fatal: unsafe repository ('/home/repon' is owned by someone else)

I found an error log from apache2 that is fatal: unsafe repository ('/home/repon' is owned by someone else). It is because I have 'git rev-parse --symbolic-full-name --abbrev-ref HEAD' in PHP code, and it looks like a new git safety change (https://github.blog/2022-04-12-git-security-vulnerability-announced/) no longer allows www-data to run this git command. git config --global --add safe.directory /home/repon does not work. Does anyone have a workaround to solve this issue?

git version: 2.35.3
php version: 7.4
apache2 version: 2.4.41

Answer

This started appearing with the release of the git 2.35.2 security update, which fixes vulnerabilities described here. Credits: @Juan-Kabbali

Here are 4 possible solutions:

  • trust git directory (do it if you know the directory contents are safe)
git config --global --add safe.directory /home/repon

This adds the safe group to ~/.gitconfig, as shown in this example:

[safe]
    directory = /home/repon
  • run the command as the correct user, for example:
sudo -u ubuntu -- git status

Note: This requires user www-data to have permission to execute the git command as user ubuntu (assuming ubuntu is the repository owner). For this to work, you will need to add a new file inside /etc/sudoers.d/ with the following contents:

www-data ALL=(ubuntu) NOPASSWD: /usr/bin/git

This may have security implications so refer to your security guy first.

  • change git repository owner to www-data
sudo chown -R www-data:www-data /home/repon
  • downgrade git as a temporary solution. For example in Ubuntu:
apt install git-man=1:2.17.0-1ubuntu1 git=1:2.17.0-1ubuntu1

Note: At least on Windows, it appears that all git repositories on ejectable drives are considered unsafe and changing ownership does not seem to work.
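The question reports that `git config --global --add safe.directory` had no effect. One thing to check is which account's global config received the entry, since `--global` writes to the `~/.gitconfig` of whoever runs the command. The sketch below is an added example, not part of the original answer: the helper names are hypothetical and temporary directories stand in for the login user's and www-data's home directories.

```sh
#!/bin/sh
# Added example. Helper names are hypothetical; temp dirs stand in for home directories.

# Numeric owner of a path (third field of `ls -ldn`).
owner_uid() { ls -ldn "$1" | awk '{print $3}'; }

# True when the calling user owns the directory; a mismatch is the
# "owned by someone else" case from the error message.
owned_by_caller() { [ "$(owner_uid "$1")" = "$(id -u)" ]; }

# Run `git config --global ...` as if HOME were $1, ignoring overrides
# that would redirect the global config file elsewhere.
git_global_as_home() {
  home=$1; shift
  ( unset XDG_CONFIG_HOME GIT_CONFIG_GLOBAL
    HOME="$home" git config --global "$@" )
}

# Add a safe.directory entry to the global config under HOME=$1.
add_safe_dir_for_home() { git_global_as_home "$1" --add safe.directory "$2"; }

# Print every safe.directory entry visible in the global config under HOME=$1.
safe_dirs_for_home() {
  git_global_as_home "$1" --get-all safe.directory 2>/dev/null || true
}

# True when repository path $1 is listed for the user whose HOME is $2.
listed_safe_for_home() { safe_dirs_for_home "$2" | grep -Fxq -- "$1"; }

demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/login-user" "$tmp/www-data"
  # The command from the question, run by the login user only.
  add_safe_dir_for_home "$tmp/login-user" /home/repon
  for h in login-user www-data; do
    if listed_safe_for_home /home/repon "$tmp/$h"; then
      echo "$h: /home/repon is listed in this user's global config"
    else
      echo "$h: /home/repon is NOT listed in this user's global config"
    fi
  done
  rm -rf "$tmp"
}
demo
```

The entry has to be in the global config of the account that actually executes git (www-data in the question), or in the system-wide config written by `git config --system`.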