| Message ID | 20240723021900.388020-4-gitster@pobox.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | safe.directory clean-up | expand |
Hi Junio On 23/07/2024 03:19, Junio C Hamano wrote: > When "git daemon" enters a repository, it chdir's to the requested > repository and then uses "." (the curent directory) to consult the > "is this repository considered safe?" when it is not owned by the > same owner as the process. > > Make sure this access will be allowed by setting safe.directory to > ".". Setting safe.directory to "." should be unnecessary after the previous two patches. It might be better to test that "git daemon" works without safe.directory containing "." instead. Best Wishes Phillip > Signed-off-by: Junio C Hamano <gitster@pobox.com> > --- > t/t0033-safe-directory.sh | 32 ++++++++++++++++++++++++++++++++ > 1 file changed, 32 insertions(+) > > diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh > index ea74657255..1eeb794194 100755 > --- a/t/t0033-safe-directory.sh > +++ b/t/t0033-safe-directory.sh > @@ -233,4 +233,36 @@ test_expect_success SYMLINKS 'configured leading paths are normalized' ' > git -C repo/s/.git/ for-each-ref > ' > > +test_expect_success 'safe.directory set to a dot' ' > + test_when_finished "rm -rf repository" && > + ( > + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && > + git config --global --unset-all safe.directory > + ) && > + mkdir -p repository/subdir && > + git init repository && > + ( > + cd repository && > + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && > + test_commit sample > + ) && > + > + ( > + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && > + git config --global safe.directory "." > + ) && > + git -C repository for-each-ref && > + git -C repository/ for-each-ref && > + git -C repository/.git for-each-ref && > + git -C repository/.git/ for-each-ref && > + > + # what is allowed is repository/subdir but the repository > + # path is repository. > + test_must_fail git -C repository/subdir for-each-ref && > + > + # likewise, repository .git/refs is allowed with "." but > + # repository/.git that is accessed is not allowed. > + test_must_fail git -C repository/.git/refs for-each-ref > +' > + > test_done
Phillip Wood <phillip.wood123@gmail.com> writes: > Hi Junio > > On 23/07/2024 03:19, Junio C Hamano wrote: >> When "git daemon" enters a repository, it chdir's to the requested >> repository and then uses "." (the curent directory) to consult the >> "is this repository considered safe?" when it is not owned by the >> same owner as the process. >> Make sure this access will be allowed by setting safe.directory to >> ".". > > Setting safe.directory to "." should be unnecessary after the previous > two patches. It might be better to test that "git daemon" works > without safe.directory containing "." instead. Hmph. Even without the two previous steps, it was a working workaround, wasn't it?
diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh index ea74657255..1eeb794194 100755 --- a/t/t0033-safe-directory.sh +++ b/t/t0033-safe-directory.sh @@ -233,4 +233,36 @@ test_expect_success SYMLINKS 'configured leading paths are normalized' ' git -C repo/s/.git/ for-each-ref ' +test_expect_success 'safe.directory set to a dot' ' + test_when_finished "rm -rf repository" && + ( + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + git config --global --unset-all safe.directory + ) && + mkdir -p repository/subdir && + git init repository && + ( + cd repository && + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + test_commit sample + ) && + + ( + sane_unset GIT_TEST_ASSUME_DIFFERENT_OWNER && + git config --global safe.directory "." + ) && + git -C repository for-each-ref && + git -C repository/ for-each-ref && + git -C repository/.git for-each-ref && + git -C repository/.git/ for-each-ref && + + # what is allowed is repository/subdir but the repository + # path is repository. + test_must_fail git -C repository/subdir for-each-ref && + + # likewise, repository .git/refs is allowed with "." but + # repository/.git that is accessed is not allowed. + test_must_fail git -C repository/.git/refs for-each-ref +' + test_done
When "git daemon" enters a repository, it chdir's to the requested repository and then uses "." (the curent directory) to consult the "is this repository considered safe?" when it is not owned by the same owner as the process. Make sure this access will be allowed by setting safe.directory to ".". Signed-off-by: Junio C Hamano <gitster@pobox.com> --- t/t0033-safe-directory.sh | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+)