Git for windows 2.35.2 无法添加异常safe.directory
Git for windows 2.35.2 can not add exception safe.directory
我在 win10 上使用 git version 2.35.2.windows.1。
我的项目存储在我的 NAS 运行 Ubuntu 中。
我使用 samba 设置了一个 SMB 远程磁盘,并在 win10 上完成了所有必要的工作。
2.35更新后,我得到了
fatal: unsafe repository ('//192.168.1.120/sambashare/x' is owned by someone else) To add an exception for this directory, call:
git config --global --add safe.directory //192.168.1.120/sambashare/x
在我按照指示操作后,git 发出警告说:
warning: encountered old-style '//192.168.1.120/sambashare/x' that should be '%(prefix)//192.168.1.120/x'
我尝试稍微调整一下目录字符串(例如将其更改为 Z://x、Z://192.168.1.120/x 等),但无济于事。
我的 git 配置文件如下所示:
[safe] directory = //192.168.1.120/sambashare/x ,我不太确定如何解决这个问题。
目前,我正在通过 ssh 完成所有 git 工作。
提前感谢任何可能的解决方案。
对于以 /
开头的任何路径,该警告特定于 git-for-windows/git path.c
尝试使用 UNC path \192.168.1.120\sambashare\x would result, as commente by the OP LNseyJt2X-24UJ4r7KTL,在:
fatal: bad config output.
Input it via git config produce something like \\192.168.1.120\sambashare in the config file, which is not recognized.
正确的形式,如michaelosthege's 所示,是在路径前添加%(prefix)/(不仅仅是%(prefix)):
%(prefix)///192.168.1.120/x
或者降级Git为Windows(如果你真的不想看到这个警告),因为这个消息来自最近的commit 66a6bcf 对于 v2.35.2.windows.1:
mingw: deprecate old-style runtime-prefix handling in interpolate_path()
On Windows, an absolute POSIX path needs to be turned into a Windows
one.
We used to interpret paths starting with a single / as relative
to the runtime-prefix, but now these need to be prefixed with
%(prefix)/.
Let's warn for now, but still handle it.
或升级到2.5.3(见下文),opt-out和safe.directory=*
这一切都来自 With Git 2.35.2 (Q1 2022):
参见 commit 6e7ad1e (27 Nov 2021) by Carlo Marcelo Arenas Belón (carenas)。
参见 commit 53ef17d, commit 1f480d5, commit 4d0b43a, commit 93fbff0, commit 87ed4fc, commit 303b876, commit 9bcd7a8, commit 201b0c7, commit 44de39c, commit 6a2381a, commit cb95038, commit 2a9a586, commit 898225b (17 Mar 2022), commit fdcad5a (23 Mar 2022), and commit 8959555, commit bdc77d1 (02 Mar 2022) by Johannes Schindelin (dscho)。
(由 Junio C Hamano -- gitster -- in commit f1b50ec 合并,2022 年 4 月 11 日)
setup_git_directory(): add an owner check for the top-level directory
Signed-off-by: Johannes Schindelin
It poses a security risk to search for a git directory outside of the directories owned by the current user.
For example, it is common e.g. in computer pools of educational institutes to have a "scratch" space: a mounted disk with plenty of space that is regularly swiped where any authenticated user can create a directory to do their work.
Merely navigating to such a space with a Git-enabled PS1 when there is a maliciously-crafted /scratch/.git/ can lead to a compromised account.
The same holds true in multi-user setups running Windows, as C:\ is writable to every authenticated user by default.
To plug this vulnerability, we stop Git from accepting top-level directories owned by someone other than the current user.
We avoid looking at the ownership of each and every directories between the current and the top-level one (if there are any between) to avoid introducing a performance bottleneck.
This new default behavior is obviously incompatible with the concept of shared repositories, where we expect the top-level directory to be owned by only one of its legitimate users.
To re-enable that use case, we add support for adding exceptions from the new default behavior via the config setting safe.directory.
The safe.directory config setting is only respected in the system and global configs, not from repository configs or via the command-line, and can have multiple values to allow for multiple shared repositories.
We are particularly careful to provide a helpful message to any user trying to use a shared repository.
config 现在包含在其 man page 中:
include::config/safe.txt[]
git config 现在包含在其 man page 中:
safe.directory
These config entries specify Git-tracked directories that are
considered safe even if they are owned by someone other than the
current user. By default, Git will refuse to even parse a Git
config of a repository owned by someone else, let alone run its
hooks, and this config setting allows users to specify exceptions,
e.g. for intentionally shared repositories (see the --shared
option in git init).
This is a multi-valued setting, i.e. you can add more than one directory
via git config --add. To reset the list of safe directories (e.g. to
override any such directories specified in the system config), add a
safe.directory entry with an empty value.
This config setting is only respected when specified in a system or global
config, not when it is specified in a repository config or via the command
line option -c safe.directory=<path>.
The value of this setting is interpolated, i.e. ~/<path> expands to a
path relative to the home directory and %(prefix)/<path> expands to a
path relative to Git's (runtime) prefix.
2.35.3 的变化(2022 年 4 月):
参见 commit d516b2d, commit 2f0dde7, commit 1f65dd6, commit 1530434, commit 09f66d6, commit 17083c7 (13 Apr 2022) by Junio C Hamano (gitster)。
参见 commit 0f85c4a, commit e47363e (13 Apr 2022) by Derrick Stolee (derrickstolee)。
参见 commit bb50ec3 (13 Apr 2022) by Matheus Valadares (Matheus28)。
(由 Junio C Hamano -- gitster -- in commit 1ac7422 合并,2022 年 4 月 13 日)
setup: opt-out of check with safe.directory=*
Signed-off-by: Derrick Stolee
With the addition of the safe.directory in 8959555 (setup_git_directory(): add an owner check for the top-level directory, 2022-03-02, Git v2.36.0-rc2 -- merge) (setup_git_directory(): add an owner check for the top-level directory, 2022-03-02) released in v2.35.2, we are receiving feedback from a variety of users about the feature.
Some users have a very large list of shared repositories and find it cumbersome to add this config for every one of them.
In a more difficult case, certain workflows involve running Git commands within containers.
The container boundary prevents any global or system config from communicating safe.directory values from the host into the container.
Further, the container almost always runs as a different user than the owner of the directory in the host.
To simplify the reactions necessary for these users, extend the definition of the safe.directory config value to include a possible '*' value.
This value implies that all directories are safe, providing a single setting to opt-out of this protection.
Note that an empty assignment of safe.directory clears all previous values, and this is already the case with the "if (!value || !*value)" condition.
git config 现在包含在其 man page 中:
To completely opt-out of this security check, set safe.directory to the
string *. This will allow all repositories to be treated as if their
directory was listed in the safe.directory list. If safe.directory=*
is set in system config and you want to re-enable this protection, then
initialize your list with an empty value before listing the repositories
that you deem safe.
随着 Git 2.37(2022 年第 3 季度),safe.directory 进一步明确。
参见 commit 756d159, commit 424f315, commit f625639 (27 Apr 2022) by SZEDER Gábor (szeder)。
(由 Junio C Hamano -- gitster -- in commit 1256a25 合并,2022 年 5 月 20 日)
safe.directory: document and check that it's ignored in the environment
Signed-off-by: SZEDER Gábor
The description of 'safe.directory' mentions that it's respected in the system and global configs, and ignored in the repository config and on the command line, but it doesn't mention whether it's respected or ignored when specified via environment variables (nor does the commit message adding 'safe.directory' from commit 8959555 (setup_git_directory(): add an owner check for the top-level directory, 2022-03-02, Git v2.36.0-rc2 -- merge)).
Clarify that 'safe.directory' is ignored when specified in the environment, and add tests to make sure that it remains so.
git config 现在包含在其 man page 中:
config, not when it is specified in a repository config, via the command
line option -c safe.directory=<path>, or in environment variables.
最近的更新默认拒绝访问其他人的存储库,“sudo make install”和“sudo git describe(man) 停止工作。
本系列打算在保持安全的同时放松它 Git 2.37 (Q3 2022).
参见 commit b9063af, commit ae9abbb, commit 5f1a3fe (12 May 2022) by Carlo Marcelo Arenas Belón (carenas)。
(由 Junio C Hamano -- gitster -- in commit 2088a0c 合并,2022 年 5 月 26 日)
git-compat-util: avoid failing dir ownership checks if running privileged
Reported-by: Guy Maurel
Helped-by: SZEDER Gábor
Helped-by: Randall Becker
Helped-by: Phillip Wood
Suggested-by: Johannes Schindelin
Signed-off-by: Carlo Marcelo Arenas Belón
bdc77d1 ("Add a function to determine whether a path is owned by the current user", 2022-03-02, Git v2.36.0-rc2 -- merge) checks for the effective uid of the running process using geteuid(), but didn't account for cases where that user was root (because git was invoked through sudo or a compatible tool) and the original uid that repository trusted for its config was no longer known, therefore failing the following otherwise safe call:
guy@renard ~/Software/uncrustify $ sudo git describe --always --dirty
[sudo] password for guy:
fatal: unsafe repository ('/home/guy/Software/uncrustify' is owned by someone else)
Attempt to detect those cases by using the environment variables that those tools create to keep track of the original user id, and do the ownership check using that instead.
This assumes the environment the user is running on after going privileged can't be tampered with, and also adds code to restrict that the new behavior only applies if running as root, therefore keeping the most common case, which runs unprivileged, from changing, but because of that, it will miss cases where sudo (or an equivalent) was used to change to another unprivileged user or where the equivalent tool used to raise privileges didn't track the original id in a sudo compatible way.
Because of compatibility with sudo, the code assumes that uid_t is an unsigned integer type (which is not required by the standard) but is used that way in their codebase to generate SUDO_UID.
In systems where uid_t is signed, sudo might be also patched to NOT be unsigned and that might be able to trigger an edge case and a bug (as described in the code), but it is considered unlikely to happen and even if it does, the code would just mostly fail safely, so there was no attempt either to detect it or prevent it by the code, which is something that might change in the future, based on expected user feedback.
git config 现在包含在其 man page 中:
As explained, Git only allows you to access repositories owned by
yourself, i.e. the user who is running Git, by default.
When Git
is running as 'root' in a non Windows platform that provides sudo,
however, git checks the SUDO_UID environment variable that sudo creates
and will allow access to the uid recorded as its value instead.
This is to make it easy to perform a common sequence during installation
"make && sudo make install".
A git process running under 'sudo' runs as 'root' but the 'sudo' command exports the environment variable to record
which id the original user has.
If that is not what you would prefer and want git to only trust
repositories that are owned by root instead, then you must remove
the SUDO_UID variable from root's environment before invoking git.
- 前缀必须包含尾部
/。字面意思是这样的:%(prefix)/.
- 您是否必须使用主机名、IP 地址或 FQDN 取决于您安装网络共享的方式。
运行 net use 列出挂载共享的确切远程路径。
工作示例
如果网络共享挂载为 \123.123.123.123\repoA 运行
git config --global --add safe.directory %(prefix)///123.123.123.123/repoA
如果网络共享挂载为 \servername\repoB 运行
git config --global --add safe.directory %(prefix)///servername/repoB
如果网络共享挂载为 \servername.company.com\repoC 运行
git config --global --add safe.directory %(prefix)///servername.company.com/repoC
或者,您可以使用 git config --global --edit 将配置编辑为以下
[safe]
directory = %(prefix)///123.123.123.123/repoA
directory = %(prefix)///servername/repoB
directory = %(prefix)///servername.company.com/repoC
我在 win10 上使用 git version 2.35.2.windows.1。
我的项目存储在我的 NAS 运行 Ubuntu 中。
我使用 samba 设置了一个 SMB 远程磁盘,并在 win10 上完成了所有必要的工作。
2.35更新后,我得到了
fatal: unsafe repository ('//192.168.1.120/sambashare/x' is owned by someone else) To add an exception for this directory, call:
git config --global --add safe.directory //192.168.1.120/sambashare/x
在我按照指示操作后,git 发出警告说:
warning: encountered old-style '//192.168.1.120/sambashare/x' that should be '%(prefix)//192.168.1.120/x'
我尝试稍微调整一下目录字符串(例如将其更改为 Z://x、Z://192.168.1.120/x 等),但无济于事。
我的 git 配置文件如下所示:
[safe] directory = //192.168.1.120/sambashare/x ,我不太确定如何解决这个问题。
目前,我正在通过 ssh 完成所有 git 工作。 提前感谢任何可能的解决方案。
对于以 /
git-for-windows/git path.c
尝试使用 UNC path \192.168.1.120\sambashare\x would result, as commente by the OP LNseyJt2X-24UJ4r7KTL,在:
fatal: bad config output.
Input it via
git configproduce something like\\192.168.1.120\sambasharein the config file, which is not recognized.
正确的形式,如michaelosthege's %(prefix)/(不仅仅是%(prefix)):
%(prefix)///192.168.1.120/x
或者降级Git为Windows(如果你真的不想看到这个警告),因为这个消息来自最近的commit 66a6bcf 对于 v2.35.2.windows.1:
mingw: deprecate old-style runtime-prefix handling ininterpolate_path()On Windows, an absolute POSIX path needs to be turned into a Windows one.
We used to interpret paths starting with a single
/as relative to the runtime-prefix, but now these need to be prefixed with%(prefix)/.
Let's warn for now, but still handle it.
或升级到2.5.3(见下文),opt-out和safe.directory=*
这一切都来自 With Git 2.35.2 (Q1 2022):
参见 commit 6e7ad1e (27 Nov 2021) by Carlo Marcelo Arenas Belón (carenas)。
参见 commit 53ef17d, commit 1f480d5, commit 4d0b43a, commit 93fbff0, commit 87ed4fc, commit 303b876, commit 9bcd7a8, commit 201b0c7, commit 44de39c, commit 6a2381a, commit cb95038, commit 2a9a586, commit 898225b (17 Mar 2022), commit fdcad5a (23 Mar 2022), and commit 8959555, commit bdc77d1 (02 Mar 2022) by Johannes Schindelin (dscho)。
(由 Junio C Hamano -- gitster -- in commit f1b50ec 合并,2022 年 4 月 11 日)
setup_git_directory(): add an owner check for the top-level directorySigned-off-by: Johannes Schindelin
It poses a security risk to search for a git directory outside of the directories owned by the current user.
For example, it is common e.g. in computer pools of educational institutes to have a "scratch" space: a mounted disk with plenty of space that is regularly swiped where any authenticated user can create a directory to do their work.
Merely navigating to such a space with a Git-enabledPS1when there is a maliciously-crafted/scratch/.git/can lead to a compromised account.The same holds true in multi-user setups running Windows, as
C:\is writable to every authenticated user by default.To plug this vulnerability, we stop Git from accepting top-level directories owned by someone other than the current user.
We avoid looking at the ownership of each and every directories between the current and the top-level one (if there are any between) to avoid introducing a performance bottleneck.This new default behavior is obviously incompatible with the concept of shared repositories, where we expect the top-level directory to be owned by only one of its legitimate users.
To re-enable that use case, we add support for adding exceptions from the new default behavior via the config settingsafe.directory.The
safe.directoryconfig setting is only respected in the system and global configs, not from repository configs or via the command-line, and can have multiple values to allow for multiple shared repositories.We are particularly careful to provide a helpful message to any user trying to use a shared repository.
config 现在包含在其 man page 中:
include::config/safe.txt[]
git config 现在包含在其 man page 中:
safe.directoryThese config entries specify Git-tracked directories that are considered safe even if they are owned by someone other than the current user. By default, Git will refuse to even parse a Git config of a repository owned by someone else, let alone run its hooks, and this config setting allows users to specify exceptions, e.g. for intentionally shared repositories (see the
--sharedoption ingit init).This is a multi-valued setting, i.e. you can add more than one directory via
git config --add. To reset the list of safe directories (e.g. to override any such directories specified in the system config), add asafe.directoryentry with an empty value.This config setting is only respected when specified in a system or global config, not when it is specified in a repository config or via the command line option
-c safe.directory=<path>.The value of this setting is interpolated, i.e.
~/<path>expands to a path relative to the home directory and%(prefix)/<path>expands to a path relative to Git's (runtime) prefix.
2.35.3 的变化(2022 年 4 月):
参见 commit d516b2d, commit 2f0dde7, commit 1f65dd6, commit 1530434, commit 09f66d6, commit 17083c7 (13 Apr 2022) by Junio C Hamano (gitster)。
参见 commit 0f85c4a, commit e47363e (13 Apr 2022) by Derrick Stolee (derrickstolee)。
参见 commit bb50ec3 (13 Apr 2022) by Matheus Valadares (Matheus28)。
(由 Junio C Hamano -- gitster -- in commit 1ac7422 合并,2022 年 4 月 13 日)
setup: opt-out of check withsafe.directory=*Signed-off-by: Derrick Stolee
With the addition of the safe.directory in 8959555 (
setup_git_directory(): add an owner check for the top-level directory, 2022-03-02, Git v2.36.0-rc2 -- merge)(setup_git_directory(): add an owner check for the top-level directory, 2022-03-02) released in v2.35.2, we are receiving feedback from a variety of users about the feature.Some users have a very large list of shared repositories and find it cumbersome to add this config for every one of them.
In a more difficult case, certain workflows involve running Git commands within containers.
The container boundary prevents any global or system config from communicatingsafe.directoryvalues from the host into the container.
Further, the container almost always runs as a different user than the owner of the directory in the host.To simplify the reactions necessary for these users, extend the definition of the safe.directory config value to include a possible '*' value.
This value implies that all directories are safe, providing a single setting to opt-out of this protection.Note that an empty assignment of safe.directory clears all previous values, and this is already the case with the "if (!value
||!*value)" condition.
git config 现在包含在其 man page 中:
To completely opt-out of this security check, set
safe.directoryto the string*. This will allow all repositories to be treated as if their directory was listed in thesafe.directorylist. Ifsafe.directory=*is set in system config and you want to re-enable this protection, then initialize your list with an empty value before listing the repositories that you deem safe.
随着 Git 2.37(2022 年第 3 季度),safe.directory 进一步明确。
参见 commit 756d159, commit 424f315, commit f625639 (27 Apr 2022) by SZEDER Gábor (szeder)。
(由 Junio C Hamano -- gitster -- in commit 1256a25 合并,2022 年 5 月 20 日)
safe.directory: document and check that it's ignored in the environmentSigned-off-by: SZEDER Gábor
The description of 'safe.directory' mentions that it's respected in the system and global configs, and ignored in the repository config and on the command line, but it doesn't mention whether it's respected or ignored when specified via environment variables (nor does the commit message adding 'safe.directory' from commit 8959555 (
setup_git_directory(): add an owner check for the top-level directory, 2022-03-02, Git v2.36.0-rc2 -- merge)).Clarify that 'safe.directory' is ignored when specified in the environment, and add tests to make sure that it remains so.
git config 现在包含在其 man page 中:
config, not when it is specified in a repository config, via the command line option
-c safe.directory=<path>, or in environment variables.
最近的更新默认拒绝访问其他人的存储库,“sudo make install”和“sudo git describe(man) 停止工作。
本系列打算在保持安全的同时放松它 Git 2.37 (Q3 2022).
参见 commit b9063af, commit ae9abbb, commit 5f1a3fe (12 May 2022) by Carlo Marcelo Arenas Belón (carenas)。
(由 Junio C Hamano -- gitster -- in commit 2088a0c 合并,2022 年 5 月 26 日)
git-compat-util: avoid failing dir ownership checks if running privilegedReported-by: Guy Maurel
Helped-by: SZEDER Gábor
Helped-by: Randall Becker
Helped-by: Phillip Wood
Suggested-by: Johannes Schindelin
Signed-off-by: Carlo Marcelo Arenas Belón
bdc77d1 ("Add a function to determine whether a path is owned by the current user", 2022-03-02, Git v2.36.0-rc2 -- merge) checks for the effective uid of the running process using
geteuid(), but didn't account for cases where that user was root (becausegitwas invoked throughsudoor a compatible tool) and the originaluidthat repository trusted for its config was no longer known, therefore failing the following otherwise safe call:guy@renard ~/Software/uncrustify $ sudo git describe --always --dirty [sudo] password for guy: fatal: unsafe repository ('/home/guy/Software/uncrustify' is owned by someone else)Attempt to detect those cases by using the environment variables that those tools create to keep track of the original user id, and do the ownership check using that instead.
This assumes the environment the user is running on after going privileged can't be tampered with, and also adds code to restrict that the new behavior only applies if running as
root, therefore keeping the most common case, which runs unprivileged, from changing, but because of that, it will miss cases wheresudo(or an equivalent) was used to change to another unprivileged user or where the equivalent tool used to raise privileges didn't track the original id in asudocompatible way.Because of compatibility with
sudo, the code assumes thatuid_tis an unsigned integer type (which is not required by the standard) but is used that way in their codebase to generateSUDO_UID.
In systems whereuid_tis signed,sudomight be also patched to NOT be unsigned and that might be able to trigger an edge case and a bug (as described in the code), but it is considered unlikely to happen and even if it does, the code would just mostly fail safely, so there was no attempt either to detect it or prevent it by the code, which is something that might change in the future, based on expected user feedback.
git config 现在包含在其 man page 中:
As explained, Git only allows you to access repositories owned by yourself, i.e. the user who is running Git, by default.
When Git is running as 'root' in a non Windows platform that providessudo, however,gitchecks theSUDO_UIDenvironment variable thatsudocreates and will allow access to theuidrecorded as its value instead. This is to make it easy to perform a common sequence during installation "make && sudo make install".
A git process running under 'sudo' runs as 'root' but the 'sudo' command exports the environment variable to record which id the original user has. If that is not what you would prefer and wantgitto only trust repositories that are owned byrootinstead, then you must remove theSUDO_UIDvariable fromroot's environment before invokinggit.
- 前缀必须包含尾部
/。字面意思是这样的:%(prefix)/. - 您是否必须使用主机名、IP 地址或 FQDN 取决于您安装网络共享的方式。
运行 net use 列出挂载共享的确切远程路径。
工作示例
如果网络共享挂载为 \123.123.123.123\repoA 运行
git config --global --add safe.directory %(prefix)///123.123.123.123/repoA
如果网络共享挂载为 \servername\repoB 运行
git config --global --add safe.directory %(prefix)///servername/repoB
如果网络共享挂载为 \servername.company.com\repoC 运行
git config --global --add safe.directory %(prefix)///servername.company.com/repoC
或者,您可以使用 git config --global --edit 将配置编辑为以下
[safe]
directory = %(prefix)///123.123.123.123/repoA
directory = %(prefix)///servername/repoB
directory = %(prefix)///servername.company.com/repoC