* [PULL][PATCH 0/1] Do setuid before git operations
From: Jack (Szu-Chieh) Wang @ 2022-05-13 10:03 UTC
To: poky; +Cc: Jack Wang, ryanoleary

From: "Jack (Szu-Chieh) Wang" <jackwa@google.com>

/etc/build information missing is because the new git thinks it's
unsafe to do git operations if the directory has a different uid from
the executing process'. However, there are still cases that we are
building the image with a different uid, making git reporting false
alarms. This patch identifies the cases by attempting to setuid to the
owner of the git directory and if this works, it should be the
expected git repo thus safe to do git operations.

The following changes since commit 7b48f329aedc7fcb277302ba6ff167f22e5b1f22:

  scripts/autobuilder-worker-prereq-tests: add additional limit testing (2022-05-11 19:59:44 +0100)

are available in the Git repository at:

  git://git.yoctoproject.org/poky-contrib jackwang/setuid-before-git-op
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=jackwang/setuid-before-git-op

Jack Wang (1):
  Do setuid before git operations

 meta/classes/metadata_scm.bbclass | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

-- 
2.36.0.550.gb090851708-goog
* [PATCH 1/1] Do setuid before git operations 2022-05-13 10:03 [PULL][PATCH 0/1] Do setuid before git operations Jack (Szu-Chieh) Wang @ 2022-05-13 10:04 ` Jack (Szu-Chieh) Wang 2022-05-13 10:14 ` [poky] [PULL][PATCH 0/1] " Richard Purdie 1 sibling, 0 replies; 6+ messages in thread From: Jack (Szu-Chieh) Wang @ 2022-05-13 10:04 UTC (permalink / raw) To: poky; +Cc: ryanoleary, Jack Wang After 2.35.2, git operations aren't considered safe when running in directories owned by other users. This patch attempts to setuid to the uid of the directory owner before doing the git operations. Signed-off-by: Jack (Szu-Chieh) Wang <jackwa@google.com> --- meta/classes/metadata_scm.bbclass | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/meta/classes/metadata_scm.bbclass b/meta/classes/metadata_scm.bbclass index 47cb969b8d..bb2f494533 100644 --- a/meta/classes/metadata_scm.bbclass +++ b/meta/classes/metadata_scm.bbclass @@ -22,18 +22,22 @@ def base_get_metadata_svn_revision(path, d): def base_get_metadata_git_branch(path, d): import bb.process + import os + stat_info = os.stat(path) try: - rev, _ = bb.process.run('git rev-parse --abbrev-ref HEAD', cwd=path) + rev, _ = bb.process.run('git rev-parse --abbrev-ref HEAD', cwd=path, preexec_fn=lambda : os.setuid(stat_info.st_uid)) except bb.process.ExecutionError: rev = '<unknown>' return rev.strip() def base_get_metadata_git_revision(path, d): import bb.process + import os + stat_info = os.stat(path) try: - rev, _ = bb.process.run('git rev-parse HEAD', cwd=path) + rev, _ = bb.process.run('git rev-parse HEAD', cwd=path, preexec_fn=lambda : os.setuid(stat_info.st_uid)) except bb.process.ExecutionError: rev = '<unknown>' return rev.strip() -- 2.36.0.550.gb090851708-goog ^ permalink raw reply related [flat|nested] 6+ messages in thread
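Review bot: In both `bb.process.run(...)` calls, `preexec_fn=lambda : os.setuid(stat_info.st_uid)` changes only the uid, so when the build runs as root the child git keeps root's gid and supplementary groups; a privilege drop should also clear the supplementary groups and set the gid (for example `os.setgroups([])` and `os.setgid(stat_info.st_gid)`) before `os.setuid(...)`. A successful setuid shows only that the calling process was privileged enough to switch, not that `path` is the expected repository, and it makes git's ownership check pass for whoever owns `path`; comparing `stat_info.st_uid` against an expected uid before running git would keep the check meaningful. `os.stat(path)` sits outside the `try`, so a missing or unreadable `path` now raises `OSError` instead of returning `'<unknown>'`; move it inside the `try` and handle it. The only handler is `except bb.process.ExecutionError`, so please confirm that a `PermissionError` raised by `os.setuid` in an unprivileged build is reported as that exception rather than propagating. The same added lines appear in `base_get_metadata_git_branch` and `base_get_metadata_git_revision` and could live in one helper.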
* Re: [poky] [PULL][PATCH 0/1] Do setuid before git operations
From: Richard Purdie @ 2022-05-13 10:14 UTC
To: jackwa, poky; +Cc: ryanoleary

On Fri, 2022-05-13 at 10:03 +0000, Jack (Szu-Chieh) Wang via lists.yoctoproject.org wrote:
> From: "Jack (Szu-Chieh) Wang" <jackwa@google.com>
>
> /etc/build information missing is because the new git thinks it's
> unsafe to do git operations if the directory has a different uid from
> the executing process'. However, there are still cases that we are
> building the image with a different uid, making git reporting false
> alarms. This patch identifies the cases by attempting to setuid to the
> owner of the git directory and if this works, it should be the
> expected git repo thus safe to do git operations.

This should have been fixed in master or in the process of being fixed
on the stable branches by the git wrapper we've recently merged?

https://git.yoctoproject.org/poky/commit/?id=4d7383aefb391a5a998454c70feb96127951ca0a

and several other related commits.

Which release are you seeing that with?

Cheers,

Richard
* Re: [poky] [PULL][PATCH 0/1] Do setuid before git operations
From: Jack (Szu-Chieh) Wang @ 2022-05-13 10:19 UTC
To: richard.purdie; +Cc: poky, Ryan O'Leary

Hi Richard,

Thanks for your prompt reply.
We're using the dunfell branch and the git issues remain.
I see the patch is only on master not on dunfell, is this correct?

Sincerely,
Jack

On Fri, May 13, 2022 at 6:14 PM <richard.purdie@linuxfoundation.org> wrote:

> On Fri, 2022-05-13 at 10:03 +0000, Jack (Szu-Chieh) Wang via
> lists.yoctoproject.org wrote:
> > From: "Jack (Szu-Chieh) Wang" <jackwa@google.com>
> >
> > /etc/build information missing is because the new git thinks it's
> > unsafe to do git operations if the directory has a different uid from
> > the executing process'. However, there are still cases that we are
> > building the image with a different uid, making git reporting false
> > alarms. This patch identifies the cases by attempting to setuid to the
> > owner of the git directory and if this works, it should be the
> > expected git repo thus safe to do git operations.
>
> This should have been fixed in master or in the process of being fixed
> on the stable branches by the git wrapper we've recently merged?
>
> https://git.yoctoproject.org/poky/commit/?id=4d7383aefb391a5a998454c70feb96127951ca0a
>
> and several other related commits.
>
> Which release are you seeing that with?
>
> Cheers,
>
> Richard
* Re: [poky] [PULL][PATCH 0/1] Do setuid before git operations
From: Richard Purdie @ 2022-05-13 10:22 UTC
To: Jack (Szu-Chieh) Wang, Steve Sakoman; +Cc: poky, Ryan O'Leary

On Fri, 2022-05-13 at 18:19 +0800, Jack (Szu-Chieh) Wang wrote:
> Hi Richard,
>
> Thanks for your prompt reply.
> We're using the dunfell branch and the git issues remain.
> I see the patch is only on master not on dunfell, is this correct?

We have a backport policy which means we fix on master, then fixes
cascade to the stable maintained releases. There is a review request
out here:

http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-next

which includes the patches and should hopefully merge in the next few
days.

Cheers,

Richard
* Re: [poky] [PULL][PATCH 0/1] Do setuid before git operations
From: Jack (Szu-Chieh) Wang @ 2022-05-13 10:48 UTC
To: richard.purdie; +Cc: Steve Sakoman, poky, Ryan O'Leary

I see, thanks a lot for your help and your efforts.

Sincerely,
Jack

On Fri, May 13, 2022 at 6:22 PM <richard.purdie@linuxfoundation.org> wrote:

> On Fri, 2022-05-13 at 18:19 +0800, Jack (Szu-Chieh) Wang wrote:
> > Hi Richard,
> >
> > Thanks for your prompt reply.
> > We're using the dunfell branch and the git issues remain.
> > I see the patch is only on master not on dunfell, is this correct?
>
> We have a backport policy which means we fix on master, then fixes
> cascade to the stable maintained releases. There is a review request
> out here:
>
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-next
>
> which includes the patches and should hopefully merge in the next few
> days.
>
> Cheers,
>
> Richard