git/Documentation
Glen Choo 779ea9303a Documentation: define protected configuration
For security reasons, there are config variables that are only trusted
when they are specified in certain configuration scopes, which are
sometimes referred to on-list as 'protected configuration' [1]. A future
commit will introduce another such variable, so let's define our terms
so that we can have consistent documentation and implementation.

In our documentation, define 'protected configuration' as the system,
global and command config scopes. As a shorthand, I will refer to
variables that are only respected in protected configuration as
'protected configuration only', but this term is not used in the
documentation.

This definition of protected configuration is based on whether or not
Git can reasonably protect the user by ignoring the configuration scope:

- System, global and command line config are considered protected
  because an attacker who has control over any of those can do plenty of
  harm without Git, so we gain very little by ignoring those scopes.

- On the other hand, local (and similarly, worktree) config are not
  considered protected because it is relatively easy for an attacker to
  control local config, e.g.:

  - On some shared user environments, a non-admin attacker can create a
    repository high up the directory hierarchy (e.g. C:\.git on
    Windows), and a user may accidentally use it when their PS1
    automatically invokes "git" commands.

    `safe.directory` prevents attacks of this form by making sure that
    the user intended to use the shared repository. It obviously
    shouldn't be read from the repository, because that would end up
    trusting the repository that Git was supposed to reject.

  - "git upload-pack" is expected to run in repositories that may not be
    controlled by the user. We cannot ignore all config in that
    repository (because "git upload-pack" would fail), but we can limit
    the risks by ignoring `uploadpack.packObjectsHook`.

Only `uploadpack.packObjectsHook` is 'protected configuration only'. The
following variables are intentionally excluded:

- `safe.directory` should be 'protected configuration only', but it does
  not technically fit the definition because it is not respected in the
  "command" scope. A future commit will fix this.

- `trace2.*` happens to read the same scopes as `safe.directory` because
  they share an implementation. However, this is not for security
  reasons; it is because we want to start tracing so early that
  repository-level config and "-c" are not available [2].

  This requirement is unique to `trace2.*`, so it does not make sense
  for protected configuration to be subject to the same constraints.

[1] For example,
https://lore.kernel.org/git/6af83767-576b-75c4-c778-0284344a8fe7@github.com/
[2] https://lore.kernel.org/git/a0c89d0d-669e-bf56-25d2-cbb09b012e70@jeffhostetler.com/

Signed-off-by: Glen Choo <chooglen@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2022-07-14 15:08:29 -07:00
RelNotes The second batch 2022-07-13 14:54:56 -07:00
config Documentation: define protected configuration 2022-07-14 15:08:29 -07:00
howto
mergetools vimdiff: add tool documentation 2022-04-03 15:09:52 -07:00
technical Merge branch 'ac/bitmap-format-doc' 2022-07-11 15:38:50 -07:00
.gitattributes
.gitignore doc lint: make "lint-docs" non-.PHONY 2021-10-15 10:29:11 -07:00
CodingGuidelines Documentation/ToolsForGit.txt: Tools for developing Git 2022-04-21 09:50:25 -07:00
Makefile Merge branch 'ac/bitmap-format-doc' 2022-07-11 15:38:50 -07:00
MyFirstContribution.txt MyFirstContribution: drop PR description for GGG single-patch contributions 2022-05-12 18:10:00 -07:00
MyFirstObjectWalk.txt MyFirstObjectWalk: update recommended usage 2022-03-09 10:25:27 -08:00
SubmittingPatches SubmittingPatches: use more stable git.ozlabs.org URL 2022-05-11 08:19:08 -07:00
ToolsForGit.txt Documentation/ToolsForGit.txt: Tools for developing Git 2022-04-21 09:50:25 -07:00
asciidoc.conf
asciidoctor-extensions.rb
blame-options.txt Merge branch 'bs/doc-blame-color-lines' 2021-10-18 15:47:58 -07:00
build-docdep.perl
cat-texi.perl
cmd-list.perl
config.txt revert: config documentation fixes 2022-06-27 08:37:36 -07:00
date-formats.txt doc: use only hyphens as word separators in placeholders 2021-11-09 09:39:11 -08:00
diff-format.txt diff-format.txt: correct misleading wording 2022-06-13 11:57:03 -07:00
diff-generate-patch.txt
diff-options.txt Merge branch 'js/diff-filter-negation-fix' 2022-02-16 15:14:30 -08:00
doc-diff
docbook-xsl.css
docbook.xsl
everyday.txto
fetch-options.txt Merge branch 'rc/fetch-refetch' 2022-04-04 10:56:23 -07:00
fix-texi.perl
git-add.txt add: implement the --sparse option 2021-09-28 10:31:02 -07:00
git-am.txt am: support --allow-empty to record specific empty patches 2021-12-15 17:04:19 -08:00
git-annotate.txt
git-apply.txt git-apply: add --allow-empty flag 2021-12-13 14:30:25 -08:00
git-archimport.txt doc: split placeholders as individual tokens 2021-10-28 09:57:09 -07:00
git-archive.txt archive-tar: use internal gzip by default 2022-06-15 13:19:47 -07:00
git-bisect-lk2009.txt
git-bisect.txt
git-blame.txt Merge branch 'bs/doc-blame-color-lines' 2021-10-18 15:47:58 -07:00
git-branch.txt branch: new autosetupmerge option 'simple' for matching branches 2022-04-29 11:20:55 -07:00
git-bugreport.txt Documentation: fix default directory of git bugreport -o 2021-09-07 14:25:13 -07:00
git-bundle.txt bundle: move capabilities to end of 'verify' 2022-03-23 13:13:59 -07:00
git-cat-file.txt Documentation: add --batch-command to cat-file synopsis 2022-04-07 13:31:54 -07:00
git-check-attr.txt
git-check-ignore.txt doc: check-ignore: code-quote an exclamation mark 2022-02-03 11:13:49 -08:00
git-check-mailmap.txt
git-check-ref-format.txt
git-checkout-index.txt checkout-index: add --ignore-skip-worktree-bits option 2022-01-13 13:49:45 -08:00
git-checkout.txt Merge branch 'js/branch-track-inherit' 2022-01-20 15:25:38 -08:00
git-cherry-pick.txt doc: express grammar placeholders between angle brackets 2021-11-09 09:39:11 -08:00
git-cherry.txt
git-citool.txt
git-clean.txt
git-clone.txt clone, submodule: pass partial clone filters to submodules 2022-02-09 15:38:36 -08:00
git-column.txt column: fix parsing of the '--nl' option 2021-08-26 14:36:27 -07:00
git-commit-graph.txt
git-commit-tree.txt
git-commit.txt Document positive variant of commit and merge option "--no-verify" 2021-10-29 11:22:56 -07:00
git-config.txt Documentation: define protected configuration 2022-07-14 15:08:29 -07:00
git-count-objects.txt
git-credential-cache--daemon.txt doc: replace "--" with {litdd} in credential-cache/fsmonitor 2022-04-06 16:06:06 -07:00
git-credential-cache.txt
git-credential-store.txt
git-credential.txt doc: fix git credential synopsis 2021-10-28 09:57:09 -07:00
git-cvsexportcommit.txt doc: express grammar placeholders between angle brackets 2021-11-09 09:39:11 -08:00
git-cvsimport.txt doc: use only hyphens as word separators in placeholders 2021-11-09 09:39:11 -08:00
git-cvsserver.txt Documentation: cleanup git-cvsserver 2021-09-16 20:47:48 -07:00
git-daemon.txt
git-describe.txt
git-diff-files.txt doc: use only hyphens as word separators in placeholders 2021-11-09 09:39:11 -08:00
git-diff-index.txt diff-index.txt: update raw output format in examples 2022-06-13 11:59:16 -07:00
git-diff-tree.txt doc: use only hyphens as word separators in placeholders 2021-11-09 09:39:11 -08:00
git-diff.txt
git-difftool.txt
git-fast-export.txt
git-fast-import.txt
git-fetch-pack.txt builtin/fetch-pack: add --refetch option 2022-03-28 10:25:52 -07:00
git-fetch.txt fetch: fetch unpopulated, changed submodules 2022-03-16 16:08:59 -07:00
git-filter-branch.txt
git-fmt-merge-msg.txt merge: allow to pretend a merge is made into a different branch 2021-12-20 14:55:02 -08:00
git-for-each-ref.txt
git-for-each-repo.txt
git-format-patch.txt doc: git-format-patch: describe the option --always 2021-12-15 17:04:15 -08:00
git-fsck-objects.txt
git-fsck.txt doc: use three dots for indicating repetition instead of star 2021-11-09 09:39:11 -08:00
git-fsmonitor--daemon.txt doc: replace "--" with {litdd} in credential-cache/fsmonitor 2022-04-06 16:06:06 -07:00
git-gc.txt gc: simplify --cruft description 2022-06-21 08:58:04 -07:00
git-get-tar-commit-id.txt
git-grep.txt grep: add --max-count command line option 2022-06-22 13:23:29 -07:00
git-gui.txt doc: express grammar placeholders between angle brackets 2021-11-09 09:39:11 -08:00
git-hash-object.txt
git-help.txt help: add --no-[external-commands|aliases] for use with --all 2022-02-23 13:41:37 -08:00
git-hook.txt git hook run: add an --ignore-missing flag 2022-01-07 15:19:34 -08:00
git-http-backend.txt docs/http-backend: mention v2 protocol 2021-09-10 15:34:59 -07:00
git-http-fetch.txt doc: uniformize <URL> placeholders' case 2021-11-09 09:39:11 -08:00
git-http-push.txt doc: git-http-push: describe the refs as pattern pairs 2021-11-09 09:39:11 -08:00
git-imap-send.txt
git-index-pack.txt index-pack: document and test the --promisor option 2022-03-09 10:25:26 -08:00
git-init-db.txt doc: use only hyphens as word separators in placeholders 2021-11-09 09:39:11 -08:00
git-init.txt init doc: --shared=0xxx does not give umask but perm bits 2021-11-09 09:39:11 -08:00
git-instaweb.txt
git-interpret-trailers.txt
git-log.txt doc: use only hyphens as word separators in placeholders 2021-11-09 09:39:11 -08:00
git-ls-files.txt ls-files: support --recurse-submodules --stage 2022-02-23 16:41:55 -08:00
git-ls-remote.txt
git-ls-tree.txt ls-tree doc: document interaction with submodules 2022-04-08 11:21:11 -07:00
git-mailinfo.txt
git-mailsplit.txt
git-maintenance.txt maintenance: fix synopsis in documentation 2022-03-15 10:52:43 -07:00
git-merge-base.txt
git-merge-file.txt update documentation for new zdiff3 conflictStyle 2021-12-01 14:45:59 -08:00
git-merge-index.txt doc: use three dots for indicating repetition instead of star 2021-11-09 09:39:11 -08:00
git-merge-one-file.txt
git-merge-tree.txt
git-merge.txt Merge branch 'jc/merge-detached-head-name' 2022-01-05 14:01:30 -08:00
git-mergetool--lib.txt
git-mergetool.txt vimdiff: add tool documentation 2022-04-03 15:09:52 -07:00
git-mktag.txt
git-mktree.txt fix typo in git-mktree.txt 2022-02-02 14:50:09 -08:00
git-multi-pack-index.txt git-multi-pack-index.txt: change "folder" to "directory" 2021-10-25 11:06:56 -07:00
git-mv.txt
git-name-rev.txt name-rev: deprecate --stdin in favor of --annotate-stdin 2022-01-10 09:39:26 -08:00
git-notes.txt
git-p4.txt git-p4: improve encoding handling to support inconsistent encodings 2022-05-04 10:30:01 -07:00
git-pack-objects.txt builtin/pack-objects.c: --cruft without expiration 2022-05-26 15:48:26 -07:00
git-pack-redundant.txt doc: express grammar placeholders between angle brackets 2021-11-09 09:39:11 -08:00
git-pack-refs.txt
git-patch-id.txt
git-prune-packed.txt
git-prune.txt
git-pull.txt Merge branch 'js/retire-preserve-merges' 2021-10-18 15:47:56 -07:00
git-push.txt
git-quiltimport.txt
git-range-diff.txt
git-read-tree.txt Merge branch 'en/sparse-cone-becomes-default' 2022-06-03 14:30:33 -07:00
git-rebase.txt git-rebase.txt: use back-ticks consistently 2022-06-30 10:25:54 -07:00
git-receive-pack.txt
git-reflog.txt doc: express grammar placeholders between angle brackets 2021-11-09 09:39:11 -08:00
git-remote-ext.txt
git-remote-fd.txt
git-remote-helpers.txto
git-remote.txt builtin/remote.c: teach `-v` to list filters for promisor remotes 2022-05-09 10:53:58 -07:00
git-repack.txt builtin/repack.c: support generating a cruft pack 2022-05-26 15:48:26 -07:00
git-replace.txt
git-request-pull.txt doc: uniformize <URL> placeholders' case 2021-11-09 09:39:11 -08:00
git-rerere.txt
git-reset.txt reset: remove 'reset.refresh' config option 2022-03-23 14:39:45 -07:00
git-restore.txt update documentation for new zdiff3 conflictStyle 2021-12-01 14:45:59 -08:00
git-rev-list.txt
git-rev-parse.txt
git-revert.txt revert: optionally refer to commit in the "reference" format 2022-05-26 23:05:03 -07:00
git-rm.txt rm: add --sparse option 2021-09-28 10:31:02 -07:00
git-send-email.txt send-email docs: add format-patch options 2021-10-28 09:06:15 -07:00
git-send-pack.txt send-pack: properly use parse_options() API for usage string 2021-09-12 18:57:30 -07:00
git-sh-i18n--envsubst.txt
git-sh-i18n.txt
git-sh-setup.txt
git-shell.txt
git-shortlog.txt doc: use only hyphens as word separators in placeholders 2021-11-09 09:39:11 -08:00
git-show-branch.txt
git-show-index.txt
git-show-ref.txt
git-show.txt
git-sparse-checkout.txt Documentation: some sparsity wording clarifications 2022-04-21 23:12:39 -07:00
git-stage.txt doc: express grammar placeholders between angle brackets 2021-11-09 09:39:11 -08:00
git-stash.txt stash: implement '--staged' option for 'push' and 'save' 2021-10-18 13:09:21 -07:00
git-status.txt status: print stash info with --porcelain=v2 --show-stash 2021-10-21 17:24:30 -07:00
git-stripspace.txt
git-submodule.txt clone, submodule: pass partial clone filters to submodules 2022-02-09 15:38:36 -08:00
git-svn.txt Merge branch 'ja/doc-cleanup' 2021-12-10 14:35:03 -08:00
git-switch.txt Merge branch 'js/branch-track-inherit' 2022-01-10 11:52:54 -08:00
git-symbolic-ref.txt
git-tag.txt
git-tools.txt
git-unpack-file.txt
git-unpack-objects.txt
git-update-index.txt doc: replace "--" with {litdd} in credential-cache/fsmonitor 2022-04-06 16:06:06 -07:00
git-update-ref.txt
git-update-server-info.txt
git-upload-archive.txt
git-upload-pack.txt Merge branch 'jk/http-server-protocol-versions' 2021-09-23 13:44:47 -07:00
git-var.txt var: add GIT_DEFAULT_BRANCH variable 2021-11-03 13:25:36 -07:00
git-verify-commit.txt
git-verify-pack.txt
git-verify-tag.txt
git-version.txt documentation: add documentation for 'git version' 2021-09-14 10:05:40 -07:00
git-web--browse.txt doc: split placeholders as individual tokens 2021-10-28 09:57:09 -07:00
git-whatchanged.txt
git-worktree.txt Merge branch 'pw/worktree-list-with-z' 2022-04-04 10:56:25 -07:00
git-write-tree.txt
git.txt cli: add -v and -h shorthands 2022-03-31 15:57:10 -07:00
gitattributes.txt userdiff: add builtin diff driver for kotlin language. 2022-03-12 18:15:47 -08:00
gitcli.txt git-cli.txt: clarify "options first and then args" 2022-01-17 11:42:25 -08:00
gitcore-tutorial.txt
gitcredentials.txt doc: uniformize <URL> placeholders' case 2021-11-09 09:39:11 -08:00
gitcvs-migration.txt
gitdiffcore.txt
giteveryday.txt
gitfaq.txt
gitglossary.txt
githooks.txt hook: add 'run' subcommand 2022-01-07 15:19:34 -08:00
gitignore.txt gitignore.txt: change "folder" to "directory" 2021-10-25 11:06:56 -07:00
gitk.txt
gitmailmap.txt
gitmodules.txt
gitnamespaces.txt
gitremote-helpers.txt
gitrepository-layout.txt
gitrevisions.txt
gitsubmodules.txt doc: uniformize <URL> placeholders' case 2021-11-09 09:39:11 -08:00
gittutorial-2.txt
gittutorial.txt
gitweb.conf.txt
gitweb.txt gitweb.txt: change "folder" to "directory" 2021-10-25 11:06:57 -07:00
gitworkflows.txt doc: uniformize <URL> placeholders' case 2021-11-09 09:39:11 -08:00
glossary-content.txt glossary: describe "worktree" 2022-02-09 18:34:41 -08:00
howto-index.sh
i18n.txt
install-doc-quick.sh
install-webdoc.sh
line-range-format.txt
line-range-options.txt
lint-gitlink.perl doc lint: make "lint-docs" non-.PHONY 2021-10-15 10:29:11 -07:00
lint-man-end-blurb.perl doc lint: emit errors on STDERR 2021-10-15 10:16:57 -07:00
lint-man-section-order.perl doc lint: emit errors on STDERR 2021-10-15 10:16:57 -07:00
manpage-base-url.xsl.in
manpage-bold-literal.xsl
manpage-normal.xsl
manpage-quote-apos.xsl
manpage.xsl
merge-options.txt Document positive variant of commit and merge option "--no-verify" 2021-10-29 11:22:56 -07:00
merge-strategies.txt
object-format-disclaimer.txt
pretty-formats.txt Merge branch 'es/pretty-describe-more' 2021-12-15 09:39:48 -08:00
pretty-options.txt log: document --encoding behavior on iconv() failure 2021-10-29 14:35:59 -07:00
pull-fetch-param.txt
ref-reachability-filters.txt
rev-list-description.txt
rev-list-options.txt log: "--since-as-filter" option is a non-terminating "--since" variant 2022-04-23 09:36:07 -07:00
revisions.txt Merge branch 'tk/rev-parse-doc-clarify-at-u' 2022-07-13 14:54:55 -07:00
sequencer.txt
signoff-option.txt
texi.xsl
trace2-target-values.txt
transfer-data-leaks.txt
urls-remotes.txt doc: uniformize <URL> placeholders' case 2021-11-09 09:39:11 -08:00
urls.txt
user-manual.conf
user-manual.txt