Hi Florian
On 26/06/2024 13:33, Florian Schmaus wrote:
Sometimes more flexibility to disable/ignore the ownership check, besides
the safe.directory configuration option, is required.
For example, git-daemon running as nobody user, which typically has no
home directory. Therefore, we can not add the path to a user-global
configuration and adding the path to the system-wide configuration could
have negative security implications.
Therefore, make the check configurable via an environment variable.
An alternative would be to allow safe.directory to be specified on the
command line with "git -c safe.directory='*' daemon ..." rather than
adding a dedicated environment variable. Or you could set $HOME to a
suitable directory when running "git daemon" and put the user-global
config file there. That directory and config file only need to be
readable by the user that "git daemon" is running under it can be owned
by root or whoever else you want.
Best Wishes
Phillip
If the environment variable GIT_IGNORE_INSECURE_OWNER is set to true,
then ignore potentially insecure ownership of git-related path
components.
Signed-off-by: Florian Schmaus <flo@xxxxxxxxxxxx>
---
setup.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/setup.c b/setup.c
index 3afa6fb09b28..da3f504fb536 100644
--- a/setup.c
+++ b/setup.c
@@ -1278,6 +1278,14 @@ static int ensure_valid_ownership(const char *gitfile,
*/
git_protected_config(safe_directory_cb, &data);
+ if (data.is_safe)
+ return data.is_safe;
+
+ if (git_env_bool("GIT_IGNORE_INSECURE_OWNER", 0)) {
+ warning("ignoring dubious ownership in repository at '%s' (GIT_IGNORE_INSECURE_OWNER set)", data.path);
+ return 1;
+ }
+
return data.is_safe;
}
