mirror of
https://github.com/git/git.git
synced 2024-05-23 05:36:09 +02:00
8959555cee
It poses a security risk to search for a git directory outside of the directories owned by the current user. For example, it is common e.g. in computer pools of educational institutes to have a "scratch" space: a mounted disk with plenty of space that is regularly swiped where any authenticated user can create a directory to do their work. Merely navigating to such a space with a Git-enabled `PS1` when there is a maliciously-crafted `/scratch/.git/` can lead to a compromised account. The same holds true in multi-user setups running Windows, as `C:\` is writable to every authenticated user by default. To plug this vulnerability, we stop Git from accepting top-level directories owned by someone other than the current user. We avoid looking at the ownership of each and every directories between the current and the top-level one (if there are any between) to avoid introducing a performance bottleneck. This new default behavior is obviously incompatible with the concept of shared repositories, where we expect the top-level directory to be owned by only one of its legitimate users. To re-enable that use case, we add support for adding exceptions from the new default behavior via the config setting `safe.directory`. The `safe.directory` config setting is only respected in the system and global configs, not from repository configs or via the command-line, and can have multiple values to allow for multiple shared repositories. We are particularly careful to provide a helpful message to any user trying to use a shared repository. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
22 lines
1.1 KiB
Plaintext
22 lines
1.1 KiB
Plaintext
safe.directory::
|
|
These config entries specify Git-tracked directories that are
|
|
considered safe even if they are owned by someone other than the
|
|
current user. By default, Git will refuse to even parse a Git
|
|
config of a repository owned by someone else, let alone run its
|
|
hooks, and this config setting allows users to specify exceptions,
|
|
e.g. for intentionally shared repositories (see the `--shared`
|
|
option in linkgit:git-init[1]).
|
|
+
|
|
This is a multi-valued setting, i.e. you can add more than one directory
|
|
via `git config --add`. To reset the list of safe directories (e.g. to
|
|
override any such directories specified in the system config), add a
|
|
`safe.directory` entry with an empty value.
|
|
+
|
|
This config setting is only respected when specified in a system or global
|
|
config, not when it is specified in a repository config or via the command
|
|
line option `-c safe.directory=<path>`.
|
|
+
|
|
The value of this setting is interpolated, i.e. `~/<path>` expands to a
|
|
path relative to the home directory and `%(prefix)/<path>` expands to a
|
|
path relative to Git's (runtime) prefix.
|