projects / thirdparty / git.git / blame
| Commit | Line | Data |
|---|---|---|
| 8d1a7448 GC |
1 | safe.bareRepository:: |
| 2 | Specifies which bare repositories Git will work with. The currently | |
| 3 | supported values are: | |
| 4 | + | |
| 5 | * `all`: Git works with all bare repositories. This is the default. | |
| 6 | * `explicit`: Git only works with bare repositories specified via | |
| 7 | the top-level `--git-dir` command-line option, or the `GIT_DIR` | |
| 8 | environment variable (see linkgit:git[1]). | |
| 9 | + | |
| 10 | If you do not use bare repositories in your workflow, then it may be | |
| 11 | beneficial to set `safe.bareRepository` to `explicit` in your global | |
| 12 | config. This will protect you from attacks that involve cloning a | |
| 13 | repository that contains a bare repository and running a Git command | |
| 14 | within that directory. | |
| 15 | + | |
| 16 | This config setting is only respected in protected configuration (see | |
| cf6cac20 | 17 | <<SCOPES>>). This prevents untrusted repositories from tampering with |
| 8d1a7448 GC |
18 | this value. |
| 19 | ||
| 8959555c JS |
20 | safe.directory:: |
| 21 | These config entries specify Git-tracked directories that are | |
| 22 | considered safe even if they are owned by someone other than the | |
| 23 | current user. By default, Git will refuse to even parse a Git | |
| 24 | config of a repository owned by someone else, let alone run its | |
| 25 | hooks, and this config setting allows users to specify exceptions, | |
| 26 | e.g. for intentionally shared repositories (see the `--shared` | |
| 27 | option in linkgit:git-init[1]). | |
| 28 | + | |
| 29 | This is a multi-valued setting, i.e. you can add more than one directory | |
| 30 | via `git config --add`. To reset the list of safe directories (e.g. to | |
| 31 | override any such directories specified in the system config), add a | |
| 32 | `safe.directory` entry with an empty value. | |
| 33 | + | |
| 6061601d | 34 | This config setting is only respected in protected configuration (see |
| cf6cac20 | 35 | <<SCOPES>>). This prevents untrusted repositories from tampering with this |
| 6061601d | 36 | value. |
| 8959555c JS |
37 | + |
| 38 | The value of this setting is interpolated, i.e. `~/<path>` expands to a | |
| 39 | path relative to the home directory and `%(prefix)/<path>` expands to a | |
| 40 | path relative to Git's (runtime) prefix. | |
| 0f85c4a3 DS |
41 | + |
| 42 | To completely opt-out of this security check, set `safe.directory` to the | |
| 43 | string `*`. This will allow all repositories to be treated as if their | |
| 44 | directory was listed in the `safe.directory` list. If `safe.directory=*` | |
| 45 | is set in system config and you want to re-enable this protection, then | |
| 46 | initialize your list with an empty value before listing the repositories | |
| 47 | that you deem safe. | |
| ae9abbb6 CMAB |
48 | + |
| 49 | As explained, Git only allows you to access repositories owned by | |
| 50 | yourself, i.e. the user who is running Git, by default. When Git | |
| 51 | is running as 'root' in a non Windows platform that provides sudo, | |
| 6b11e3d5 CMAB |
52 | however, git checks the SUDO_UID environment variable that sudo creates |
| 53 | and will allow access to the uid recorded as its value in addition to | |
| 54 | the id from 'root'. | |
| ae9abbb6 CMAB |
55 | This is to make it easy to perform a common sequence during installation |
| 56 | "make && sudo make install". A git process running under 'sudo' runs as | |
| 57 | 'root' but the 'sudo' command exports the environment variable to record | |
| 58 | which id the original user has. | |
| 59 | If that is not what you would prefer and want git to only trust | |
| 6b11e3d5 | 60 | repositories that are owned by root instead, then you can remove |
| ae9abbb6 | 61 | the `SUDO_UID` variable from root's environment before invoking git. |