After updating git to
v2.35.2.windows.1 I’m getting the following error:
fatal: unsafe repository (‘F:/GitHub/my-project’ is owned by someone else)
To add an exception for this directory, call:
git config –global –add safe.directory F:/GitHub/my-project
I’ve tried adding the parent directory of my projects to .gitconfig but it doesn’t work.
directory = F:/GitHub/
directory = F:/Private/
- Is there a workaround for this?
- What does it actually mean by “‘x’ is owned by someone else”?
I don’t want to add every single project I’m working on to the .gitconfig file.
As far as .gitconfig is concerned user.name and user.email are the same.
This seems to be related to this announcement of a vulnerability: https://github.blog/2022-04-12-git-security-vulnerability-announced/
I think it has less to do with your email, and more with the owner of the directories on your filesystem. Is the user you’re currently logged in with also the owner of the folder? How about the parent folder? Also, are you invoking git from within the repository directory? The update is only a few hours old, so I guess things are still in flux.
For now, as the message from git suggests, execute
git config --global --add safe.directory F:/GitHub/my-project
and make sure you are calling
git from within
F:/GitHub/my-project for now.
EDIT: As we found out in the comments below, the owner of the parent of the directory containing the
.git folder (the git repository) is the issue.
Cloning the project anew is a platform-independent way to make sure you are the owner.
I ran into the same problem using flutter on Linux, which on my distro was installed in
/opt/flutter. I am not working as root, thus I run into the same problem. Running
git config --global --add safe.directory /opt/flutter did indeed fix the problem for me.
Longer edit: Clarification
Going through the post about the vulnerability again after a good night’s sleep, I think a bit of clarification is in order. I’ll leave the rest of the answer as is.
Let’s look at the following simple directory structure.
/home/ ├─ tommy/ │ ├─ .git/ │ ├─ rental_space/ │ │ ├─ mary/ │ │ │ ├─ projects/ │ │ │ │ ├─ phone_app/ │ │ │ │ │ ├─ .git/ │ │ ├─ anthony/
In this case, the user
tommy owns his own directory under
/home, but (for some reason) rents out space to other users, in this case
mary, by mistake, were to execute
git in her directory, but outside of her
phone_app project, then old
git would go up the directory tree to search a
.git repository. The first it finds is the one from
/home/tommy/.git. This is a security risk, because another user, in this case, anyone that can act as
tommy, can affect
mary‘s execution of git and possibly cause trouble.
From Git v2.35.2 and onward, the traversal will stop as soon as the directory entered belongs to a user other than
/home/tommy/rental_space/mary/projects, then git will check in
projects, but find no
.git. It will go up one directory, check-in
mary, but again find no
.git. Then it will again go up, but
rental_space belongs to
mary. The new git version will stop here and print the message we saw in the question.
Adding the directory
/home/tommy/rental_space to the
safe.directory a variable would allow git to proceed but is, as explained, a security risk.
I used a Linux-like directory directory structure here, but the same is true on Windows.