github-starred/gitea
2
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-03-13 02:57:44 -05:00
Code Issues 2.6k Packages Projects Releases 100 Wiki Activity

gitea and read-only filsystems #5534

New Issue
Closed
opened 2025-11-02 06:28:05 -06:00 by GiteaMirror · 19 comments
GiteaMirror commented 2025-11-02 06:28:05 -06:00
Owner
Copy Link

Originally created by @micheelengronne on GitHub (Jun 11, 2020).

Gitea wants to modify files even if they are present and with the content gitea wants to put in.

Therefore, Gitea breaks on read-only filesystems (like an hardened docker container.)

My problem is simple.

This method wants to modify a .gitconfig file:

9a2e47b23a/modules/git/git.go (L109)

It runs even if the .gitconfig file exists with the correct content.

Is it possible to stop that behaviour ?

Thanks.

Originally created by @micheelengronne on GitHub (Jun 11, 2020). Gitea wants to modify files even if they are present and with the content gitea wants to put in. Therefore, Gitea breaks on read-only filesystems (like an hardened docker container.) My problem is simple. This method wants to modify a `.gitconfig` file: https://github.com/go-gitea/gitea/blob/9a2e47b23a6d460acfce9b1b77e6f9fb06ca1b75/modules/git/git.go#L109 It runs even if the `.gitconfig` file exists with the correct content. Is it possible to stop that behaviour ? Thanks.
GiteaMirror added the type/enhancement label 2025-11-02 06:28:05 -06:00
GiteaMirror commented 2025-11-02 06:28:06 -06:00
Author
Owner
Copy Link

@CirnoT commented on GitHub (Jun 11, 2020):

We rely on git config --global to make changes to Git config file

@CirnoT commented on GitHub (Jun 11, 2020): We rely on `git config --global` to make changes to Git config file
GiteaMirror commented 2025-11-02 06:28:06 -06:00
Author
Owner
Copy Link

@micheelengronne commented on GitHub (Jun 11, 2020):

Yes, but can we disable this method when the file already exists ?

@micheelengronne commented on GitHub (Jun 11, 2020): Yes, but can we disable this method when the file already exists ?
GiteaMirror commented 2025-11-02 06:28:06 -06:00
Author
Owner
Copy Link

@zeripath commented on GitHub (Jun 11, 2020):

Just set the HOME environment variable as appropriate to somewhere that can be changed.

@zeripath commented on GitHub (Jun 11, 2020): Just set the HOME environment variable as appropriate to somewhere that can be changed.
GiteaMirror commented 2025-11-02 06:28:06 -06:00
Author
Owner
Copy Link

@CirnoT commented on GitHub (Jun 11, 2020):

Yes, but can we disable this method when the file already exists ?

No, because we don't know whether correct values are set or not. The fact that file exists tells us nothing. The .gitconfig is supposed to be writable should new version introduce some new config to be set there.

@CirnoT commented on GitHub (Jun 11, 2020): >Yes, but can we disable this method when the file already exists ? No, because we don't know whether correct values are set or not. The fact that file exists tells us nothing. The `.gitconfig` is supposed to be writable should new version introduce some new config to be set there.
GiteaMirror commented 2025-11-02 06:28:06 -06:00
Author
Owner
Copy Link

@micheelengronne commented on GitHub (Jun 11, 2020):

My usecase happens in a container environment. A new version is introduced by creating a new container image, not updating the existing one.

@micheelengronne commented on GitHub (Jun 11, 2020): My usecase happens in a container environment. A new version is introduced by creating a new container image, not updating the existing one.
GiteaMirror commented 2025-11-02 06:28:06 -06:00
Author
Owner
Copy Link

@micheelengronne commented on GitHub (Jun 12, 2020):

I tried to do an init container that sets everything and a container with gitea web but still the gitea web cli wants to use this method.

It is a security issue as it forces to use a read-write filesystem for just a file that can easily be commmited in a git.

Can we, at least, have an option to use gitea web and other production-running state commands in a read-only filesystem ?

@micheelengronne commented on GitHub (Jun 12, 2020): I tried to do an init container that sets everything and a container with `gitea web` but still the `gitea web` cli wants to use this method. It is a security issue as it forces to use a read-write filesystem for just a file that can easily be commmited in a git. Can we, at least, have an option to use `gitea web` and other production-running state commands in a read-only filesystem ?
GiteaMirror commented 2025-11-02 06:28:07 -06:00
Author
Owner
Copy Link

@zeripath commented on GitHub (Jun 12, 2020):

@micheelengronne have you set the HOME environment variable appropriately?

@zeripath commented on GitHub (Jun 12, 2020): @micheelengronne have you set the HOME environment variable appropriately?
GiteaMirror commented 2025-11-02 06:28:07 -06:00
Author
Owner
Copy Link

@micheelengronne commented on GitHub (Jun 12, 2020):

Changing the HOME variable is not a solution either. In an immutable hardened container, only data should change, nothing else.

@micheelengronne commented on GitHub (Jun 12, 2020): Changing the `HOME` variable is not a solution either. In an immutable hardened container, only data should change, nothing else.
GiteaMirror commented 2025-11-02 06:28:08 -06:00
Author
Owner
Copy Link

@micheelengronne commented on GitHub (Jun 12, 2020):

So, what can change is the content of ROOT according to the config cheat sheet.

@micheelengronne commented on GitHub (Jun 12, 2020): So, what can change is the content of `ROOT` according to the [config cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/).
GiteaMirror commented 2025-11-02 06:28:08 -06:00
Author
Owner
Copy Link

@micheelengronne commented on GitHub (Jun 12, 2020):

I am sorry to be strict on that. But this is an absolute condition to make gitea run in security hardened infrastructures. Containers must work with read-only FS and read-only configurations and secrets.

@micheelengronne commented on GitHub (Jun 12, 2020): I am sorry to be strict on that. But this is an absolute condition to make gitea run in security hardened infrastructures. Containers must work with read-only FS and read-only configurations and secrets.
GiteaMirror commented 2025-11-02 06:28:09 -06:00
Author
Owner
Copy Link

@zeripath commented on GitHub (Jun 12, 2020):

Right the issue is that Git is making the change to the file.

We are limited in how we can tell Git to look for its .gitconfig.

Git uses HOME to determine the global gitconfig which we use to set various global settings and to look up various things.

So I ask again, have you tried setting the HOME variable to a mutable place?

@zeripath commented on GitHub (Jun 12, 2020): Right the issue is that Git is making the change to the file. We are limited in how we can tell Git to look for its .gitconfig. Git uses HOME to determine the global gitconfig which we use to set various global settings and to look up various things. So I ask again, have you tried setting the HOME variable to a mutable place?
GiteaMirror commented 2025-11-02 06:28:09 -06:00
Author
Owner
Copy Link

@zeripath commented on GitHub (Jun 12, 2020):

If that works then can consider if there is a place for using ROOT to artificially change the HOME for git etc. but without knowing that then we're likely leading down a blind alley and we might have to think about if we need to set things a different way eg. through the default args system

@zeripath commented on GitHub (Jun 12, 2020): If that works then can consider if there is a place for using ROOT to artificially change the HOME for git etc. but without knowing that then we're likely leading down a blind alley and we might have to think about if we need to set things a different way eg. through the default args system
GiteaMirror commented 2025-11-02 06:28:09 -06:00
Author
Owner
Copy Link

@micheelengronne commented on GitHub (Jun 12, 2020):

To be sure we talk about the same thing. If I move HOME, I move my user directory, right ? So, I move all configurations in it ?

Did I understand correctly ?

In that way, configurations are not immutables and that will not pass hardened security tests.

Why can't we have a way to include a .gitconfig file containing the same content and for the method to check if the file exists with the correct content prior to create it ?

@micheelengronne commented on GitHub (Jun 12, 2020): To be sure we talk about the same thing. If I move `HOME`, I move my user directory, right ? So, I move all configurations in it ? Did I understand correctly ? In that way, configurations are not immutables and that will not pass hardened security tests. Why can't we have a way to include a `.gitconfig` file containing the same content and for the method to check if the file exists with the correct content prior to create it ?
GiteaMirror commented 2025-11-02 06:28:09 -06:00
Author
Owner
Copy Link

@zeripath commented on GitHub (Jun 12, 2020):

No I mean just set the HOME environment variable when you run gitea

@zeripath commented on GitHub (Jun 12, 2020): No I mean just set the HOME environment variable when you run gitea
GiteaMirror commented 2025-11-02 06:28:10 -06:00
Author
Owner
Copy Link

@micheelengronne commented on GitHub (Jun 12, 2020):

But that will screw up my user directory.

For instance, my user is git. I put this file content in /home/git/.gitconfig.

[user]
	name = Gitea
	email = gitea@fake.local
[core]
	quotepath = false
	commitGraph = true
[gc]
	writeCommitGraph = true

Then the init method should not try to write this file.

Do you suggest, I move HOME to /home/git/mutable and make this directory writable ?

If it works that's better than nothing but that will still break the security hardening check as .gitconfig is also a configuration file.

I try.

@micheelengronne commented on GitHub (Jun 12, 2020): But that will screw up my user directory. For instance, my user is `git`. I put this file content in `/home/git/.gitconfig`. ``` [user] name = Gitea email = gitea@fake.local [core] quotepath = false commitGraph = true [gc] writeCommitGraph = true ``` Then the init method should not try to write this file. Do you suggest, I move `HOME` to `/home/git/mutable` and make this directory writable ? If it works that's better than nothing but that will still break the security hardening check as `.gitconfig` is also a configuration file. I try.
GiteaMirror commented 2025-11-02 06:28:10 -06:00
Author
Owner
Copy Link

@micheelengronne commented on GitHub (Jun 12, 2020):

That works but that's not really the best solution. It would be far better to test if the file exists with the correct values before trying to create it.

If a gitea update occurs that change the file content, the CI job that creates the docker (podman) image would break so future compatibilities would be ensured by that way.

@micheelengronne commented on GitHub (Jun 12, 2020): That works but that's not really the best solution. It would be far better to test if the file exists with the correct values before trying to create it. If a gitea update occurs that change the file content, the CI job that creates the docker (podman) image would break so future compatibilities would be ensured by that way.
GiteaMirror commented 2025-11-02 06:28:10 -06:00
Author
Owner
Copy Link

@micheelengronne commented on GitHub (Jun 12, 2020):

BTW, the 2 first git executions do what I think is the correct way to do. 83e9ac57a1/modules/git/git.go (L112)

They check if the values exist and they are the same than the ones provided and they execute the git command if one of these assertions is false.

The problem is for these lines:

83e9ac57a1/modules/git/git.go (L126)

83e9ac57a1/modules/git/git.go (L132)

83e9ac57a1/modules/git/git.go (L137)

They do not check so they always try to write.

I am not fluent enough in go to do it myself right now.

@micheelengronne commented on GitHub (Jun 12, 2020): BTW, the 2 first git executions do what I think is the correct way to do. https://github.com/go-gitea/gitea/blob/83e9ac57a116be910ca3fb0c2b33f64ffae0dc3e/modules/git/git.go#L112 They check if the values exist and they are the same than the ones provided and they execute the git command if one of these assertions is false. The problem is for these lines: https://github.com/go-gitea/gitea/blob/83e9ac57a116be910ca3fb0c2b33f64ffae0dc3e/modules/git/git.go#L126 https://github.com/go-gitea/gitea/blob/83e9ac57a116be910ca3fb0c2b33f64ffae0dc3e/modules/git/git.go#L132 https://github.com/go-gitea/gitea/blob/83e9ac57a116be910ca3fb0c2b33f64ffae0dc3e/modules/git/git.go#L137 They do not check so they always try to write. I am not fluent enough in go to do it myself right now.
GiteaMirror commented 2025-11-02 06:28:10 -06:00
Author
Owner
Copy Link

@zeripath commented on GitHub (Jun 13, 2020):

So any configuration in $HOME/.gitconfig can be overridden by a repository's local "project" git config ($GITEA_REPOSITORIES/owner/name.git/config) including in particular diff.tool. Gitea needs to be able to change these config files in order to manage mirrors and remotes amongst other things - and we regularly create temporary repositories which git gives a local project config. I'm not saying that we shouldn't make changing $HOME/.gitconfig unnecessary - but unless you can get to the point that these local project config files are controllable or removable - which I haven't been able to find a way of doing - locking down the $HOME/.gitconfig is of very limited use. $HOME/.gitconfig is the GLOBAL config only in that it provides defaults to the local project git configs - it cannot and does not override local project git config.

@zeripath commented on GitHub (Jun 13, 2020): So any configuration in `$HOME/.gitconfig` can be overridden by a repository's local "project" git config (`$GITEA_REPOSITORIES/owner/name.git/config`) including in particular `diff.tool`. Gitea needs to be able to change these config files in order to manage mirrors and remotes amongst other things - and we regularly create temporary repositories which git gives a local project config. I'm not saying that we shouldn't make changing `$HOME/.gitconfig` unnecessary - but unless you can get to the point that these local project config files are controllable or removable - which I haven't been able to find a way of doing - locking down the `$HOME/.gitconfig` is of very limited use. `$HOME/.gitconfig` is the GLOBAL config only in that it provides defaults to the local project git configs - it cannot and does not override local project git config.
GiteaMirror commented 2025-11-02 06:28:11 -06:00
Author
Owner
Copy Link

@micheelengronne commented on GitHub (Jun 15, 2020):

I know that. But that was not the point. Anyway, thanks for the commit.

@micheelengronne commented on GitHub (Jun 15, 2020): I know that. But that was not the point. Anyway, thanks for the commit.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
Mirrored from GitHub Pull Request
 reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
No Label type/enhancement
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#5534
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?