phorge'
Open, NormalPublic
Actions

Assigned To

None

Authored By

	valerio.bozzolan
	Apr 27 2023, 08:01

Description

This is an umbrella task covering this problem and similar ones:

fatal: detected dubious ownership in repository at '/var/www/phorge'

In short:

Sometime it's difficult to detect these issues since they are just suppressed without error logs
- example: T15243
Sometime it's not easy to fix it since the .gitconfig configuration of the webserver user is often not usable
- example: T15281
The documentation does not mention anything about that

Proposed fix

At the moment, this is the proposed solution:

git config --system --add safe.directory /var/www/arcanist
git config --system --add safe.directory /var/www/phorge

Please shared a comment if that works for you.

In case, we should add that in the installation instructions.

Possible Proactive Things

D25236 Propose an update in the documentation to fix at system level
D25148 Propose a patch to discover git errors from the console, instead of having them nowhere
D25149 Propose a patch to allow the www-data user to read its own .gitconfig safe.directory stuff, so you can also fix without git config --system

Revisions and Commits

rP Phorge
	Abandoned		D25149 Config page: add $HOME to allow a gitconfig and help on "dubious ownership"
		D25236	rP8ffa6044626d Diviner: mention how to flag Arcanist and Phorge as "safe" git repos

Related Objects
Search...

Status	Assigned	Task
Open	None	T15090 CVE-2022-24765 - Multi-user Git Privilege Escalation
Open	None	T15282 Fix/avoid/simplify similar fatal: detected dubious ownership in repository at '/var/www/phorge'
Resolved	valerio.bozzolan	T15243 The /config/ page should log git errors instead of silently ignore them
Open	None	T15299 Config page runs git commands that should have an HOME to open gitconfig correctly
Open	None	T15281 $HOME missing from commands issued by ExecFuture
Resolved	valerio.bozzolan	T15298 Get the HOME of the user running the PHP webserver

Event Timeline

valerio.bozzolan created this task.Apr 27 2023, 08:01

valerio.bozzolan triaged this task as Normal priority.

valerio.bozzolan created this object in space S1 Public.

Herald added subscribers: Cigaryno, Matthew, chris and 2 others. · View Herald TranscriptApr 27 2023, 08:01

valerio.bozzolan added a subtask: T15243: The /config/ page should log git errors instead of silently ignore them.Apr 27 2023, 08:02

valerio.bozzolan added a subtask: T15281: $HOME missing from commands issued by ExecFuture.

valerio.bozzolan renamed this task from Config: understand how to avoid/simplify similar fatal: detected dubious ownership in repository at '/var/www/phorge' and similar to Fix/avoid/simplify similar fatal: detected dubious ownership in repository at '/var/www/phorge'.Apr 27 2023, 08:19

By the way it seems to me that this git security measure is completely nonsense for cases where the repository is highly-hardened and owned by root:root. I cannot imagine one single case where an user should not trust a git repository owned by root.

valerio.bozzolan mentioned this in D25148: Config page: add lovely git-related error messages in standard error log.Apr 29 2023, 22:34

valerio.bozzolan mentioned this in Q32: ExecFuture / Diffusion returns "fatal: detected dubious ownership in repository at ..." (Answer 41).Apr 29 2023, 22:58

valerio.bozzolan removed a subtask: T15281: $HOME missing from commands issued by ExecFuture.Apr 29 2023, 23:32

valerio.bozzolan added a revision: D25149: Config page: add $HOME to allow a gitconfig and help on "dubious ownership".Apr 29 2023, 23:44

valerio.bozzolan mentioned this in T15299: Config page runs git commands that should have an HOME to open gitconfig correctly.May 8 2023, 12:58

avivey removed a project: Phorge.May 9 2023, 10:42

valerio.bozzolan updated the task description. (Show Details)May 9 2023, 20:38

valerio.bozzolan updated the task description. (Show Details)May 12 2023, 10:35

valerio.bozzolan added a revision: D25236: Diviner: mention how to flag Arcanist and Phorge as "safe" git repos.May 23 2023, 09:35

valerio.bozzolan claimed this task.May 23 2023, 09:51

valerio.bozzolan updated the task description. (Show Details)

valerio.bozzolan added a project: User-valerio.bozzolan.

valerio.bozzolan moved this task from Backlog to PingDeath 🌚 on the User-valerio.bozzolan board.

valerio.bozzolan mentioned this in rP83edbffd521d: Config page: add lovely git-related error messages in standard error log.Jun 10 2023, 11:21

valerio.bozzolan closed subtask T15243: The /config/ page should log git errors instead of silently ignore them as Resolved.

avivey added a parent task: T15090: CVE-2022-24765 - Multi-user Git Privilege Escalation.Jun 12 2023, 07:41

jdelker subscribed.Jun 13 2023, 12:42

valerio.bozzolan added a commit: rP8ffa6044626d: Diviner: mention how to flag Arcanist and Phorge as "safe" git repos.Jun 28 2023, 21:14

valerio.bozzolan moved this task from PingDeath 🌚 to 🔥 Trap on the User-valerio.bozzolan board.Nov 14 2023, 13:55

I ended up running this

git config --system --add safe.directory *

everything else didn't work

Help welcome.

Fix/avoid/simplify similar fatal: detected dubious ownership in repository at '/var/www/phorge'Open, NormalPublicActions