Bug report incorrectly originally posted in the forum as When --git-dir is not in --work-tree.
Simple test case:
joey@darkstar:~/src/git-annex>cd /tmp
joey@darkstar:/tmp>mkdir foo
joey@darkstar:/tmp>cd foo
joey@darkstar:/tmp/foo>git --git-dir=`pwd`/.dotfiles --work-tree=`pwd` init
Initialized empty Git repository in /tmp/foo/.dotfiles/
joey@darkstar:/tmp/foo>git --git-dir=`pwd`/.dotfiles --work-tree=`pwd` annex init
init
git-annex: Git refuses to operate in this repository,
probably because it is owned by someone else.
To add an exception for this directory, call:
git config --global --add safe.directory /tmp/foo
failed
And --debug shows:
[2022-09-20 14:17:56.238686901] (Utility.Process) process [1284622] read: git ["config","--local","--list"]
[2022-09-20 14:17:56.240836887] (Utility.Process) process [1284622] done ExitFailure 128
[2022-09-20 14:17:56.24107763] (Git.Config) config output: fatal: --local can only be used inside a git repository
So passing --git-dir to that command will make it succeeed. The problem though is that passing --git-dir to that command also bypasses git's fix for CVE-2022-24765. The command would even succeed if the directory were owned by someone else then.
joey@darkstar:/tmp/foo>sudo chown -R root.root .
[sudo] password for joey:
joey@darkstar:/tmp/foo>git --git-dir=`pwd`/.dotfiles config --local --list
core.repositoryformatversion=0
core.filemode=true
core.bare=false
core.logallrefupdates=true
core.worktree=/tmp/foo
joey@darkstar:/tmp/foo>git config --local --list
fatal: --local can only be used inside a git repository
But, if the user runs git-annex with an explicit --git-dir, it's actually ok for git-annex to bypass the CVE-2022-24765 check. Because --git-dir actually bypasses that check.
So, the fix for this seems like it will involve it remembering
when the git repo was originally specified using --git-dir (or GIT_DIR
),
and if so, guardSafeToUseRepo can skip the check, or pass --git-dir to
git config --local --list
.