fatal: unsafe repository ('/home/repon' is owned by someone else)

I found error log from apache2 that is fatal: unsafe repository ('/home/repon' is owned by someone else) It because I have 'git rev-parse --symbolic-full-name --abbrev-ref HEAD' in PHP code and looks like new git safety change(https://github.blog/2022-04-12-git-security-vulnerability-announced/) no longer allows www-data run this git command, git config --global --add safe.directory /homerepon does not work, anyone have workaround here to solve this issue? git version: 2.35.3 php version: 7.4 apache2 version: 2.4.41

This started appearing with the release of the git 2.35.2 security update which fixes vulnerabilities described here. credits @Juan-Kabbali

Here are 4 possible solutions:

• trust git directory (do it if you know the directory contents are safe)

git config --global --add safe.directory /home/repon

This adds to ~/.gitconfig the safe group as shown in this example

[safe]
	directory = /home/repon

• run the command as the correct user, for example:

sudo -u ubuntu -- git status

Note: This requires user www-data to have permission to execute the git command as user ubuntu (assuming ubuntu is the repository owner). For this to work, you will need to add a new file inside /etc/sudoers.d/ with the following contents:

www-data ALL=(ubuntu) NOPASSWD: /usr/bin/git

This may have security implications so refer to your security guy first.

• change git repository owner to www-data

sudo chown -R www-data:www-data /home/repon

• downgrade git as a temporary solution. For example in Ubuntu:

apt install git-man=1:2.17.0-1ubuntu1 git=1:2.17.0-1ubuntu1

Note: At least on Windows, it appears that all git repositories on ejectable drives are considered unsafe and changing ownership does not seem to work.

For Windows I had to do the following:

1. Right click on the git repository folder on which the error occurs
2. Select the security tab, then choose extended (left picture: press "Erweitert")
3. Check the owner properties (right picture: "Besitzer") in the top area of the new opened window and adapt it (right picture: press "Ändern"), this must be your working Windows account
4. Press OK and wait until rights have been set, then the Git error message should be history

This solution works also if you move or rename the directory afterwards. In my opinion you should prefer this solution over

git config --global --add safe.directory <repo-path>

which you have to do each time where you perform changes on the directory name. You can also adapt manually the .gitconfig file in

C:\Users\<username>\.gitconfig

once you added to the safe list.

This is because of the git safe update.

To make Git trust any directory you can run this in powershell:

git config --global --add safe.directory *

In bash you should escape the * to avoid expansion:

git config --global --add safe.directory '*'

Support for * was only added in Git 2.36 as mentioned at: https://github.blog/2022-04-18-highlights-from-git-2-36/ and by genonymous in the comments.

If you just trust one directory, you can run this command

git config --global --add safe.directory your-directory

I had a similar issue - a web application that uses git could not access the repository.
Running the suggested command (git config --global --add safe.directory /repo/path) didn't work as well, because I ran it as 'me', not as 'www-data' user.
The solution was in fact really simple - I created .gitconfig file in /var/www directory (which is home for www-data user in my case) and put

[safe]
        directory = /repo/path

there.

None of the above solutions worked for me but changing the ownership of the repository did. I'm running Ubuntu 20.04.4 LTS and I ran the following command:

sudo chown -R username:group directory

As a part of automation, Our scenario involved invoking one script multiple times and we don't know the workspace upfront.

So, in our case, git config --global --add safe.directory * created multiple entries in ~/.gitconfig.

git config --global --replace-all safe.directory '*' helped us ensuring no duplicate entries.

I may be stating the obvious, but I think it's worth mentioning that running git config --global --add safe.directory /home/repon needs to done for the www-data user.

Problem 1: www-data's HOME directory is /var/www, so having a .gitconfig file there may be a security risk (divulging server paths / config).

Problem 2: with Apache/Ubuntu 20.04, the HOME environment variable is not defined by default (/etc/apache2/envvars unsets it) so the config is not getting picked-up (git config --global fails with fatal: $HOME not set).

I managed to fix the problem by adding the repository to git's system config, i.e. git config --system --add safe.directory /home/repon.

I had a similar problem, with Phabricator not being able to display the content of my repositories (git log failed because of the same reason as yours). I could not figure out which user was running the git command, so I could not come up with a proper solution, until I realized I could edit/create a global git config file for all users.

I created the file with: sudo vi /etc/gitconfig.

and put this inside:

[safe]
        directory = /home/opt/phabricator_repo/1
        directory = /home/opt/phabricator_repo/4
        directory = /home/opt/phabricator_repo/5

OS: Ubuntu 20.04

This happens if you have a different user who owned the directory. For example, your git repo is located in /var/www which is owned by www-data. Now, when you are signed-in/using a non-sudo user account and you go to /var/www to perform git actions such as > $ git branch

you will get this error so make sure you have appropriate directory permission. You can change the directory ownership by running CHOWN or add your current user to the group to which the directory owner belongs to

If you are on linux and prefer explicit allow-listing, you may achieve it manually by editing the Git config, (e.g. using nano or vim). Just put the folders allow-list into the [safe] section of the config file:

$ nano ~/.gitconfig

And here is a python script to prepare the allow-list:

from glob import glob

def println(my_list):
    print("\n".join(map(str, my_list)))

git_folders_list = sorted(glob("~/git/*", recursive=True))

println(["directory = " + d for d in git_folders_list])

I had this problem on windows with Sublime Merge, I was trying to apply some solutions mentioned here, they didn't work so I said: if the problem is with the folder I must create a new one, so copy and paste the project folder, delete the old one, rename the copy by the old name and that was it!. I guess this should work on linux too and when making the copy of the project folder it is created with the correct owner.

Changing the owner of the top level directory fixed it.

Running Laravel on a local Ubuntu LAMP stack, my setup includes the command

sudo chown -R www-data /var/www/dirname

But with www-data owning the dirname, git gave the above error. To fix it, I only had to change the owner of the top level dirname, and the .git directory:

sudo chown myUserName /var/www/dirname

sudo chown -R myUserName /var/www/dirname/.git