This Git security error occurs when the repository owner differs from the user running Git commands. Added in Git 2.35.2 to address CVE-2022-24765, it prevents arbitrary code execution via malicious Git hooks.
Starting with Git version 2.35.2, Git performs an ownership check before executing commands in a repository. If the user running a Git command is different from the user who owns the `.git` directory, Git refuses to operate and displays this "dubious ownership" error. This security measure was introduced to address CVE-2022-24765, a vulnerability that could allow arbitrary code execution on multi-user systems.

The attack vector works as follows: an attacker could create a malicious `.git` directory in a shared location (like `C:\.git` on Windows or `/tmp` on Linux). When an unsuspecting user navigates to that directory and runs any Git command, or even just has a Git-aware shell prompt, Git hooks in the malicious repository could execute arbitrary code with that user's privileges.

This check is especially important in CI/CD pipelines, Docker containers, and shared development environments where files may be owned by different users than the one executing commands. While the error may seem inconvenient, it protects against a serious class of privilege escalation attacks.
First, check who owns the repository and who is running the command:

```bash
# Check repository owner
ls -la /path/to/repo/.git
# Check current user
whoami
id
```

The owner shown by `ls` should match your current user. If they differ, you've confirmed the ownership mismatch.
The most common fix is to tell Git to trust this specific repository:

```bash
# Add specific repository to safe list
git config --global --add safe.directory /path/to/repo
```

Replace `/path/to/repo` with the actual absolute path shown in the error message.

For Windows users, use forward slashes and the full path:

```bash
git config --global --add safe.directory C:/Users/username/project
```

Important: Use the exact path from the error message. Git resolves paths canonically, so relative paths or paths with symlinks may not match.
If possible, change the repository ownership to match your user. This is the most secure solution:

On Linux/macOS:

```bash
# Change ownership of the entire repository
sudo chown -R $(id -u):$(id -g) /path/to/repo
```

On Windows (run as Administrator):

```cmd
takeown /F C:\path\to\repo /R /D Y
icacls C:\path\to\repo /grant %USERNAME%:F /T
```

This is safer than marking the directory as safe because it eliminates the ownership discrepancy entirely.
If you're on a single-user machine and understand the security implications, you can disable this check entirely:
```bash
git config --global --add safe.directory '*'
```

Warning: This trusts ALL repositories on your system, including potentially malicious ones. Only use this on:
- Personal development machines you fully control
- Dedicated CI runners with no shared access
- Containers with no access to untrusted repositories
For CI/CD environments, use the `--system` flag instead of `--global`:

```bash
git config --system --add safe.directory '*'
```

GitHub Actions example:

```yaml
- name: Trust repository
  run: git config --global --add safe.directory ${{ github.workspace }}
```

GitLab CI example:

```yaml
before_script:
  - git config --global --add safe.directory "$CI_PROJECT_DIR"
```

For container-based runners, you may need to add this to the container's global Git config.
When running Git in Docker with mounted volumes, ownership often differs between host and container:

Option 1: Match the container user to the host user:

```bash
docker run --user $(id -u):$(id -g) -v /path/to/repo:/repo myimage
```

Option 2: Add `safe.directory` in your Dockerfile or entrypoint:

```dockerfile
RUN git config --system --add safe.directory '*'
```

Option 3: Set `GIT_CEILING_DIRECTORIES` to limit how far up Git searches for a repository (for specific cases):

```bash
docker run -e GIT_CEILING_DIRECTORIES=/repo -v /path/to/repo:/repo myimage
```

After applying your chosen fix, verify that Git commands work:
```bash
# Should no longer show the error
cd /path/to/repo
git status
# View your safe.directory settings
git config --show-origin --get-all safe.directory
```

If you need to remove a `safe.directory` entry later:

```bash
# Remove specific entry
git config --global --unset safe.directory /path/to/repo
# Remove all entries
git config --global --unset-all safe.directory
```

### Understanding CVE-2022-24765
This vulnerability (CVSS score 9.8 - Critical) exploits how Git searches for a `.git` directory. Before the fix, Git would traverse up the directory tree looking for a repository, which could lead it to find an attacker-placed `.git` directory in a parent path like `C:\.git` on Windows or in shared directories like `/tmp` on Linux.
Malicious Git hooks (like `pre-auto-gc` or `post-checkout`) in such directories could execute arbitrary code when a victim:
- Runs any Git command
- Opens the directory in a Git-aware IDE (VS Code, IntelliJ)
- Uses a shell prompt that calls git status (Oh My Zsh, posh-git, starship)
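
To see which repository would be picked up from a given working directory, and whether it belongs to you, the upward search described above can be approximated in shell. This is an added example, not code from the original article or from Git; the function names are hypothetical, and the walk ignores `GIT_DIR`, `GIT_CEILING_DIRECTORIES` and filesystem boundaries.

```shell
#!/bin/sh
# Added example: approximate Git's upward search for a repository and compare
# the owner of what it finds with a uid. Function names are hypothetical.

# Numeric owner uid of a path, parsed from `ls -ldn` for portability.
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# Walk from directory $1 towards / and print the first directory that
# contains a .git entry. Returns 1 when no such directory exists.
find_enclosing_repo() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    while :; do
        if [ -e "$dir/.git" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

# Report on the repository found from directory $1.
# $2 is the uid to compare against (defaults to the current user).
# Prints "none", "ok <repo>" or "mismatch <path> owner=<uid>" (status 2).
check_discovery() {
    me=${2:-$(id -u)}
    repo=$(find_enclosing_repo "$1") || { echo "none"; return 0; }
    for p in "$repo" "$repo/.git"; do
        owner=$(owner_uid "$p")
        if [ "$owner" != "$me" ]; then
            echo "mismatch $p owner=$owner"
            return 2
        fi
    done
    echo "ok $repo"
}
```

Running `check_discovery "$PWD"` in a shared location such as `/tmp` shows whether a `.git` entry in a parent directory, owned by someone else, would be the repository found from there.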
### WSL (Windows Subsystem for Linux) Considerations
WSL accessing Windows filesystem paths often triggers this error because files appear owned by root or a different user. Common fixes:

```bash
# Add Windows paths to safe.directory
git config --global --add safe.directory /mnt/c/Users/YourName/project
# Or trust all Windows paths (use carefully)
git config --global --add safe.directory '/mnt/c/*'
```

For better performance and ownership consistency, consider cloning repositories into the Linux filesystem (`/home/user/`) instead of the Windows filesystem (`/mnt/c/`).
### Related Vulnerability: CVE-2022-29187
Git 2.37.1 addressed a follow-up vulnerability where the ownership check could be bypassed when running as root. If you're running Git as root on shared systems, ensure you're on Git 2.37.1 or later.
### When NOT to Use safe.directory
Avoid using safe.directory '*' on:
- Multi-user systems where you don't trust all users
- Production servers with shared access
- Any system where untrusted users can create directories
In these environments, either fix ownership or add only specific trusted paths.
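
To check a machine for the broad entries this section warns about, the output of `git config --show-origin --get-all safe.directory` can be filtered for wildcards. This is an added example, not part of the original article; the function names and the sample lines are constructed, and it relies on Git's documented behavior that an empty `safe.directory` value resets the entries listed before it.

```shell
#!/bin/sh
# Added example: classify safe.directory entries. Input is the format printed
# by `git config --show-origin --get-all safe.directory`: origin, tab, value.

# Constructed sample: a system-wide '*' that the user's config resets with an
# empty value before listing one path and one subtree wildcard.
sample_entries() {
    printf 'file:/etc/gitconfig\t*\n'
    printf 'file:/home/dev/.gitconfig\t\n'
    printf 'file:/home/dev/.gitconfig\t/srv/build/app\n'
    printf 'file:/home/dev/.gitconfig\t/mnt/c/*\n'
}

# Read entries on stdin and print the effective list as
# "LEVEL<TAB>origin<TAB>value", where LEVEL is OK, TRUST-SUBTREE or TRUST-ALL.
audit_safe_directory() {
    awk -F '\t' '
        $2 == "" { n = 0; next }    # empty value discards earlier entries
        { origin[++n] = $1; value[n] = $2 }
        END {
            for (i = 1; i <= n; i++) {
                level = "OK"
                if (value[i] == "*") level = "TRUST-ALL"
                else if (value[i] ~ /\/\*$/) level = "TRUST-SUBTREE"
                printf "%s\t%s\t%s\n", level, origin[i], value[i]
            }
        }'
}

# Usage on a real system:
#   git config --show-origin --get-all safe.directory | audit_safe_directory
```

On the constructed sample, the system-wide `*` is dropped by the reset and only the `/mnt/c/*` entry is flagged.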