Upgrading git: push fails due to changed security policy: safe.directory

Bonjour,

April 12, 2022 version git v2.35.2 was released and addresses a security issue CVE-2022-24765. It was backported to 2.30.3, v2.31.2, v2.32.1, v2.33.2, and v2.34.2 and published by distributions such as Debian GNU/Linux, Alpine.

If Gitea runs as user foo, calls a patched Git version and a parent directory of the git repositories is owned by a user other than foo, it will fail with a message such as:

Failed to open repository: Git/Data Error: exit status 128 - fatal: unsafe repository ('/data/git/repositories/git/data.git' is owned by someone else)

This started to show in the past two weeks to users running the Gitea binary on Windows who also independently installed git v2.36. And then to people running Gitea from snap, on a Synology NAS and then people running from Gitea docker images which is based on Alpine.

Fixing the problem

Since the root cause of the problem does not come from Gitea, it requires manual intervention to:

  • Change the ownership of all repository directories to belong to the same user as Gitea
  • Ensure Gitea does not run as root

Below are specific instructions depending on how Gitea was installed.

Gitea was installed from docker images greater or equal to 1.16.6

If you installed Gitea using Docker Basic or manually via the Docker CLI, you can modify the permissions of all files with:

docker exec gitea chown -R 1000 /data/git/repositories

Gitea docker images greater or equal to 1.16.6 contain git version greater or equal to 2.30.3 which include the security patch. Previous docker images for Gitea have a lower version of git (for instance 1.16.5 has 2.30.2) and are not impacted.

Workarounds

If it is not possible for some reasons, there are workarounds. Be advised that applying these workarounds exposes the host to security risks as described in CVE-2022-24765:

  • If using Gitea docker images:
    • do not upgrade to 1.16.6 or above
    • downgrade from 1.16.6 or 1.16.7 to 1.16.5 (do not downgrade from 1.17.x, it may corrupt your the Gitea database)
  • If the Gitea binary was installed independently of git, upgrade git to a version that is greater or equal to 2.36 and disable the security check entirely with:
    • git config --system --replace-all safe.directory '*'

Cheers

3 Likes

Here are instructions to change the permissions on Windows:

properties → security → advance → change owner
And ticking the [x] replace all child object permission entries with inheritable permission entries from this object

Note that safe.directory is not documented to support * in git 2.35.2 which is confirmed by at least one user but only in git 2.36+.

1 Like

I think there is a simpler way to deal with this problem, here is the rationale:


It is safe to disable the security check in Gitea. It is not vulnerable to CVE-2022-24765 because it calls the git CLI after changing its working directory to be the git repository targeted by the command (for instance diff). Therefore it will not explore the parent directories looking for a git configuration file.

The security check is triggered because the repository is owned by an unexpected user (root instead of git typically) and not because a parent directory is owned by an unexpected user. This, in itself, is a problem worth investigating but it is unrelated and was revealed by the newer security check of git even though it does not match the threat described in CVE-2022-24765.

It appears non trivial to enforce a consistent ownership of files and directories, either within docker or outside docker when network file systems are involved. The Gitea server was not troubled by this inconsistency so far because the permissions allow it to write and read where expected, regardless of the owner. Again, that does not mean it is not worth looking into, just that the problem is ancient and unrelated.

Gitea runs under a dedicated user, either when installed from binary or from docker and modifies the global git configuration depending on the git version at initialization time. Fixing the problem can therefore be done by disabling the security check in the global git config file at initialization time. It also requires a minimum version of git 2.36 to be installed in the Gitea docker image.


Does that sound sensible?

This blog post explains how to workaround the problem. It also links to the pending bug fixes addressing the problem in Gitea.

For the record, here is another instance of the problem on 1.16.8. It does not give more information but it would be worth asking the person more details about their setup. They may be willing to investigate and make a reproducer.

2022/06/23 11:18:07 ...ules/context/repo.go:592:RepoAssignment() [E] RepoAssignment Invalid repo C:\Gitea\data\gitea-repositories\skymaper\tmcplugin.git: exit status 128 - fatal: unsafe repository ('C:/Gitea/data/gitea-repositories/skymaper/tmcplugin.git' is owned by someone else)
To add an exception for this directory, call:

git config --global --add safe.directory C:/Gitea/data/gitea-repositories/skymaper/tmcplugin.git

2022/06/23 11:18:07 ...s/context/context.go:204:HTML() [D] Template: status/500