setup.c: create safe.bareRepository
There is a known social engineering attack that takes advantage of the fact that a working tree can include an entire bare repository, including a config file. A user could run a Git command inside the bare repository thinking that the config file of the 'outer' repository would be used, but in reality, the bare repository's config file (which is attacker-controlled) is used, which may result in arbitrary code execution. See [1] for a fuller description and deeper discussion. A simple mitigation is to forbid bare repositories unless specified via `--git-dir` or `GIT_DIR`. In environments that don't use bare repositories, this would be minimally disruptive. Create a config variable, `safe.bareRepository`, that tells Git whether or not to die() when working with a bare repository. This config is an enum of: - "all": allow all bare repositories (this is the default) - "explicit": only allow bare repositories specified via --git-dir or GIT_DIR. If we want to protect users from such attacks by default, neither value will suffice - "all" provides no protection, but "explicit" is impractical for bare repository users. A more usable default would be to allow only non-embedded bare repositories ([2] contains one such proposal), but detecting if a repository is embedded is potentially non-trivial, so this work is not implemented in this series. [1]: https://lore.kernel.org/git/kl6lsfqpygsj.fsf@chooglen-macbookpro.roam.corp.google.com [2]: https://lore.kernel.org/git/5b969c5e-e802-c447-ad25-6acc0b784582@github.com Signed-off-by: Glen Choo <chooglen@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Glen Choo
committed by
Junio C Hamano
Junio C Hamano
parent
6061601d9f
commit
8d1a744820
@ -1,3 +1,22 @@
|
||||
safe.bareRepository::
|
||||
Specifies which bare repositories Git will work with. The currently
|
||||
supported values are:
|
||||
+
|
||||
* `all`: Git works with all bare repositories. This is the default.
|
||||
* `explicit`: Git only works with bare repositories specified via
|
||||
the top-level `--git-dir` command-line option, or the `GIT_DIR`
|
||||
environment variable (see linkgit:git[1]).
|
||||
+
|
||||
If you do not use bare repositories in your workflow, then it may be
|
||||
beneficial to set `safe.bareRepository` to `explicit` in your global
|
||||
config. This will protect you from attacks that involve cloning a
|
||||
repository that contains a bare repository and running a Git command
|
||||
within that directory.
|
||||
+
|
||||
This config setting is only respected in protected configuration (see
|
||||
<<SCOPES>>). This prevents the untrusted repository from tampering with
|
||||
this value.
|
||||
|
||||
safe.directory::
|
||||
These config entries specify Git-tracked directories that are
|
||||
considered safe even if they are owned by someone other than the
|
||||
|
||||
Reference in New Issue
Block a user