Git v2.35.2 safe.directory trouble #903

Open
buergi opened this issue Apr 18, 2022 · 5 comments

buergi commented Apr 18, 2022

The new git v2.35.2 introduces a fix for CVE-2022-24765 (see e.g. here) which causes it to refuse working in mixed user scenarios.
My web server runs as http user, while my git repos are owned by the user git.
Therefore, since the recent git upgrade, gitlist only shows the following warning for every repository.

Oops! fatal: unsafe repository ('/home/git/repositories/me/myrepo.git' is owned by someone else) To add an exception for this directory, call: git config --global --add safe.directory /home/git/repositories/me/myrepo.git

First I tried with the latest release of legacy gitlist, v1.1.1.

Then I tried the same with latest (251b8a8) nightly, i.e. gitlist 2.0, and I'm getting a similar error in the log.

request.CRITICAL: Uncaught PHP Exception Twig\Error\RuntimeError: "An exception has been thrown during the rendering of a template ("fatal: unsafe repository ('/home/git/repositories/me/myrepo.git' is owned by someone else) To add an exception for this directory, call:        git config --global --add safe.directory /home/git/repositories/me/myrepo.git ")." at /usr/share/webapps/gitlist/assets/themes/default/templates/Repository/list.html.twig line 15 {"exception":"[object] (Twig\\Error\\RuntimeError(code: 0): An exception has been thrown during the rendering of a template (\"fatal: unsafe repository ('/home/git/repositories/me/myrepo.git' is owned by someone else)\nTo add an exception for this directory, call:\n\n\tgit config --global --add safe.directory /home/git/repositories/me/myrepo.git\n\"). at /usr/share/webapps/gitlist/assets/themes/default/templates/Repository/list.html.twig:15)\n[previous exception] [object] (GitList\\SCM\\Exception\\CommandException(code: 0): fatal: unsafe repository ('/home/git/repositories/me/myrepo.git' is owned by someone else)\nTo add an exception for this directory, call:\n\n\tgit config --global --add safe.directory /home/git/repositories/me/myrepo.git\n at /usr/share/webapps/gitlist/src/SCM/System/Git/CommandLine.php:315)"} []

I'm not sure what exactly is the problem, as just browsing the repo as user http works, e.g.

sudo -u http -g http git --git-dir /home/git/repositories/me/myrepo.git ls-tree -r HEAD
sudo -u http -g http git --git-dir /home/git/repositories/me/myrepo.git cat-file -p 71f106

Unfortunately, the command mentioned in the error message does not resolve the problem, neither when executed as http nor as git:

sudo -u http -g http git config --global --add safe.directory /home/git/repositories/me/myrepo.git
sudo -u git -g git git config --global --add safe.directory /home/git/repositories/me/myrepo.git

A chown -R http:http /home/git/repositories fixes the issue of course, but it interferes with normal git access. So for the moment, the only work-around I found is

sudo bindfs -r --force-user=http --force-group=http /home/git/repositories /home/git/repositories-gitlist

Any ideas for a proper fix?


dmolony commented Apr 26, 2022

I found that

sudo git config --system --add safe.directory /home/git/repositories/me/myrepo.git

fixed the issue, but I'm not convinced that it's the best solution.


EvilBMP commented May 4, 2022

If you have many repositories, I think the best way is to run gitlist under the same user that is responsible for creating the git repositories. At least that's what I did after git introduced this security feature.

@klaussilveira
Owner

@dmolony that seems to be the best way to deal with this right now, if you are unable to run with the same user.


goss85 commented Oct 12, 2023

You can switch off this feature with
sudo git config --system --add safe.directory '*'
but it is not recommended, at least system-wide.

However, if the executed git command gets the HOME environment variable (which is not the case on my Debian, because /etc/apache2/envvars starts with unset HOME), it will use the .gitconfig file from there.
Unfortunately, a HOME set with SetEnv in Apache .conf files is not returned by getenv(), so this solution does not work.

My suggestion is to introduce a setting in config.yml which would be passed as HOME environment variable for git from php, or simply hardwire a "githome" folder which would be placed in the gitlist root.

This githome folder would contain a .gitconfig file:

[safe]
  directory = *
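
Added example, not part of goss85's comment or of gitlist: a script that builds such a "githome" folder but lists each bare repository explicitly instead of using `*`, so only repositories under one root are trusted. The function names, the `*.git` naming convention and the directory layout check are assumptions; pass an absolute repository root, and paths containing newlines are not supported.

```shell
#!/bin/sh
# Added example: build a dedicated HOME for the web user's git calls that
# trusts only the bare repositories found under one root (no '*' wildcard).

# is_bare_repo DIR: true if DIR has the layout of a bare repository.
is_bare_repo() {
    [ -f "$1/HEAD" ] && [ -d "$1/objects" ] && [ -d "$1/refs" ]
}

# write_githome REPO_ROOT GITHOME   (both names are hypothetical)
# Writes GITHOME/.gitconfig with one safe.directory entry per bare repo
# and prints the number of entries written.
write_githome() {
    repo_root=$1
    githome=$2
    count=0
    mkdir -p "$githome" || return 1
    tmp="$githome/.gitconfig.tmp.$$"
    printf '[safe]\n' > "$tmp" || return 1
    # -prune: do not descend into a repository once it has been found.
    # '.git' itself is skipped: that is a work tree's metadata directory.
    find "$repo_root" -type d -name '*.git' ! -name '.git' -prune -print |
        sort > "$tmp.list"
    while IFS= read -r dir; do
        is_bare_repo "$dir" || continue
        # Quote the value so '#', ';' or spaces in a path stay literal.
        esc=$(printf '%s' "$dir" | sed 's/\\/\\\\/g; s/"/\\"/g')
        printf '\tdirectory = "%s"\n' "$esc" >> "$tmp"
        count=$((count + 1))
    done < "$tmp.list"
    rm -f "$tmp.list"
    # Replace the old file in one step so git never reads a partial config.
    chmod 644 "$tmp" && mv "$tmp" "$githome/.gitconfig" || return 1
    echo "$count"
}
```

Git then picks the file up when it is started with HOME pointing at that folder, for example `HOME=/path/to/githome git --git-dir ... ls-tree -r HEAD`; rerun the script whenever repositories are added or removed.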

@xoneill007

@goss85 Thanks! Your system-wide syntax worked (git config --global --add safe.directory '*' did not). Another (not ideal) work-around was chowning all files to www:www for gitlist and my REPOs.
