I can cheerfully confirm that I've absolutely never:
- received a git repo as an archive from someone, and then
- changed to root with "su" before unpacking it somewhere, such that
- the chosen location was above the home directory layer of a multi-user system.
- in such a way that one of the directories of the /path/to/home path has a .git/ subdirectory as a direct child, and not as an unpacked-tarball/.git grandchild which would not be accidentally found by git. I.e. that one of these directories exists, which might be found by someone running "git" in their home:
rather than the more likely:
which will not be found by someone running "git" in their home directory.
If I did such a thing, I'd care more about what happens when I happen to step on one of the malicious hooks in that repo as root, and less about what happens if users step on it.
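A check for the layout described in the comment above, added here as an example and not part of the original comment: it walks from a directory up to the filesystem root and reports every level that has `.git` as a direct child, with the owning uid. The function names and the constructed directory tree in `demo()` are assumptions; the walk is a simplified stand-in for git's own repository discovery.

```python
import os
import tempfile


def ancestor_git_dirs(start):
    """Return (directory, owner_uid) for `start` and each ancestor that has
    a `.git` entry as a direct child. A `.git` nested one level deeper
    (unpacked-tarball/.git) is never on this path, so it is not reported."""
    findings = []
    current = os.path.realpath(start)
    while True:
        candidate = os.path.join(current, ".git")
        if os.path.lexists(candidate):  # directory or gitfile
            findings.append((current, os.lstat(candidate).st_uid))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings


def foreign_owned(findings, uid):
    """Keep only the directories whose .git is owned by someone other than uid."""
    return [d for d, owner in findings if owner != uid]


def demo():
    """Constructed tree: <root>/home/alice, with a tarball unpacked beside it."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        home = os.path.join(root, "home", "alice")
        os.makedirs(home)

        def scan():
            # Ignore anything above the constructed tree.
            return [os.path.relpath(d, root)
                    for d, _ in ancestor_git_dirs(home) if d.startswith(root)]

        # Grandchild layout: not on alice's ancestor path.
        os.makedirs(os.path.join(root, "home", "unpacked-tarball", ".git"))
        before = scan()
        # Direct-child layout: sits on alice's ancestor path.
        os.makedirs(os.path.join(root, "home", ".git"))
        after = scan()
        return before, after


if __name__ == "__main__":
    for directory, owner in ancestor_git_dirs(os.path.expanduser("~")):
        print(f"{directory}/.git owned by uid {owner}")
```
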