
Is it possible to push as someone else?

Tags: git, github

I am pretty new to git & GitHub. Also my English is bad, so I need to explain it in a weird way.

  1. We can see anyone's user name and email (if it isn't private) on GitHub
  2. We can use these at "git config user.name" etc.
  3. After that, clone a repo which belongs to them
  4. Do whatever you want and push

Is this possible? My git didn't ask for a password, or GitHub didn't ask for a merge request?

If it's possible, how can we be protected?

Tenardie asked Sep 02 '25 17:09


1 Answer

I think you are confusing two questions.

  1. Is it possible to push as someone else?

    No, it is not - you would need their GitHub credentials to do that (their PAT or their ssh key).

  2. Is it possible to create a commit with someone else's name as author?

    Yes*, you can set any author e-mail and name in your commits, but that's all that the git config lets you set - what goes into the commit, not credentials.

    (*) that's only a partial yes: you can't sign a commit as someone else, so if you create a commit showing someone else as author, you would not be able to prove they had created that commit (unless you actually had access to their GPG key, but just like passwords, that's a secret that should never be shared).

So to your last question, you can protect yourself from forgery:

  • By making sure you only grant push access to your repos to people you trust, and by making sure you only accept PRs you've reviewed. If you own the repo, you have all those controls.
  • As others have said, by signing your commits. Some organisations require that all commits be signed, for example, as a way to be able to verifiably know who actually made each commit.

joanis answered Sep 05 '25 06:09
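
The distinction drawn in the answer above, as an added example that is not part of the original answer: the author field of a commit is whatever the local configuration says, so the check that matters is the signature status. The identity `Alice Example <alice@example.com>`, the throwaway repository and the function names are constructed for this demo.

```shell
#!/bin/sh
# Added example: author metadata is free text; only a signature is verifiable.
# The identity used below is constructed for this demo.

# Create a throwaway repo holding one unsigned commit whose author comes
# purely from local git config. Prints the repo path on stdout.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    git init -q "$repo" >/dev/null 2>&1 || return 1
    git -C "$repo" config user.name "Alice Example"
    git -C "$repo" config user.email "alice@example.com"
    git -C "$repo" config commit.gpgsign false   # ignore any global signing setup
    echo demo > "$repo/file.txt"
    git -C "$repo" add file.txt
    git -C "$repo" commit -q -m "demo commit" || return 1
    printf '%s\n' "$repo"
}

# List every commit reachable from HEAD that lacks a good signature.
# %G? prints G for a good signature and N for no signature; other letters
# (B, U, X, Y, R, E) mean bad, untrusted, expired, revoked or uncheckable.
# Anything other than G is reported, one line per commit:
#   <status> <short hash> <author name> <author email>
audit_unverified() {
    git -C "$1" log --format='%G? %h %an <%ae>' | grep -v '^G '
}

# Count the commits that carry no signature at all (status N).
count_unsigned() {
    git -C "$1" log --format='%G?' | grep -c '^N$'
}

# Demo run: the commit names Alice as author, yet the audit flags it,
# because nothing in the commit proves who created it.
demo=$(make_demo_repo) && audit_unverified "$demo"
rm -rf "$demo"
```

On a real repository, run `audit_unverified /path/to/repo` before trusting the author column of `git log`; it needs the signers' public keys in your keyring to report `G`.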