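Restricting User Access to a Git Repository
Background
On Linux 20.04 machines newly set up after April, if different users work with a Git repository in the same location, this error message appears: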
fatal: unsafe repository ('/path/to/repo' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /path/to/repo
This means you have to be the owner of the repo to access it, even for read-only operations such as git log.
Why
This mainly stems from a dangerous vulnerability: CVE-2022-24765
Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder C:\.git, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory.
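Basically, by creating a .git folder in a higher-level (parent) folder, someone can affect the repos underneath it.
The fix for this vulnerability appeared in git version 2.35.2, released after March.
Want to get around the permission restriction introduced by this fix?
You can set safe.directory so that the specified path is exempt from the check that the user is the same.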
git-scm.com/docs/git-config/#Documentation/..
These config entries specify Git-tracked directories that are considered safe even if they are owned by someone other than the current user. By default, Git will refuse to even parse a Git config of a repository owned by someone else, let alone run its hooks, and this config setting allows users to specify exceptions, e.g. for intentionally shared repositories (see the --shared option in git-init[1]).
This is a multi-valued setting, i.e. you can add more than one directory via git config --add. To reset the list of safe directories (e.g. to override any such directories specified in the system config), add a safe.directory entry with an empty value.
git config --global --add safe.directory <path to repository>
For now there is no setting along the lines of group write/read.
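
Before adding an exception, it helps to see which directory Git resolves as the repository and who owns it. The script below is an added example, not part of Git or of the original post: it approximates the ownership test by comparing only the owner of the directory that holds .git with the current user, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: approximates the ownership test behind "unsafe repository".
# Simplification: only the directory holding .git is compared to the current
# user; real Git's check covers more cases.

# Walk upward from $1 and print the first directory that contains .git,
# the same parent-directory search the CVE text describes.
find_repo_root() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    while :; do
        if [ -e "$dir/.git" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

# Numeric owner uid of a path (ls -n is POSIX, so no GNU/BSD stat split).
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# Is $1 listed verbatim in the global safe.directory values?
# Only the --global file is read here; the system config is not checked.
is_safe_listed() {
    command -v git >/dev/null 2>&1 || return 1
    git config --global --get-all safe.directory 2>/dev/null | grep -Fxq -- "$1"
}

# Print one verdict for the repository enclosing $1.
# $2 (optional) is the uid to evaluate as; it defaults to the caller's uid.
repo_verdict() {
    root=$(find_repo_root "$1") || { echo "no-repo"; return 0; }
    me=${2:-$(id -u)}
    if [ "$(owner_uid "$root")" = "$me" ]; then
        echo "owned $root"
    elif is_safe_listed "$root"; then
        echo "foreign-but-excepted $root"
    else
        echo "foreign $root"
    fi
}
```

A "foreign" verdict for a directory you did not expect to be a repository root (for example a parent of your working directory) is the situation the CVE describes, and is a reason to investigate rather than to add it to safe.directory.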