Configure project clone directory as safe by default
Description
The change made in recent Git releases to address CVE-2022-24765 disallows the use of any git
commands under the project clone directory if the container runs as a non-root
user.
Example scenario:
1. Job runs helper image for clone operation under the build directory as user X
2. Job initiates build image container and the job script after successful clone
3. Build image container runs as a different user Y
4. Build script attempts to clone another repository via git clone as a dependency it requires, with its destination somewhere under the working directory (project clone directory)
Step (4) used to pass before the changes introduced in Git 2.35.2.
Now step (4) may fail with the following error, and manual safe.directory overrides in .gitconfig are required to work around it:
fatal: unsafe repository ('/builds/project/group' is owned by someone else)
Note: The clones are performed by default as the root or ContainerAdmin user through GitLab Runner's default helper images.
Proposal
- Add new Runner option SetSafeDirectoryCheckout
- Option should be enabled by default in environments where we're okay to modify global git options.
- Option will be available for other executors, but will be disabled by default.
- When enabled, we run:
git config --global --add safe.directory /builds/group/project
Workaround options
- The post_clone_script config under the [[runners]] section in each runner's config.toml could be used to apply the required command every time:
  [[runners]]
    post_clone_script = "git config --global --add safe.directory $(pwd)"
- Alternatively, add the following to the pre_clone_script config under the [[runners]] section in each runner's config.toml:
  [[runners]]
    pre_clone_script = "git config --global --add safe.directory $CI_PROJECT_DIR"
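Both workarounds run git config --global --add on every job, which appends a new safe.directory line each time on hosts where the global Git config persists between jobs. The following is an added example, not GitLab Runner's own code: a hypothetical helper named mark_safe_directory that adds the entry for one directory only once and rejects the '*' wildcard, which would switch the ownership check off for every repository.

```shell
#!/bin/sh
# Added example: mark_safe_directory is a hypothetical helper, not part of
# GitLab Runner. Usage from a clone hook or job script:
#   mark_safe_directory "$CI_PROJECT_DIR"

mark_safe_directory() {
    dir=$1

    # Refuse an empty value and the '*' wildcard: the exception should cover
    # the project clone directory only, not every repository on the host.
    case $dir in
        ''|'*')
            echo "refusing safe.directory value: '$dir'" >&2
            return 2
            ;;
    esac

    # Store an absolute, symlink-resolved path so the same directory is
    # always recorded under the same string.
    dir=$(CDPATH= cd -- "$dir" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1" >&2
        return 1
    }

    # --get-all prints every configured value, one per line.
    # grep -Fx matches the whole line literally, so /builds/a does not
    # match /builds/a/b and path characters are not treated as a regex.
    if git config --global --get-all safe.directory 2>/dev/null |
        grep -Fxq -- "$dir"; then
        return 0    # already listed, nothing to do
    fi

    git config --global --add safe.directory "$dir"
}
```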