mirror of https://github.com/sipwise/ngcpcfg.git
With git v2.37.2-1, as present in current Debian/unstable, our unit
tests might fail - as seen with our GitHub actions:

| err = ('fatal: detected dubious ownership in repository at '
| "'/tmp/pytest-of-root/pytest-24/test_build_instance_customtt0/ngcpctl-pytest-base/ngcp-config'\n"
| 'To add an exception for this directory, call:\n'
| '\n'
| '\tgit config --global --add safe.directory '

With its underlying working directory looking like:

| root@b5a6b272fb90:/code# ls -la /tmp/pytest-of-root/pytest-24/test_build_instance_customtt0/ngcpctl-pytest-base/ngcp-config
| total 148
| drwxr-xr-x 5 root root 4096 Aug 15 09:12 .
| drwxr-xr-x 3 root root 4096 Aug 15 09:12 ..
| drwxr-xr-x 8 1000 1000 4096 May 18 2021 .git
| -rw-r--r-- 1 1000 1000 305 Jun 11 2020 .gitignore
| -rw-r----- 1 1000 1000 47437 Jun 15 2020 config.yml
| [...]

FTR, this can also be reproduced with our docker setup, when running as
user root, while the underlying ngcpcfg repository is owned by a normal
user:

| root@b5a6b272fb90:/code# ls -la
| total 92
| drwxr-xr-x 16 1000 1000 4096 Aug 15 08:41 .
| drwxr-xr-x 1 root root 4096 Aug 15 08:36 ..
| drwxr-xr-x 8 1000 1000 4096 Aug 15 09:22 .git
| drwxr-xr-x 4 1000 1000 4096 Jun 23 15:37 .github
| -rw-r--r-- 1 1000 1000 125 Jun 23 15:37 .gitignore
| -rw-r--r-- 1 1000 1000 64 Jul 16 2019 .gitreview
| -rw-r--r-- 1 1000 1000 169 Aug 15 08:41 .mailmap
| [...]

Quoting from git's Documentation/RelNotes/2.36.0.txt:

| * With the fixes for CVE-2022-24765 that are common with versions of
|   Git 2.30.4, 2.31.3, 2.32.2, 2.33.3, 2.34.3, and 2.35.3, Git has
|   been taught not to recognise repositories owned by other users, in
|   order to avoid getting affected by their config files and hooks.
|   You can list the path to the safe/trusted repositories that may be
|   owned by others on a multi-valued configuration variable
|   `safe.directory` to override this behaviour, or use '*' to declare
|   that you trust anything.

Whereas the following git upstream change checks if a repository is
safe, by verifying the ownership of the worktree (if any), the git
directory, and the gitfile (if any):

| commit 3b0bf2704980b1ed6018622bdf5377ec22289688
| Author: Carlo Marcelo Arenas Belón <carenas@gmail.com>
| Date: Tue May 10 12:35:29 2022 -0700
|
| setup: tighten ownership checks post CVE-2022-24765

This change made it into git v2.30.5, v2.31.4, v2.32.3, v2.33.4,
v2.34.4, v2.35.4, v2.36.2, v2.37.1 + v2.37.2, and we got v2.37.2-1 in
Debian/unstable as of 2022-08-12 (see
https://packages.qa.debian.org/g/git/news/20220813T030422Z.html).

This affects us with our mixture of root vs user permissions of the
working directory vs the git directory, so let's make sure the .git
directory has the according permission as well.

Change-Id: I695fbd5a3b7fb79acc2873f75b8de410c8e3a0aa
mr11.0
parent a35013facc
commit 6adf52aa96
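The ownership comparison described in the commit message (worktree, git directory, gitfile), approximated as a pre-flight check for test fixtures or container setups. This is an added example, not code from ngcpcfg or git; the function names are hypothetical, and it does not consult any `safe.directory` exceptions.

```shell
#!/bin/sh
# Added example: report which paths of a checkout have an owner that differs
# from the user git will run as. Names are hypothetical, not git's own.

# Print the numeric owner uid of a path. "ls -n" is POSIX, which avoids the
# GNU vs. BSD differences of stat(1).
owner_uid() {
    ls -ldn -- "$1" | awk '{ print $3 }'
}

# dubious_paths WORKTREE [UID]
# Prints every checked path whose owner is not UID (default: current uid).
# Returns 0 if all owners match, 1 if any differ, 2 if WORKTREE has no .git.
dubious_paths() {
    worktree=$1
    want=${2:-$(id -u)}
    dotgit=$worktree/.git
    [ -e "$dotgit" ] || return 2

    # Start the list of paths to check with the worktree itself.
    set -- "$worktree"
    if [ -f "$dotgit" ]; then
        # .git is a gitfile ("gitdir: <path>"): check it and its target.
        gitdir=$(sed -n 's/^gitdir: //p' "$dotgit")
        case $gitdir in
            /*) ;;
            *) gitdir=$worktree/$gitdir ;;
        esac
        set -- "$@" "$dotgit" "$gitdir"
    else
        set -- "$@" "$dotgit"
    fi

    rc=0
    for p in "$@"; do
        uid=$(owner_uid "$p")
        if [ "$uid" != "$want" ]; then
            printf '%s (uid %s, expected %s)\n' "$p" "$uid" "$want"
            rc=1
        fi
    done
    return $rc
}
```

Run against the first listing in the commit message as root, this would report the `.git` directory (uid 1000) while the root-owned worktree passes.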