.directory /srv/git//some/repo.git
> mv ~/.gitconfig /etc/gitconfig
> git ping git://localhost/some/repo.git
> fatal: Could not read from remote repository.
>
> Please make sure you have the correct access rights
> and the repository exists.
>
> git config --global --add safe.directory /srv/git/some/repo.git
> mv ~/.gitconfig /etc/gitconfig
> git ping git://localhost/some/repo.git
> fatal: Could not read from remote repository.
>
> Please make sure you have the correct access rights
> and the repository exists.
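The point Junio makes above, that the safe.directory exception has to live in the config of the user whose git process opens the repository and not in the repository owner's, can be exercised on one machine without a second account or root. The script below is an added example; it is not code from the thread, from git-daemon, or from any distro package. It relies on GIT_TEST_ASSUME_DIFFERENT_OWNER, the environment variable git's own test suite uses to make every repository look as if someone else owned it, so the ownership check fails exactly as it would for git-daemon or httpd serving a repository owned by hramrach. The two home directories and the /srv/git/some/repo.git layout under a temp dir are made up to mirror the reproduction in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): simulate git's "dubious ownership"
# check for a single user and show which config file the exception must
# live in. GIT_TEST_ASSUME_DIFFERENT_OWNER=1 is git's own test-suite knob
# that makes every repository look foreign-owned, so no second user or
# root is needed. All directory names below are made up.
set -u

WORK=$(mktemp -d)
OWNER_HOME="$WORK/home-hramrach"        # repo owner's $HOME (irrelevant to the daemon)
SERVICE_HOME="$WORK/home-git-daemon"    # serving user's $HOME (the one git reads)
mkdir -p "$OWNER_HOME" "$SERVICE_HOME" "$WORK/srv/git/some"
git init -q --bare "$WORK/srv/git/some/repo.git"
# git compares safe.directory entries against the physical directory it
# ends up in, so record the repository path with symlinks resolved.
REPO=$(cd "$WORK/srv/git/some/repo.git" && pwd -P)

# Run git the way the serving user would: its own global config only, no
# /etc/gitconfig, and ownership forced to "not me".
as_service_user() {
    HOME="$SERVICE_HOME" GIT_CONFIG_GLOBAL="$SERVICE_HOME/.gitconfig" \
    GIT_CONFIG_NOSYSTEM=1 GIT_TEST_ASSUME_DIFFERENT_OWNER=1 git "$@"
}

# Exit status 0 when the serving user can open the repo, non-zero when git
# rejects it ("fatal: detected dubious ownership in repository at ...").
can_open_repo() {
    as_service_user -C "$REPO" rev-parse --git-dir >/dev/null 2>&1
}

# Add a safe.directory entry to the serving user's global config. Apart
# from the system config, this is the only place where it takes effect.
trust_as_service_user() {
    as_service_user config --global --add safe.directory "$1"
}

# Add the same entry to the repo owner's global config instead. This is
# the mistake Junio warns about: it changes nothing for the serving user.
trust_in_owner_config() {
    HOME="$OWNER_HOME" GIT_CONFIG_GLOBAL="$OWNER_HOME/.gitconfig" \
    git config --global --add safe.directory "$1"
}

# Drop every safe.directory entry from the serving user's config.
reset_trust() {
    as_service_user config --global --unset-all safe.directory 2>/dev/null || true
}

# Show which file each effective safe.directory entry really comes from;
# this is the first thing to check when an exception "does not work".
show_trust() {
    as_service_user config --show-origin --get-all safe.directory 2>/dev/null \
        || echo "(no safe.directory entry visible to the serving user)"
}

demo() {
    reset_trust
    printf 'no exception:             '; can_open_repo && echo open || echo rejected
    trust_in_owner_config "$REPO"
    printf "owner's ~/.gitconfig:     "; can_open_repo && echo open || echo rejected
    trust_as_service_user "$REPO"
    printf "serving user's config:    "; can_open_repo && echo open || echo rejected
    show_trust
}

demo
```

Run as-is; it prints rejected, rejected, open, then the origin of the entry that made the difference. That is the intended mechanism: the repository owner's ~/.gitconfig is never consulted, and `safe.directory = *` in the serving user's (or the system) config disables the check for every repository that user's git touches, which is why it is the blunt option. The script does not reproduce the git-daemon regression Michal reports, where even those settings did not make the patched builds serve the repository; that is the behaviour the thread is asking to have fixed.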