Git Repository: Restricting User Access

Background

On Linux 20.04 machines newly set up after April, if different users work with a Git repository in the same location, this error message appears:

fatal: unsafe repository ('/path/to/repo' is owned by someone else)
To add an exception for this directory, call:

    git config --global --add safe.directory /path/to/repo

This means you must be the owner of the repo to access it, even for read-only operations such as git log.

Why

This mainly stems from a dangerous vulnerability: CVE-2022-24765

Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder C:\.git, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory.

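In short, by creating a .git folder in a higher-level (parent) folder, someone can affect the repos underneath it.

The fix for this vulnerability appeared in Git version 2.35.2, released after March.

Want to get around the permission restriction introduced by this fix?

You can set safe.directory so that Git skips the check of whether the user is the same for the specified paths.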

git-scm.com/docs/git-config/#Documentation/..

safe.directory

These config entries specify Git-tracked directories that are considered safe even if they are owned by someone other than the current user. By default, Git will refuse to even parse a Git config of a repository owned by someone else, let alone run its hooks, and this config setting allows users to specify exceptions, e.g. for intentionally shared repositories (see the --shared option in git-init[1]).

This is a multi-valued setting, i.e. you can add more than one directory via git config --add. To reset the list of safe directories (e.g. to override any such directories specified in the system config), add a safe.directory entry with an empty value.

    git config --global --add safe.directory <path to repository>

For now there is no setting along the lines of group write/read.
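
To review the exceptions already configured on a shared machine, here is an added example (not from the original post or from Git itself) that applies the empty-value reset described above and classifies each remaining safe.directory entry. The function names and labels are hypothetical; the `*` value, which the Git documentation describes as opting out of the ownership check entirely, is not mentioned on this page.

```shell
#!/bin/sh
# Added example: audit safe.directory exceptions for the current user.

# Read safe.directory values on stdin (one per line, in config order) and
# print the effective list: an empty value discards every earlier entry.
effective_safe_dirs() {
    list=""
    while IFS= read -r value || [ -n "$value" ]; do
        if [ -z "$value" ]; then
            list=""
        else
            list="${list}${value}
"
        fi
    done
    printf '%s' "$list"
}

# Classify one effective entry. Paths are taken literally as stored.
classify_entry() {
    entry=$1
    if [ "$entry" = "*" ]; then
        echo "WILDCARD"        # ownership check disabled for every repository
    elif [ ! -d "$entry" ]; then
        echo "MISSING"         # stale exception: directory does not exist
    elif [ -O "$entry" ]; then
        echo "REDUNDANT"       # owned by the current user, no exception needed
    else
        echo "FOREIGN-OWNER"   # owned by someone else: confirm the share is intended
    fi
}

# Print "<label><TAB><entry>" for each effective entry read from stdin.
audit_safe_dirs() {
    effective_safe_dirs | while IFS= read -r entry; do
        printf '%s\t%s\n' "$(classify_entry "$entry")" "$entry"
    done
}

# Feed the system and global values (the scopes used by the command above).
if command -v git >/dev/null 2>&1; then
    { git config --system --get-all safe.directory 2>/dev/null
      git config --global --get-all safe.directory 2>/dev/null; } | audit_safe_dirs
fi
```

Entries reported as WILDCARD or FOREIGN-OWNER are the ones to check against the list of repositories that are meant to be shared.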