Hello,

Running git 2.48.1 here. I just noticed that if you create a .git file referencing another git repository, the ownership test is only performed on the .git file, not the actual referenced git repository.

E.g., put

    gitdir: /home/usera/gitrepo/.git/worktrees/another

in /home/userb/gitrepo/.git

Then git running as userb will happily accept usera's git repository (presumably exposing userb to whatever mischief that usera could inflict upon other users that motivated this restriction in the first place). Amusingly, git running as usera will refuse to look at its own repository, which I do believe makes the most sense.

The presence of a gitdir reference certifying the trustworthiness of a targeted git repository sounds like it could be an interesting feature, but I would prefer it be explicit, i.e., require the file contents to be:

    gitdir: /home/usera/gitrepo/.git/worktrees/another
    trust-other-user: <username>

At a minimum, I think probably more visibility of this behavior is warranted.

Best,
Antonio Russo
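An audit check for the situation reported above, added here as an example (it is not part of the original message and is not git's own code): it reads a .git file, resolves the gitdir it references, and reports when the pointer file belongs to the current user but the referenced directory does not. The function names and the `owner_of` parameter are hypothetical, and the uids in the demo are simulated.

```python
import os
import tempfile

def read_gitfile(worktree):
    """Return the absolute gitdir a '.git' *file* points to, or None if there is no gitfile."""
    dotgit = os.path.join(worktree, ".git")
    if not os.path.isfile(dotgit):
        return None  # a real .git directory (or nothing): not the case in the report
    with open(dotgit, encoding="utf-8", errors="replace") as fh:
        content = fh.read().strip()
    if not content.startswith("gitdir:"):
        return None
    target = content[len("gitdir:"):].strip()
    # A relative gitdir is resolved against the directory holding the .git file.
    return os.path.realpath(os.path.join(worktree, target))

def audit_gitfile(worktree, uid=None, owner_of=lambda p: os.stat(p).st_uid):
    """Compare the owner of the .git file with the owner of the gitdir it references."""
    uid = os.getuid() if uid is None else uid
    target = read_gitfile(worktree)
    if target is None:
        return None
    file_owner = owner_of(os.path.join(worktree, ".git"))
    target_owner = owner_of(target)
    return {
        "gitdir": target,
        "gitfile_owner": file_owner,
        "gitdir_owner": target_owner,
        # The reported case: the pointer file is ours, the referenced repository is not.
        "foreign_target": file_owner == uid and target_owner != uid,
    }

def demo():
    """Constructed layout mirroring the report inside a temp dir; owners are simulated."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        gitdir = os.path.join(root, "usera", "gitrepo", ".git", "worktrees", "another")
        worktree = os.path.join(root, "userb", "gitrepo")
        os.makedirs(gitdir)
        os.makedirs(worktree)
        with open(os.path.join(worktree, ".git"), "w") as fh:
            fh.write("gitdir: " + gitdir + "\n")
        # Simulated uids (constructed): 1001 stands for usera, 1002 for userb.
        usera_root = os.path.join(root, "usera")
        fake = lambda p: 1001 if p.startswith(usera_root) else 1002
        flagged = audit_gitfile(worktree, uid=1002, owner_of=fake)
        clean = audit_gitfile(worktree, uid=1002, owner_of=lambda p: 1002)
        return flagged, clean

if __name__ == "__main__":
    print(demo())
```

Called without `owner_of`, `audit_gitfile` uses the real file owners from `os.stat`, so it can be run over checkouts in a shared directory to list those whose .git file points at another user's repository.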