I found error log from apache2 that is fatal: unsafe repository ('/home/repon' is owned by someone else)
It happens because I have git rev-parse --symbolic-full-name --abbrev-ref HEAD' in PHP code and it looks like the new git safety change no longer allows www-data to run this git command.
git config --global --add safe.directory /homerepon does not work. Does anyone have a workaround to solve this issue?
Git version: 2.35.3
PHP version: 7.4
Apache2 version: 2.4.41
This started appearing with the release of the git 2.35.2 security update which fixes vulnerabilities described here. credits @Juan-Kabbali
Here are 4 possible solutions:
git config --global --add safe.directory /home/repon
This adds to ~/.gitconfig the safe group as shown in this example
[safe]
directory = /home/repon
sudo -u ubuntu -- git status
Note: This requires user www-data to have permission to execute the git command as user ubuntu (assuming ubuntu is the repository owner). For this to work, you will need to add a new file inside /etc/sudoers.d/ with the following contents:
www-data ALL=(ubuntu) NOPASSWD: /usr/bin/git
This may have security implications so refer to your security person first.
www-datasudo chown -R www-data:www-data /home/repon
apt install git-man=1:2.17.0-1ubuntu1 git=1:2.17.0-1ubuntu1
Note: At least on Windows, it appears that all git repositories on ejectable drives are considered unsafe and changing ownership does not seem to work.
For Windows I had to do the following:
This solution works also if you move or rename the directory afterwards. In my opinion you should prefer this solution over
git config --global --add safe.directory <repo-path>
which you have to do each time where you perform changes on the directory name. You can also adapt manually the .gitconfig file in
C:\Users\<username>\.gitconfig
once you added to the safe list.
This is because of the git safe update.
To make Git trust any directory you can run this in powershell:
git config --global --add safe.directory *
In bash you should escape the * to avoid expansion:
git config --global --add safe.directory '*'
Support for * was only added in Git 2.36 as mentioned at: https://github.blog/2022-04-18-highlights-from-git-2-36/ and by genonymous in the comments.
If you just trust one directory, you can run this command
git config --global --add safe.directory your-directory
I had a similar issue - a web application that uses git could not access the repository.
Running the suggested command (git config --global --add safe.directory /repo/path) didn't work as well, because I ran it as 'me', not as 'www-data' user.
The solution was in fact really simple - I created .gitconfig file in /var/www directory (which is home for www-data user in my case) and put
[safe]
directory = /repo/path
there.
None of the above solutions worked for me but changing the ownership of the repository did. I'm running Ubuntu 20.04.4 LTS and I ran the following command:
sudo chown -R username:group directory
I may be stating the obvious, but I think it's worth mentioning that running git config --global --add safe.directory /home/repon needs to done for the www-data user.
Problem 1: www-data's HOME directory is /var/www, so having a .gitconfig file there may be a security risk (divulging server paths / config).
Problem 2: with Apache/Ubuntu 20.04, the HOME environment variable is not defined by default (/etc/apache2/envvars unsets it) so the config is not getting picked-up (git config --global fails with fatal: $HOME not set).
I managed to fix the problem by adding the repository to git's system config, i.e. git config --system --add safe.directory /home/repon.
As a part of automation, Our scenario involved invoking one script multiple times and we don't know the workspace upfront.
So, in our case, git config --global --add safe.directory * created multiple entries in ~/.gitconfig.
git config --global --replace-all safe.directory '*' helped us ensuring no duplicate entries.
I had a similar problem, with Phabricator not being able to display the content of my repositories (git log failed because of the same reason as yours).
I could not figure out which user was running the git command, so I could not come up with a proper solution, until I realized I could edit/create a global git config file for all users.
I created the file with:
sudo vi /etc/gitconfig.
and put this inside:
[safe]
directory = /home/opt/phabricator_repo/1
directory = /home/opt/phabricator_repo/4
directory = /home/opt/phabricator_repo/5
OS: Ubuntu 20.04
This happens if you have a different user who owned the directory. For example, your git repo is located in /var/www which is owned by www-data. Now, when you are signed-in/using a non-sudo user account and you go to /var/www to perform git actions such as
$ git branch
you will get this error so make sure you have appropriate directory permission. You can change the directory ownership by running CHOWN or add your current user to the group to which the directory owner belongs to
If you are on linux and prefer explicit allow-listing, you may achieve it manually by editing the Git config, (e.g. using nano or vim). Just put the folders allow-list into the [safe] section of the config file:
$ nano ~/.gitconfig
And here is a python script to prepare the allow-list:
from glob import glob
def println(my_list):
print("\n".join(map(str, my_list)))
git_folders_list = sorted(glob("~/git/*", recursive=True))
println(["directory = " + d for d in git_folders_list])
I had this problem on windows with Sublime Merge, I was trying to apply some solutions mentioned here, they didn't work so I said: if the problem is with the folder I must create a new one, so copy and paste the project folder, delete the old one, rename the copy by the old name and that was it!. I guess this should work on linux too and when making the copy of the project folder it is created with the correct owner.
Changing the owner of the top level directory fixed it.
Running Laravel on a local Ubuntu LAMP stack, my setup includes the command
sudo chown -R www-data /var/www/dirname
But with www-data owning the dirname, git gave the above error. To fix it, I only had to change the owner of the top level dirname, and the .git directory:
sudo chown myUserName /var/www/dirname
sudo chown -R myUserName /var/www/dirname/.git
In addition to the accepted answer, for those who are getting "error: wrong number of arguments, should be 2" under Windows, use double quotation marks instead of single quotes when providing the directory argument.
e.g.:
git config --global --add safe.directory "D:/Source/Repos/SampleProject"
sudo chown -R [username]:[group directory]
that really works for me (macbook air m1)
This was really frustrating.
Adding to the gitconfig worked, but who wants to do that seemingly every directory?! Craziness!
For me, the answer:
---> Don't use sudo!
For many cases, using sudo doesn't hurt, and it can be habitual if you are moving between things your user can touch, and things needing more access.
If my user created a repo and then I used "sudo git...", I got the error. I also had the "sudo git..." part in an alias, so it wasn't obvious that I was even using it.
Alongside @Huber Thomas answer for Windows I had to use Powershell/CMD since I had a bunch of files in an scm folder I'd moved from one location to another. The TAKEOWN command handled this well (if a little slowly).
takeown /f . /r /d YThis will recursively work through all folders at your current folder and set the ownership to the logged in user (presumably you).
