Re: Git clone reads safe.directory differently?
From: Jeff King <hidden>
Date: 2024-08-01 06:08:15
On Wed, Jul 31, 2024 at 09:23:49AM -0700, Junio C Hamano wrote:
> > And then upload-pack could be free to drop the ownership check. Certainly a lot of people have complained about it (I had actually thought we reverted it in v2.45.2, but that was just the extra hooks defense-in-depth; so again, I may be getting confused about the extra value of the enter_repo() ownership check that came at the same time).
>
> As enter_repo() is about the protocol driver thing and not about normal users working inside a repository, calls to it appear only in receive-pack, upload-pack, upload-archive, http-backend, and daemon. Among them, upload-pack is the only thing we promise that is safe to work even in a hostile repository? If we push into a repository over the local transport, we would trigger post-receive hook as ourselves, which we would probably not want. The same story goes for daemon, http-backend, and upload-archive.
Yes, upload-pack is the only safe one.
> So we probably need to add another axis to the "strict" parameter enter_repo() takes to selectively disable the ownership checks only for upload-pack, or something like that.
Agreed.
> We may want to restrict "tar.<format>.command" only to protected configuration and then we may be able to loosen the ownership check for the upload-archive command.
Yes, though I don't know how valuable that is in practice (versus the regression for folks who have a custom tar.*.command in their local-repo config).

-Peff
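As an added illustration of the point discussed above (this is not code from the thread or from git itself): the tar.<format>.command values that `git archive` and upload-archive run are read from the repository's own config, so serving a repository you do not own means executing whatever its owner configured, as the invoking user. The small checker below parses a repo-local config and lists every such command before the repository is served. The sample config is constructed for the example, and the parser is a deliberate subset of git's format (section headers, key = value lines, `#`/`;` comments; no include directives or multi-line values).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a repo-local .git/config; not taken from any real repository.
SAMPLE_REPO_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://example.invalid/repo.git
[tar "tgz"]
\tcommand = gzip -cn        # the stock tgz filter
[Tar "tar.xz"]
\tcommand = /tmp/some-script  ; constructed value: a filter the repo owner chose
"""

# [section] or [section "subsection"]; subsection text is kept raw (escapes untouched).
_SECTION_RE = re.compile(r'^\[([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]')
# key, optionally followed by = value (a bare key is a boolean true in git).
_KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def _strip_comment(value: str) -> str:
    """Drop an unquoted trailing '#' or ';' comment and surrounding whitespace."""
    out, quoted, i = [], False, 0
    while i < len(value):
        ch = value[i]
        if ch == '\\' and i + 1 < len(value):   # keep escaped characters as-is
            out.append(value[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch in '#;' and not quoted:
            break
        out.append(ch)
        i += 1
    return ''.join(out).strip()


def parse_git_config(text: str) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Minimal parser returning {(section, subsection): {key: value}}.
    Section and key names are case-insensitive in git; subsection names are not."""
    result: Dict[Tuple[str, str], Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2) or '')
            result.setdefault(current, {})
            continue
        m = _KEY_RE.match(line)
        if m and current is not None:
            result[current][m.group(1).lower()] = _strip_comment(m.group(2) or '')
    return result


def find_tar_commands(config_text: str) -> List[Tuple[str, str]]:
    """Return (format, command) for every tar.<format>.command set in the config text."""
    parsed = parse_git_config(config_text)
    return [(sub, vals['command'])
            for (sec, sub), vals in parsed.items()
            if sec == 'tar' and sub and 'command' in vals]


def report(config_text: str) -> None:
    """Print what `git archive` against this repo would execute as the invoking user."""
    commands = find_tar_commands(config_text)
    if not commands:
        print("no tar.<format>.command entries in repo-local config")
    for fmt, cmd in commands:
        print(f"format {fmt!r} would run: {cmd}")


if __name__ == '__main__':
    report(SAMPLE_REPO_CONFIG)
```

In practice you would feed this the `.git/config` (or the bare repository's `config`) of a directory owned by another user; anything it lists is a command that user controls and that upload-archive would run under your uid, which is exactly why the thread discusses moving tar.<format>.command into protected configuration before relaxing the ownership check for upload-archive.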