Git repositories inside dev containers on git >= 2.35.2 are always reported as unsafe #7628

Closed
joaomoreno opened this issue Dec 2, 2022 · 12 comments
Labels
bug Issue identified by VS Code Team member as probable bug containers Issue in vscode-remote containers verified Verification succeeded

@joaomoreno
Member

  • VSCode Version: 1.74.0-insider 493a541735b84de36b628750ba716a430669cb7f
  • Local OS Version: Windows 11
  • Remote OS Version: Linux 5.10.102.1-microsoft-standard-WSL2
  • Remote Extension/Connection Type: Containers

Steps to Reproduce:

  1. Create a new dev container from Miniconda (Python 3) on a folder with a git repo; it should pick up git version >= 2.35.2
  2. Reopen folder in that container

🐛 The git extension kicks in since git can't trust that repository due to the new git vulnerability fix.

IMO Remote Containers should automatically add the following to the copied .gitconfig:

[safe]
	directory = /workspaces/WORKSPACENAME
@joaomoreno
Member Author

Previously suggested in #6810 (comment)

@joaomoreno
Member Author

joaomoreno commented Dec 2, 2022

The specific command that fixes it is:

git config --global --add safe.directory /workspaces/WORKSPACE

One could add that to the postCreateCommand, but that would prevent the global .gitconfig from being copied.

One could add that to the postStartCommand, but that will still make the git extension show an error while the container is being built:

image

There's no clear winner workaround here.

@chrmarti chrmarti added bug Issue identified by VS Code Team member as probable bug containers Issue in vscode-remote containers labels Dec 2, 2022
@chrmarti chrmarti added this to the December 2022 milestone Dec 2, 2022
@chrmarti
Contributor

chrmarti commented Dec 2, 2022

Documentation suggests that this should only trigger when the folder's owner is different from the current user. I wonder if we might reintroduce the vulnerability this is fixing if we automatically add the folder as a safe.directory.

@joaomoreno
Member Author

There's an argument somewhere around this suggestion being specific to dev containers and their inherent strange permission conventions.

@chrmarti
Contributor

chrmarti commented Dec 5, 2022

Could you run ls -lad . .. .git inside the container? Did you run git clone locally and then reopen in a devcontainer?

I would like to better understand how this was set up. (Detailed steps would be best.)

@joaomoreno
Member Author

More detailed steps:

  1. In Windows, create a new folder
  2. Open it in VS Code
  3. Run Git: Initialize Repository to initialize a new git repo
  4. Run Dev Containers: Reopen in Container
  5. Pick the Miniconda (Python 3) template

🐛 Once the workspace opens and the git extension activates, it will show the error

@trullock

trullock commented Jan 3, 2023

This is a real problem for me,

is

git config --global --add safe.directory /workspaces/WORKSPACE

the workaround?

@orthodoX

orthodoX commented Jan 5, 2023

@trullock As mentioned here, this is the more universal command:

 "postStartCommand": "git config --global --add safe.directory ${containerWorkspaceFolder}"

@brianbucketlist

Also having this issue, and I believe it causes the .gitconfig not to copy into my devcontainer.

I'm running WSL2 Ubuntu 20.04

@chrmarti
Contributor

I'm adding a fix to the single container case (Docker Compose case needs more investigation) where the repository root folder is added as a safe directory in the container if the current user in the container is not the same as the owner of the repository root folder and on the local machine the current user and the owner of the repository root folder are the same.

This is available in Dev Containers 0.274.0-pre-release. Will open a new issue to investigate adding this for Docker Compose setups too.
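The condition described in the comment above, sketched as an added example (not part of the thread and not the Dev Containers extension's code): the workspace path is registered as a `safe.directory` only when the container sees an ownership mismatch and the local machine reports that the user owns the folder. `HOST_UID` and `HOST_OWNER_UID` are hypothetical variables assumed to carry the local-machine values into the container; all function names are illustrative.

```shell
#!/bin/sh
# Added example: conditional safe.directory registration for a dev container.

# Numeric owner uid of a path, parsed from `ls -ldn` (POSIX; no GNU stat needed).
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# Decide whether the repository root may be trusted.
#   $1 uid of the current user inside the container
#   $2 uid owning the repository root as seen inside the container
#   $3 uid of the current user on the local machine
#   $4 uid owning the repository root on the local machine
# Succeeds only when the container reports a mismatch AND the local
# machine reports that the user owns the folder.
should_trust() {
    [ "$1" != "$2" ] && [ "$3" = "$4" ]
}

# Register one exact absolute path in safe.directory, at most once.
# Relative paths and the "*" wildcard are rejected.
# HOST_UID / HOST_OWNER_UID are assumed to be supplied from the local side.
trust_repo_root() {
    repo=$1
    case $repo in
        /*) ;;
        *) echo "refusing non-absolute path: $repo" >&2; return 2 ;;
    esac
    if ! should_trust "$(id -u)" "$(owner_uid "$repo")" \
                      "$HOST_UID" "$HOST_OWNER_UID"; then
        echo "leaving safe.directory unchanged for $repo" >&2
        return 1
    fi
    # Skip when this exact path is already listed, so ~/.gitconfig
    # does not accumulate duplicate entries on every container start.
    if git config --global --get-all safe.directory | grep -Fxq -- "$repo"; then
        return 0
    fi
    git config --global --add safe.directory "$repo"
}
```

When the container user already owns the folder, or the local-side ownership cannot be confirmed, git's ownership check stays in force for that path.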

@trullock

Brilliant, thank you

@joaomoreno joaomoreno added the verified Verification succeeded label Jan 27, 2023
@paulfouquet

paulfouquet commented Mar 2, 2023

@chrmarti would you please be able to link a pull request about this change? I still have the issue using pre-release version v0.283.0:

(gdal-py3.10) root@dd5efa6807fc:/workspaces/topo-imagery# git status
fatal: detected dubious ownership in repository at '/workspaces/topo-imagery'
To add an exception for this directory, call:

        git config --global --add safe.directory /workspaces/topo-imagery

@github-actions github-actions bot locked and limited conversation to collaborators Mar 13, 2023

6 participants