
How to globally disable git hooks

For security reasons I would like git hooks to be disabled by default.

More specifically, when I run a git command in any git repository on my (Kubuntu) OS account, no git hooks should be executed, unless somehow specified.

I run all my code in Vagrant or Docker and the attack I want to avoid is the one where malicious code in the VM writes to the git hooks directory and thus gets itself onto the host machine. Disabling git hooks by default is a line of defense against this.

I'm looking for a solution that does not require per repository work and state. In my search I ran into this script which breaks both those requirements.

Ideally there is a simple solution such as putting this in .bash_aliases:

alias git='/usr/bin/git --no-hooks'
Jeroen De Dauw asked Jan 07 '18 07:01



2 Answers

Setting core.hooksPath in $HOME/.gitconfig seems to work for me:

[core]
    hooksPath = $SOME_DIR_WITHOUT_HOOKS

To enable hooks for a specific repo, you can probably reset it in $REPO/.git/config:

[core]
    hooksPath = $GIT_DIR/hooks
rnons answered Oct 13 '22 11:10


The hooks are not the only way an attacker with write access to the .git directory can attack the user of the .git directory. The option diff.external can, for example, be set to execute anything, and who keeps track of all new Git features?

Even letting the attacker have write access to the repository may be bad, if your development environment looks for configuration files within, or if it has some script that is executed locally.

Protecting .git is still a good idea; I propose these solutions:

  • Make .git read-only in the virtual machine.
  • Place the .git directory outside the working directory shared with the virtual machines. The --git-dir flag or the GIT_DIR environment variable controls where Git looks for the .git directory. This has the drawback that the .git directory is not shared with the virtual machine if it needs it, and that the command line flag or the environment variable will need to be set before working with each different repository.
Philip Nilsson answered Oct 13 '22 09:10
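
Taken together, the two answers mean a repository-local .git/config can both override a global core.hooksPath and set command-running options such as diff.external, so that file and the hooks directory are worth checking before running git in a shared working tree. As an added example (not code from either answer or from Git itself), this Python script audits a .git directory without invoking git; the key list, the simplified config parser and the sample directory are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Keys whose value Git executes or follows (assumption: a starting list, not exhaustive).
RISKY = re.compile(
    r"(?i)^(core\.(hookspath|fsmonitor|sshcommand|pager|editor)|diff\.external"
    r"|(diff|filter|merge)\..+\.(command|textconv|clean|smudge|process|driver)"
    r"|credential\.helper|gpg\.program|include\.path|includeif\..+\.path)$")
HEADER = re.compile(r'^\[\s*([\w.-]+)(?:\s+"(.*)")?\s*\]')

def config_findings(text):
    """(key, value) pairs in a .git/config body matching RISKY (simplified parser)."""
    section, found = "", []
    for line in map(str.strip, text.splitlines()):
        header = HEADER.match(line)
        if header:
            section = ".".join(g for g in header.groups() if g)
            line = line[header.end():].strip()  # a key may share the header line
        if not line or line[0] in "#;":
            continue
        name, _, value = line.partition("=")
        key = f"{section}.{name.strip()}"
        if RISKY.match(key):
            found.append((key, value.strip()))
    return found

def active_hooks(git_dir):
    """Hook files Git would run: an execute bit set and not a *.sample template."""
    hooks = Path(git_dir, "hooks")
    return sorted(p.name for p in hooks.glob("*")
                  if p.is_file() and p.suffix != ".sample" and p.stat().st_mode & 0o111)

def audit(git_dir):
    cfg = Path(git_dir, "config")
    text = cfg.read_text() if cfg.is_file() else ""
    return {"hooks": active_hooks(git_dir), "config": config_findings(text)}

def constructed_sample():  # builds a throwaway .git directory (constructed data)
    git_dir = Path(tempfile.mkdtemp(), ".git")
    hook = git_dir / "hooks" / "pre-commit"
    hook.parent.mkdir(parents=True)
    hook.write_text("#!/bin/sh\n")
    hook.chmod(0o755)
    (git_dir / "config").write_text(
        "[core]\n\thooksPath = .git/hooks\n[diff]\n\texternal = /constructed/tool\n")
    return git_dir

if __name__ == "__main__":
    print(audit(constructed_sample()))
```

The parser ignores line continuations and quoting, so treat an empty result as "nothing obvious" rather than proof of a clean repository.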