From: Jonathan Nieder <jrnieder@gmail.com>
To: Taylor Blau <me@ttaylorr.com>
Cc: git@vger.kernel.org,
Johannes Schindelin <Johannes.Schindelin@gmx.de>,
Junio C Hamano <gitster@pobox.com>
Subject: Re: Too-loose checks for applying safe.directory rules?
Date: Tue, 12 Apr 2022 22:26:07 -0700 [thread overview]
Message-ID: <YlZe766xu9mHWNdy@google.com> (raw)
In-Reply-To: <YlZJGbcNzSp5yNN1@nand.local>
(+cc: git@vger, git-security -> bcc)
Hi,
Taylor Blau wrote:
> Hi all,
>
> I was skimming the Hacker News comments on my blog post covering the
> latest pair of CVEs, and this[1] comment stuck out to me.
>
> Looking at 8959555cee (setup_git_directory(): add an owner check for the
> top-level directory, 2022-03-02), I wonder why the `safe_directory_cb()`
> callback doesn't bother to check that `key` is `safe.directory`.
>
> Indeed, our checks seem too loose here. Initializing a repository as
> root:
>
> $ su
> # git init repo
>
> Then trying to run "git status" inside of that repo as my normal user
> gives the expected error:
>
> $ git status
> fatal: unsafe repository ('/home/repo' is owned by someone else)
> To add an exception for this directory, call:
>
> git config --global --add safe.directory /home/repo
>
> But doing the following:
>
> $ git config --global --add foo.bar /home/repo
>
> tricks Git into thinking that _any_ value which looks like a path in the
> "early config" scope can be interpreted as if the key were
> safe.directory, even when it is not:
>
> $ git status
> On branch master
>
> No commits yet
>
> nothing to commit (create/copy files and use "git add" to track)
>
> The author of [1] sent a PR to the git/git repo on GitHub [2], so I
> don't think there's any value in doing another coordinated release here.
Thanks, Taylor. I'm taking the liberty of moving to the main Git list.
> We should certainly fix this before 2.36 is released, but should
> probably apply those patches down to the suite of minor versions
> released today, too.
>
> It's entirely possible I'm holding it wrong and/or missing something
> here, and I'd be happy to be wrong here.
>
> Thanks,
> Taylor
>
> [1]: https://news.ycombinator.com/item?id=31010604
> [2]: https://github.com/git/git/pull/1235
Thanks,
Jonathan
next parent reply other threads:[~2022-04-13 5:26 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <YlZJGbcNzSp5yNN1@nand.local>
2022-04-13 5:26 ` Jonathan Nieder [this message]
2022-04-26 11:08 ` Too-loose checks for applying safe.directory rules? CB Bailey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YlZe766xu9mHWNdy@google.com \
--to=jrnieder@gmail.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=me@ttaylorr.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.