* How to disable safe directories?
@ 2024-05-21 8:39 Jeffrey Walton
2024-05-21 10:42 ` Harald Dunkel
0 siblings, 1 reply; 6+ messages in thread
From: Jeffrey Walton @ 2024-05-21 8:39 UTC (permalink / raw)
To: Git List
Hi Everyone,
I've got a big DoS on my hands since safe directories landed on
Fedora. I think this commit is the one responsible, but I may be
mistaken: <https://github.com/git/git/commit/8959555cee7e>.
At this point I've wasted enough time on them. Now I would like to
disable them completely.
How do I disable the safe directory changes?
Thanks in advance,
Jeff
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: How to disable safe directories?
2024-05-21 8:39 How to disable safe directories? Jeffrey Walton
@ 2024-05-21 10:42 ` Harald Dunkel
2024-05-21 10:45 ` Jeffrey Walton
0 siblings, 1 reply; 6+ messages in thread
From: Harald Dunkel @ 2024-05-21 10:42 UTC (permalink / raw)
To: noloader, Git List
On 2024-05-21 10:39:32, Jeffrey Walton wrote:
> Hi Everyone,
>
> I've got a big DoS on my hands since safe directories landed on
> Fedora. I think this commit is the one responsible, but I may be
> mistaken: <https://github.com/git/git/commit/8959555cee7e>.
>
> At this point I've wasted enough time on them. Now I would like to
> disable them completely.
>
> How do I disable the safe directory changes?
>
That is actually pretty easy: Kick out the commit. I would suggest
to turn the die() into a warning(), though, giving people time to
adopt this restriction.
Regards
Harri
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: How to disable safe directories?
2024-05-21 10:42 ` Harald Dunkel
@ 2024-05-21 10:45 ` Jeffrey Walton
2024-05-21 14:25 ` Harald Dunkel
0 siblings, 1 reply; 6+ messages in thread
From: Jeffrey Walton @ 2024-05-21 10:45 UTC (permalink / raw)
To: Harald Dunkel; +Cc: Git List
On Tue, May 21, 2024 at 6:42 AM Harald Dunkel <harald.dunkel@aixigo•com> wrote:
>
> On 2024-05-21 10:39:32, Jeffrey Walton wrote:
> > Hi Everyone,
> >
> > I've got a big DoS on my hands since safe directories landed on
> > Fedora. I think this commit is the one responsible, but I may be
> > mistaken: <https://github.com/git/git/commit/8959555cee7e>.
> >
> > At this point I've wasted enough time on them. Now I would like to
> > disable them completely.
> >
> > How do I disable the safe directory changes?
> >
>
> That is actually pretty easy: Kick out the commit. I would suggest
> to turn the die() into a warning(), though, giving people time to
> adopt this restriction.
Thanks Harri.
Would that be something like safe_directories.enabled = false? If not,
can you point to a setting?
Jeff
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: How to disable safe directories?
2024-05-21 10:45 ` Jeffrey Walton
@ 2024-05-21 14:25 ` Harald Dunkel
2024-05-21 14:40 ` Jeffrey Walton
2024-05-21 14:49 ` Harald Dunkel
0 siblings, 2 replies; 6+ messages in thread
From: Harald Dunkel @ 2024-05-21 14:25 UTC (permalink / raw)
To: noloader; +Cc: Git List
On 2024-05-21 12:45:18, Jeffrey Walton wrote:
>
> Thanks Harri.
>
> Would that be something like safe_directories.enabled = false? If not,
> can you point to a setting?
>
It is possible to disable this feature globally using something
like
git config --system --add safe.directory /somepath/.git
Some say even
git config --system --add safe.directory '*'
works, but I haven't tried that.
Regards
Harri
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: How to disable safe directories?
2024-05-21 14:25 ` Harald Dunkel
@ 2024-05-21 14:40 ` Jeffrey Walton
2024-05-21 14:49 ` Harald Dunkel
1 sibling, 0 replies; 6+ messages in thread
From: Jeffrey Walton @ 2024-05-21 14:40 UTC (permalink / raw)
To: Harald Dunkel; +Cc: Git List
On Tue, May 21, 2024 at 10:25 AM Harald Dunkel <harald.dunkel@aixigo•com> wrote:
>
> On 2024-05-21 12:45:18, Jeffrey Walton wrote:
> >
> > Thanks Harri.
> >
> > Would that be something like safe_directories.enabled = false? If not,
> > can you point to a setting?
> >
>
> It is possible to disable this feature globally using something
> like
>
> git config --system --add safe.directory /somepath/.git
>
> Some say even
>
> git config --system --add safe.directory '*'
>
> works, but I haven't tried that.
Thanks Harri.
Yeah, that did not work for me, either.
I've been through directory permissions on the workstations and
servers, and the SELinux contexts on the server. I cannot find
anything wrong with them. Do you know how to have git tell us what the
actual problem is? `git -v pull` is not providing more information,
like what the actual problem is (it just barfs).
Thanks again.
Jeff
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: How to disable safe directories?
2024-05-21 14:25 ` Harald Dunkel
2024-05-21 14:40 ` Jeffrey Walton
@ 2024-05-21 14:49 ` Harald Dunkel
1 sibling, 0 replies; 6+ messages in thread
From: Harald Dunkel @ 2024-05-21 14:49 UTC (permalink / raw)
To: noloader; +Cc: Git List
On 2024-05-21 16:25:17, Harald Dunkel wrote:
>
> It is possible to disable this feature globally using something
> like
>
> git config --system --add safe.directory /somepath/.git
>
PS: Its obvious that each peer running git can verify only local
directories for dubious access bits. Working with shared remote
repositories you have to consider setting the safe.directory option
on the remote server.
Since CVE-2024-32004 assumes an attacker running its own repository,
I just wonder why he should use the most recent, fixed git version?
Regards
Harri
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-05-21 14:49 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-05-21 8:39 How to disable safe directories? Jeffrey Walton
2024-05-21 10:42 ` Harald Dunkel
2024-05-21 10:45 ` Jeffrey Walton
2024-05-21 14:25 ` Harald Dunkel
2024-05-21 14:40 ` Jeffrey Walton
2024-05-21 14:49 ` Harald Dunkel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox