Page MenuHomePhabricator
Create Task
Maniphest T259977

Document the security reasons for mounting .git as read-only
Open, LowPublic
Actions

Description

Imported from GitHub issue wikimedia/fresh#6.

Original task written on 16 Sep 2019 by @Krinkle:

Escalation of rights by having an npm script add a shell script to .git/hooks which survives the container and would not should up in "git status" and would execute on the host machine (outside the container) on future git commands like git commit or git pull.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Fresh: document security reason for read-only .git mountfreshmaster+4 -0
Customize query in gerrit

Related Objects

Event Timeline

Krinkle created this task.Aug 8 2020, 3:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 8 2020, 3:03 PM
Krinkle triaged this task as Medium priority.Aug 8 2020, 3:03 PM
Legoktm subscribed.Dec 29 2020, 4:58 AM

In addition to writing to .git/hooks, you could also add malicious commits to a git repository that doesn't go through code review.

Krinkle added a comment.Sep 3 2021, 8:24 PM

Ref T290074: Users should run explicit commands to materialize schema versions, rather than using magic git hooks

Restricted Application added a project: Performance-Team. · View Herald TranscriptSep 3 2021, 8:24 PM
Krinkle moved this task from Inbox, needs triage to Backlog: Maintenance, non-prioritized on the Performance-Team board.Sep 3 2021, 8:24 PM
Krinkle claimed this task.Sep 11 2021, 10:44 PM
Krinkle lowered the priority of this task from Medium to Low.Sep 19 2022, 5:55 PM
Krinkle removed Krinkle as the assignee of this task.Jan 22 2023, 10:25 PM
Krinkle added a project: good first task.
Krinkle mentioned this in T319532: fresnel "before" and "after" recordings unexpectedly share state.Jan 22 2023, 10:28 PM
larissagaulia moved this task from Backlog: Maintenance, non-prioritized to To-do: Goals, prioritized next 4 Quarters on the Performance-Team board.Jan 23 2023, 9:11 AM
Krinkle moved this task from To-do: Goals, prioritized next 4 Quarters to Backlog: Future Goals, non-prioritized on the Performance-Team board.Jun 15 2023, 5:30 PM
Krinkle removed a project: Performance-Team.Aug 17 2023, 1:36 PM
Krinkle added a subscriber: hashar.
Codeurluce claimed this task.Jan 16 2026, 3:26 PM
gerritbot added a comment.Jan 16 2026, 3:29 PM

Change #1227822 had a related patch set uploaded (by Codeurluce; author: Codeurluce):

[fresh@master] Fresh: document security reason for read-only .git mount

https://gerrit.wikimedia.org/r/1227822

gerritbot added a project: Patch-For-Review.Jan 16 2026, 3:29 PM
Codeurluce added a comment.EditedJan 16 2026, 3:31 PM

Hello,

Patch submitted: https://gerrit.wikimedia.org/r/c/fresh/+/1227822

This adds a "Security" section to the README explaining why .git is mounted as read-only.

Aklapper added a comment.Jan 16 2026, 9:40 PM

@Codeurluce: Hi, no need to duplicate notifications; see the notifications 2 minutes earlier here. Thanks!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits