New git security policy safe.directory (eg: 1.16.6 docker image) makes pushing fails

[Nuklon]

Description

Since upgrading to 1.16.6, every push fails with the following error:

git -c diff.mnemonicprefix=false -c core.quotepath=false --no-optional-locks push -v origin master:master
fatal: credential-cache unavailable; no unix socket support
POST git-receive-pack (2733 bytes)
remote: 
remote: Gitea: Internal Server Error        

In docker console this is logged:

Failed to open repository: Git/Data Error: exit status 128 - fatal: unsafe repository ('/data/git/repositories/git/data.git' is owned by someone else)

Downgrading to 1.16.5 makes it work again. UI works in 1.16.6 and also allows me to browse the files in this repository (or any other, all have this push error).

Gitea Version

1.16.6

Can you reproduce the bug on the Gitea demo site?

No

How are you running Gitea?

Windows Server 2022 + Docker. Windows 10 + Docker has the same problem.

[silverwind]

Related: https://github.blog/2022-04-12-git-security-vulnerability-announced/

What is the ownership of /data/git/repositories and does it differ from the user that is used to run git?

[Nuklon]

Related: https://github.blog/2022-04-12-git-security-vulnerability-announced/

What is the ownership of /data/git/repositories and does it differ from the user that is used to run git?

It's running under Docker and it's created by Docker. Ownership just seems the default inherited stuff from Windows.

[silverwind]

Maybe it's something specific to Windows, but I doubt it. You could check by obtaining a shell inside the container.

I guess we either need to fix file permissions or perform a workaround using git config --global --add safe.directory /data/git as part of the docker build.

[Nuklon]

Here is the output from ls -l inside docker:

/data/git # ls -l
total 0
drwxrwxrwx    1 root     root             0 Nov 23 19:24 lfs
drwxrwxrwx    1 git      git              0 Feb  8 12:11 repositories

Also all repositories have git as owner.

[silverwind]

Can you also show permissions on /data/git/repositories/git/data.git and the parent directories up to /data/git?

[Nuklon]

Here:

/data/git/repositories/git/data.git # ls -l
total 26
-rwxr-xr-x    1 git      git             23 Mar 18 10:20 HEAD
drwxrwxrwx    1 root     root             0 Mar 18 10:15 branches
-rwxr-xr-x    1 git      git             86 Mar 18 10:15 config
-rwxr-xr-x    1 root     root            73 Mar 18 10:15 description
drwxrwxrwx    1 root     root          8192 Mar 18 10:15 hooks
drwxrwxrwx    1 root     root             0 Apr 14 08:40 info
drwxrwxrwx    1 git      git          16384 Apr 14 08:40 objects
drwxrwxrwx    1 git      git              0 Mar 18 10:15 refs

/data/git/repositories/git # ls -l
total 76
drwxrwxrwx    1 git      git           4096 Feb 28 13:48 old.git
drwxrwxrwx    1 git      git           4096 Apr 14 08:40 data.git
(cut down this list, all repos are the same except for the name / date)

/data/git/repositories # ls -l
total 4
drwxrwxrwx    1 git      git           4096 Apr  1 14:43 git

/data/git # ls -l
total 0
drwxrwxrwx    1 root     root             0 Nov 23 19:24 lfs
drwxrwxrwx    1 git      git              0 Feb  8 12:11 repositories

[silverwind]

Hmm, this mix of git/root ownership looks odd, but it's probably not the cause of the error. owned by someone else implies the git process runs as someone else besides git which I think should not be possible if it's started as a child process of gitea ran as git.

[lunny]

Which image did you use? The rootless one?

[Nuklon]

Hmm, this mix of git/root ownership looks odd, but it's probably not the cause of the error. owned by someone else implies the git process runs as someone else besides git which I think should not be possible if it's started as a child process of gitea ran as git.

Also the case with 1.16.5, which works OK. Same "structure" is created on my local machine.
What's also odd is that the web-UI works fine and can browse the files correctly, shouldn't that also fail then? Not sure how that's read.

Which image did you use? The rootless one?

No, the normal one. image: gitea/gitea:1.16.5

[silverwind]

I think the issue is that git runs as root, but files are for some reason owned by git which the git 2.35.2 and above with the fix see as "unsafe". Did you ever run the rootless image before?

As for a fix, I see two options:

• adjust safe.directory which should restore behaviour with git versions before 2.35.2 but there might still be issues with writing files when a users switches from rootful to rootless image. git 2.36.0 added a * option to regard all directories as "safe" and I think that would be feasible for the docker image as it's essentially a single-user system.
• chown all files to the user that will run the app, this has the drawback of impacting startup performance with many repos but will allow switching between rootless and rootful images without issues.

[zeripath]

Hmm, this mix of git/root ownership looks odd, but it's probably not the cause of the error. owned by someone else implies the git process runs as someone else besides git which I think should not be possible if it's started as a child process of gitea ran as git.

In fact the lfs directories being owned by root imply that the gitea binary is not being run as the git user. Which is highly abnormal and deeply suspect.

I think we need more information here.

What is your docker compose file? How are you running git? How are you mapping the repositories on to docker?

How are you pushing? Over HTTP or SSH?

Why are these git repositories partially owned by root and partially by git? That is going to cause HUGE problems and I'm kinda surprised that this has ever worked.

[Nuklon]

Did you ever run the rootless image before?

No, never, only the normal git image.

What is your docker compose file?

version: "3"

services:
  gitea:
    image: gitea/gitea:1.16.5
    restart: always
    container_name: gitea
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - DISABLE_REGISTRATION=true
      - REQUIRE_SIGNIN_VIEW=true
      - LOGIN_REMEMBER_DAYS=31
      - SESSION_LIFE_TIME=2678400
      - APP_NAME=Gitea
      - DISABLE_SSH=true
      - SECRET_KEY=redacted
      - ROOT_URL=https://redacted.com:4040/
    restart: always
    volumes:
      - ./data/git:/data/git
      - ./data/gitea:/data/gitea
    ports:
      - "3000:3000"

How are you running git? How are you mapping the repositories on to docker?

See above.

How are you pushing? Over HTTP or SSH?

HTTPS.

Why are these git repositories partially owned by root and partially by git? That is going to cause HUGE problems and I'm kinda surprised that this has ever worked.

No idea, in 1.16.5 this works OK. What should it be owned by? I can try chown.

[Nuklon]

Alright, I've been further testing this out. When starting gitea (restart docker), everything is on root. I tried to chown to git user, but everything stays on root. On 1.16.5 when pushing, some files and directories get changed from root to git. On 1.16.6 everything stays on root.

[maxiorel]

Yeah, I'm having the same problem after update running Gitea in Docker on my Synology NAS.

[kruechten]

I can confirm the bug as well. No Push/Pull possible (unsafe repository ... is owned by someone else).

Running on Ubuntu Server I installed gitea via snap. As this auto-updates applications (which I did not know), today all our repositories were producing an error 500.

Reverting to the previous version (1.16.5) via "snap revert gitea" fixed the problem.

[maxiorel]

In my case, chown was changed to 1026:users instead of git:git in some repositories. Login to SSH and change them back to git:git solved the issue.

[Jimskapt]

Same issue for me on Windows Server with Gitea 1.16.6 (amd64) and git-scm 2.36.0 on only one (legacy from Gogs) repository.

Also have an Error 500 when open it in Gitea web UI. There is error in Gitea logs about git config --global --add safe.directory C:/[...]/repositories/user/my_repo.git.

Unlike other repositories which are OK, in advanced security of the folder of the broken repo, the owner (Propriétaire in french) of folder has changed, it was my local user account, instead the local administrators group/account.

(Administrator = Administrateur in french)

Changing it solves my issue.

Hope it helps !

[dalito]

@Jimskapt - I see the same on windows server but it is clearly linked to git-scm 2.36.0 vs. 2.35.1. The version of gitea does not matter (I am using gitea-1.16.6). With git-scm 2.35.1 all repos can be opened, but with 2.36.0 accessing older ones gives a 500 error.

[Jimskapt]

@Jimskapt - I see the same on windows server but it is clearly linked to git-scm 2.36.0 vs. 2.35.1. The version of gitea does not matter (I am using gitea-1.16.6). With git-scm 2.35.1 all repos can be opened, but with 2.36.0 accessing older ones gives a 500 error.

I confirm. I've tried to revert back to some previous versions of Gitea (and some previous data backups) but keep git-scm unchanged, and still have the issue 😉

[luwol03]

Quick question, is this title really correct? From what I read its about git and not docker. So I suggest changing it.

[silverwind]

We should probably just add git config --global --add safe.directory '*' to the docker build to workaround and then later investigate why these uid mismatches occur in the first place.

[zeripath]

I seriously suspect that this an issue to do with mapping of the drives and ownership of the gitea-repositories in the container, as compared to that on the host. Gitea and Git in the container needs all of its repos owned by the user it is running under - often the git user (on the container).

The first step would be to ensure that ALL of Gitea's files and repositories are owned by the user running Gitea (on the container). You need to check that the mapping of the Gitea user from the container to the host is correct. There should be an option in your compose file relating to users and mapping and docker configuration to ensure that users are appropriate mapped across.

@Nuklon your ls output was that on container or on the host? The /data/git implies it was on the container...

What user is running /usr/local/bin/gitea on the container? The change to root (if on the container) implies that it is root - but running gitea as root is a bad idea and should be explicitly disallowed.

[Nuklon]

@Nuklon your ls output was that on container or on the host? The /data/git implies it was on the container...

Container, I run Windows as host so no ls :) Previous versions worked OK (and still work OK).

What user is running /usr/local/bin/gitea

git

[jonyrh]

WinServer 2019 + gitia 1.16.6 amd64 (with out gogit) + git 2.36.0.windows.1 = Error 500 in Web UI or error push 128
solution:
add to C:\Program Files\Git\etc\gitconfig

[safe]
	directory = *

[jonyrh]

@techknowlogick
After update gitia 1.16.5 ->1.16.6 and git 2.34 -> 2.36 i get push error 128 to log and error 500 on webui.
If downgrate only git then errors is missing.
If you want using new git 2.36, you must add to global config safe path or mask "*"

PS: #19492 - loop link to here again!

[HammyHavoc]

Got this problem on Gitea running as a Docker container on Linux on v1.16.7. Tried adding the repositories to global via the CLI for the container, but doesn't seem to change behaviour from Gitea. However, the line is definitely in the global config, have confirmed it.

Also tried adding git config --global --add safe.directory '*', and whilst it updates the global config too, doesn't seem to have any effect.

On a whim, I decided to try manually adding the lines to /mnt/cache/appdata/gitea/git/.gitconfig, and it works again, but the wildcard asterisk doesn't, only the repositories individually.

Not sure what the problem is.

[silverwind]

Also tried adding git config --global --add safe.directory '*', and whilst it updates the global config too, doesn't seem to have any effect.

That's probably because git config --global writes the current user's global config, so if the gitea process runs with a different user, it will have no effect. So it needs to be executed by the user running gitea.

git config --system --replace-all safe.directory '*' should work in all cases.

[zeripath]

These problems are caused because git now requires that the repositories it is run in are owned by the user that runs git.

In fact, Gitea has always required its repositories to be owned by the user that runs Gitea. That you were able to run with these configurations before was simply due to permissive permissions or failed ownership mapping.

If you set up the user mapping correctly in docker these problems should go away and you will not require safe.directory to be set.

[PKizzle]

At least for Kubernetes it is not possible to change the UID mapping of the git user. The current mapping system only allows for processes (gitea) to be forced to run using a certain UID and GID. However, this does not change the UID or GID of the git user, which is permanently set during the image building process. Since I am using an NFS mapped volume for the git repositories and currently no plugin allows for UID mapping (kubernetes-sigs/nfs-subdir-external-provisioner#173), I have to alter the Dockerfile in order to permanently set the UID and GID of the git user to match with the NFS config. This is not really a great solution since it prevents me from using any official images and I have to build the image myself.

The other solution of using an init script to alter the UID and GID of the git user at startup requires root permissions, which are not allowed due to a security policy in the namespace I run gitea in.

Disabling the git safe directoy check seems to be the preferred solution here until there are better NFS plugins for Kubernetes or another solution is found.

[zeripath]

In the docker you can set the chosen $USER, $USER_GID and $USER_UID through the environment this changes the user that gitea will run as.

gitea/docker/root/usr/bin/entrypoint

Lines 9 to 31 in 1d04e86

	if [ "${USER}" != "git" ]; then
	# rename user
	sed -i -e "s/^git\:/${USER}\:/g" /etc/passwd
	fi
	if [ -z "${USER_GID}" ]; then
	USER_GID="`id -g ${USER}`"
	fi
	if [ -z "${USER_UID}" ]; then
	USER_UID="`id -u ${USER}`"
	fi
	## Change GID for USER?
	if [ -n "${USER_GID}" ] && [ "${USER_GID}" != "`id -g ${USER}`" ]; then
	sed -i -e "s/^${USER}:\([^:]*\):[0-9]*/${USER}:\1:${USER_GID}/" /etc/group
	sed -i -e "s/^${USER}:\([^:]*\):\([0-9]*\):[0-9]*/${USER}:\1:\2:${USER_GID}/" /etc/passwd
	fi
	## Change UID for USER?
	if [ -n "${USER_UID}" ] && [ "${USER_UID}" != "`id -u ${USER}`" ]; then
	sed -i -e "s/^${USER}:\([^:]*\):[0-9]*:\([0-9]*\)/${USER}:\1:${USER_UID}:\2/" /etc/passwd
	fi

In the rootless I think you can just use the -u param of docker run

[Nuklon]

In fact, Gitea has always required its repositories to be owned by the user that runs Gitea. That you were able to run with these configurations before was simply due to permissive permissions or failed ownership mapping.

It's just default stuff, I haven't changed anything and it's not working.

[PKizzle]

In the rootless I think you can just use the -u param of docker run

That will only change the UID of the process not of the git user 😢

[zeripath]

The UID of the process is all that matters.

[zeripath]

In fact, Gitea has always required its repositories to be owned by the user that runs Gitea. That you were able to run with these configurations before was simply due to permissive permissions or failed ownership mapping.

It's just default stuff, I haven't changed anything and it's not working.

You definitely have some configuration.

I think it's very clear that you must be mounting some volumes, otherwise you would not be seeing this.

The mapping of the uids/gids in those volumes to docker is resulting in Gitea's repositories not being owned by the Gitea user.

git is now enforcing that these repositories have to be owned by the running process.

---

There is a mismapping - for whatever reason.

That leaves the following solutions:

• Use the environment variables above to make Gitea run as the correct user and group
• Use docker's userns mapping
• If you're using ntfs you may need to write a user remapping file for that when mounting.
• NFS will have something similar
• For Samba/CIFS you will likely need to look at the uid= and gid= settings.

If those are too difficult or not successful:

• Have you tried editing (in the container) /data/git/.gitconfig to add:

[safe]
	directory = *

• Or have you ran:

docker exec -it -u git <YOUR_CONTAINER_NAME> bash -i -c 'git config --global --add safe.directory "*"'

---

Now, we as a project are considering adding that safe.directory setting by default - but we need to be clear why we're needing to add this and that it actually works.

[Nuklon]

Of course I am mounting volumes. My docker-compose file is as follows (basically from https://docs.gitea.io/en-us/install-with-docker/#basics):

version: "3"

services:
  gitea:
    image: gitea/gitea:1.16.5
    restart: always
    container_name: gitea
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - DISABLE_REGISTRATION=true
      - REQUIRE_SIGNIN_VIEW=true
      - LOGIN_REMEMBER_DAYS=31
      - SESSION_LIFE_TIME=2678400
      - APP_NAME=Gitea
      - DISABLE_SSH=true
      - SECRET_KEY=REDACTED
      - ROOT_URL=REDACTED
    restart: always
    volumes:
      - ./data/git:/data/git
      - ./data/gitea:/data/gitea
    ports:
      - "3000:3000"

I have nothing changed in the container.

Have you tried editing (in the container) /data/git/.gitconfig to add:

Yes, that is not working. Specifying the full path in /etc/gitconfig does work, similar to #19455 (comment). I think git needs to be updated to allow wildcard support as the one shipped with image is 2.30.3 while wildcard is only added in 2.35.1 (?).

[zeripath]

    environment:
      - USER_UID=1000
      - USER_GID=1000

means that Gitea will be running as UID:1000 in the container.

That means repositories in that /data/git must be owned by UID:1000 in the container.

Let's work through this step-by-step (people running docker for windows can probably just jump to step 4 - presumably this includes you @Nuklon.)

1. Perhaps, the ownership of these files is just incorrect because they're not owned by UID 1000 in the container and a simple chown will suffice:

docker exec -it  <YOUR_CONTAINER_NAME> bash -i -c 'chown -R 1000:1000 /data/git'

(I would hope that this has already been tried.) After running this check if the chown has applied, if so stop and try again. If you're getting problems then you may need to chown /data/gitea too, or change where your temporary files are being created.

2. For whatever reason this chowning is not allowed and chowning things on the host might succeed? Well in the absence of further information (e.g. userns remapping) UID: 1000 in the container IS UID: 1000 on the host:

sudo chown -R 1000:1000 /data/git

(I don't think this would succeed where 1. above does not work but it's worth a try.) Again check if this has succeeded...

3. An alternative to both of these is to set the above environment variables correctly to your needs.

4. The host /data/git is actually mounted on a weird filesystem that doesn't actually properly map uid/gid. e.g. SMBFS/CIFS, NTFS, or NFS.

To solve this means that you need to look at how you're mounting these drives in your host system.

• If you're using ntfs you may need to write a user remapping file for that when mounting. http://manpages.ubuntu.com/manpages/trusty/man8/ntfs-3g.usermap.8.html
• NFS will have something similar, see: https://serverfault.com/questions/514118/mapping-uid-and-gid-of-local-user-to-the-mounted-nfs-share
• For Samba/CIFS you will likely need to look at the uid= and gid= settings.

uid=<uid-spec>: sets the uid that will own all files on the mounted filesystem. It may be specified as either a username or a numeric uid. This parameter is ignored when the target server supports the CIFS Unix extensions (which samba does per default unless you disable it).
gid=<group-spec>: sets the gid that will own all files on the mounted filesystem. It may be specified as either a groupname or a numeric gid. This parameter is ignored when the target server supports the CIFS Unix extensions.

• Now in your case @Nuklon I think you're running docker for windows and simply using the local driver. This is creating dumb CIFS shares but without the option of setting options - (WHY? DOCKER WHY?). If you were to switch to CIFS it you could set options in your docker compose file:

services:
  gitea:
    image: gitea/gitea:1.16.5
    restart: always
    container_name: gitea
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - DISABLE_REGISTRATION=true
      - REQUIRE_SIGNIN_VIEW=true
      - LOGIN_REMEMBER_DAYS=31
      - SESSION_LIFE_TIME=2678400
      - APP_NAME=Gitea
      - DISABLE_SSH=true
      - SECRET_KEY=REDACTED
      - ROOT_URL=REDACTED
    restart: always
    volumes:
      - git-dir:/data/git
      - gitea-dir:/data/gitea
    ports:
      - "3000:3000"
 volumes:
  git-dir:
    driver_opts:
      type: cifs
      o: "uid=1000,gid=1000"
      device: "//localhost/$C/PATH/TO/DATA/GIT"
  gitea-dir:
    driver_opts:
      type: cifs
      o: "uid=1000,gid=1000"
      device: "//localhost/$C/PATH/TO/DATA/GITEA"

5. We've just merged Import git from alpine 3.16 repository as 2.30.4 is needed for safe.directory = '*' to work but alpine 3.13 has 2.30.3 #19876 which will put the latest version of git into the release/v1.16 docker. You can get the latest head of 1.16 using the tag 1.16-dev which tracks the release/v1.16 branch. Then safe.directory = * should work.

6. If you won't use the 1.16-dev tag, you can (temporarily) override the command: in the docker compose to a script in, say /data/gitea that is something like:

#!/bin/bash
apk add git --repository=http://dl-cdn.alpinelinux.org/alpine/v3.16/main
/bin/s6-svscan /etc/s6

Then on startup git will be updated from alpine 3.16 and a .gitconfig containing safe.directory=* should work.

But in reality you should get it so that repos are owned by the Gitea user - and assuming you're a customer of Docker-Desktop you should pressure docker to make this easier to do on Windows.

Honestly I've just spent far too long learning about how Docker - a thing I barely use - mounts volumes on Windows - an operating system I don't use.

[Nuklon]

Just going by the steps.

1. Already tried, see above. This doesn't work as folders stay at root.
2. Host is Windows so no chown. Tried experimenting with Windows access rules (even set to allow everything), doesn't work.
3. This is recommended setting from docs. Looking at /etc/passwd 1000 is git user, so I would assume that's correct. I can try to change both to UID 0 (root user) but not sure if that's a good idea.
4. I don't use Samba/CIFS, it's just mapped to a folder. It worked fine before.

I'll try to find some time next week to give dev a try.

[zeripath]

people running docker for windows can probably just jump to step 4 - presumably this includes you @Nuklon.

• Now in your case @Nuklon I think you're running docker for windows and simply using the local driver. This is creating dumb CIFS shares but without the option of setting options - (WHY? DOCKER WHY?). If you were to switch to CIFS it you could set options in your docker compose file:

services:
  gitea:
    image: gitea/gitea:1.16.5
    restart: always
    container_name: gitea
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - DISABLE_REGISTRATION=true
      - REQUIRE_SIGNIN_VIEW=true
      - LOGIN_REMEMBER_DAYS=31
      - SESSION_LIFE_TIME=2678400
      - APP_NAME=Gitea
      - DISABLE_SSH=true
      - SECRET_KEY=REDACTED
      - ROOT_URL=REDACTED
    restart: always
    volumes:
      - git-dir:/data/git
      - gitea-dir:/data/gitea
    ports:
      - "3000:3000"
 volumes:
  git-dir:
    driver_opts:
      type: cifs
      o: "uid=1000,gid=1000"
      device: "//localhost/$C/PATH/TO/DATA/GIT"
  gitea-dir:
    driver_opts:
      type: cifs
      o: "uid=1000,gid=1000"
      device: "//localhost/$C/PATH/TO/DATA/GITEA"

Or do 5-6.

---

I've spent literally HOURS looking into this, writing "it worked before" is beyond infuriating. I know it worked before.

We already know why it's not working. Git has changed to disallow using repositories that are not owned by the process that is running it and your configuration is not mounting volumes with the correct ownership.

There are two ways of solving this:

1. Fix your configuration so that repositories are mapped to the correct user. It matters not if it was "working before" - the reality is that ownership of files isn't being properly mapped and if something had depended on ownership it wouldn't have worked.
2. Override git's warning with the safe.directory=* option. Of course the first version of git to implement this new feature did not include this and our default package doesn't include it. We're forced to run an older version of alpine because if we don't we'll break every docker <20.10.6. We've explicitly updated git in the release/v1.16 to allow this to happen but it doesn't solve the above problem.

One useful thing I've learnt from this is that we simply cannot trust file ownership on docker for windows. It's almost always going to be a lie and unhelpful to rely on simply because docker for windows has such a poor mechanism mounting volumes based on windows drives. We're going to have to make sure that we don't rely on this as if we do we're going to have explicitly un-support docker for windows. (This is of course ridiculous. Utterly and completely ridiculous.) This means that we're going to have to add safe.directory to at least our docker builds or take time to explain how to map users in our documentation.

[Nuklon]

is beyond infuriating

That wasn't meant that way, sorry. I appreciate the help here 🙂

What I don't quite understand is how in older versions git is changing ownership from root to git user on push, but that chown isn't working. What is git doing?

[Nuklon]

I have updated to 1.16-dev and added

[safe]
	directory = *

to /data/git/.gitconfig

This works! 🎉

[Nuklon]

It also seems to work in WSL2 without adding safe directory (YMMV). WSL1 I could only get to work with the above change.