Thread (4 messages) 4 messages, 2 authors, 2025-03-31

Re: How to get git-daemon to work in a post-CVE world?

From: MegaBrutal <hidden>
Date: 2025-03-31 20:16:57

Konstantin Ryabitsev [off-list ref] ezt írta
(időpont: 2025. márc. 31., H, 16:53):
On Sun, Mar 30, 2025 at 10:30:00AM +0200, MegaBrutal wrote:
quoted
Hi Everyone,

I'm new to the list, just thought it's the best place to talk about
Git. I'm running a public read-only git server with git-daemon. I've
recently noticed that my repos can't be cloned and found that
particular CVE which made git to verify the owners of the git repos.

fatal: detected dubious ownership in repository at '/srv/git/mgsautils.git'

The feasible solution is to declare the directory safe in .gitconfig.
You can set global values in /etc/gitconfig, e.g.:

    [safe]
      directory = /srv/git/*
Thanks! While it is much more convenient to set it in one global
/etc/gitconfig than individual home directories, I encountered the
following problems:

1. It doesn't do anything with the other error I get, when the
problematic directory is '.'. I still keep getting that error message.
2. Git daemon doesn't seem to resolve the '*' wildcard, i.e. with the
wildcard I get the original message back which complains about
'/srv/git/mgsautils.git', despite it should be covered by
'/srv/git/*'. When I supply the full path, however, the error message
is still about '.'.

I even performed a whole Ubuntu release upgrade to get a new version
of Git, but 2.43.0 acts the same. Seems like git-daemon is more
stricts than plain git – what might be the problem?
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help