From: Junio C Hamano <gitster@pobox.com>
To: Carlo Arenas <carenas@gmail.com>
Cc: git@vger.kernel.org, bagasdotme@gmail.com,
phillip.wood123@gmail.com, Johannes.Schindelin@gmx.de,
"Guy Maurel" <guy.j@maurel.de>,
"SZEDER Gábor" <szeder.dev@gmail.com>,
"Randall Becker" <rsbecker@nexbridge.com>
Subject: Re: [RFC PATCH v4 2/3] git-compat-util: avoid failing dir ownership checks if running privileged
Date: Mon, 09 May 2022 12:41:07 -0700 [thread overview]
Message-ID: <xmqq7d6ucx4c.fsf@gitster.g> (raw)
In-Reply-To: <CAPUEspidmqiUYd3xB4QaR72YU=H8pA-3yNXxOF_MWyA_0wrKcA@mail.gmail.com> (Carlo Arenas's message of "Mon, 9 May 2022 11:48:31 -0700")
Carlo Arenas <carenas@gmail.com> writes:
> not that there are 2 different scenarios which we might seem to be
> flip flopping about :
>
> 1) victim gets attacked by tricking them into using the wrong SUDO_UID
>
> unlikely to be useful as you pointed out, and totally useless if we
> still restrict this code to run only as root
I think we established that we are not interested in this long ago.
> 2) attacker using this code to elevate privileges themselves
>
> only useful if this code is not run as root.
An attacker who is not root would not make the "what does SUDO_UID
say about the user we came from?", and "git" will not be setuid
binary, so I agree the code is not useful for such an attack,
either.
> My concern again, is not with this code AS-IS but how it might be used
> in the future.
I'd rather not such a "concern" to block us for too long.
>> Of course you can tell any user who runs "sudo" to set SUDO_UID to
>> 1000 + 64k and cause wrap-around, but then you can tell them to set
>> SUDO_UID to 1000 without relying on wrap-around and have the same
>> effect. So, let's stop worrying about this bogus scenario.
>
> bogus only if we are still only running this code as root, of course.
And this code is only run to learn what SUDO_UID says, which is what
we check when we notice geteuid() says we are root.
>> As to the "we can break compilation with -Wsign-compare on a system
>> with signed uid_t", I agree that is true if we have
>
> Apologies for not documenting it until now, but I had
> -Wtautological-constant-out-of-range-compare in mind instead, but your
> are correct either one would work and the point was that (without
> having to add even an "static assert") we were able to find them and
> warn them that they need to patch.
>
>> env_id <= (uid_t) -1
>
> If that was not enough, that simple code ALSO disabled the code in
> that case to make sure they MUST patch locally if they need to make it
> work, or come back to us to figure out a portable way to accommodate
> them in the future, with all the information about their system we
> currently lack.
Without a comment to say that, nobody would be able to figure out
that we are waiting for them to speak up.
/* the code does not work on a system with signed uid */
intmax_t tmp = (uid_t) -1;
if (tmp < 0)
BUG("report to git@vger that you have a signed uid_t");
or better yet, a compile-time equivalent, perhaps.
>> there. But I am not sure if that is the most effective way to smoke
>> out platforms where this code has trouble working correctly. Also,
>> I would think that a system with signed uid_t is a possibility, but
>> a user with a negative UID?
>
> It doesn't need to be a real user (specially if someone independently
> decides to remove the restriction that keeps this code available only
> to root).
When they break, they can keep both halves. Is it our concern?
next prev parent reply other threads:[~2022-05-09 19:41 UTC|newest]
Thread overview: 170+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-26 18:31 [RFC PATCH] git-compat-util: avoid failing dir ownership checks if running priviledged Carlo Marcelo Arenas Belón
2022-04-26 19:48 ` Derrick Stolee
2022-04-26 19:56 ` Junio C Hamano
2022-04-26 20:10 ` rsbecker
2022-04-26 20:45 ` Carlo Arenas
2022-04-26 21:10 ` Junio C Hamano
2022-04-26 20:12 ` Carlo Arenas
2022-04-26 20:26 ` Carlo Arenas
2022-04-29 16:16 ` Derrick Stolee
2022-04-27 0:05 ` [PATCH] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-04-27 9:33 ` Phillip Wood
2022-04-27 12:30 ` Phillip Wood
2022-04-27 14:15 ` rsbecker
2022-04-27 15:58 ` Carlo Arenas
2022-04-27 16:14 ` Phillip Wood
2022-04-27 18:54 ` Junio C Hamano
2022-04-27 20:59 ` Carlo Arenas
2022-04-27 21:09 ` rsbecker
2022-04-27 21:25 ` Junio C Hamano
2022-04-28 17:56 ` Phillip Wood
2022-04-27 15:38 ` Carlo Arenas
2022-04-27 15:50 ` rsbecker
2022-04-27 16:19 ` Junio C Hamano
2022-04-27 16:45 ` Carlo Arenas
2022-04-27 17:22 ` Phillip Wood
2022-04-27 17:49 ` rsbecker
2022-04-27 17:54 ` Carlo Arenas
2022-04-27 18:05 ` rsbecker
2022-04-27 18:11 ` Carlo Arenas
2022-04-27 18:16 ` rsbecker
2022-04-27 16:31 ` Phillip Wood
2022-04-27 16:54 ` Carlo Arenas
2022-04-27 17:28 ` Phillip Wood
2022-04-27 17:49 ` Carlo Arenas
2022-04-27 22:26 ` [RFC PATCH v2] " Carlo Marcelo Arenas Belón
2022-04-27 22:33 ` Junio C Hamano
2022-04-28 3:35 ` [PATCH 0/2] fix `sudo make install` regression in maint Carlo Marcelo Arenas Belón
2022-04-28 3:35 ` [PATCH 1/2] Documentation: explain how safe.directory works when running under sudo Carlo Marcelo Arenas Belón
2022-04-28 5:17 ` Junio C Hamano
2022-04-28 5:58 ` Carlo Arenas
2022-04-28 6:41 ` Junio C Hamano
2022-04-28 3:35 ` [PATCH 2/2] t: add tests for safe.directory when running with sudo Carlo Marcelo Arenas Belón
2022-04-28 5:34 ` Junio C Hamano
2022-04-28 4:57 ` [PATCH 0/2] fix `sudo make install` regression in maint Junio C Hamano
2022-04-28 10:58 ` [PATCH v2 0/3] " Carlo Marcelo Arenas Belón
2022-04-28 10:58 ` [PATCH v2 1/3] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-04-28 18:02 ` Phillip Wood
2022-04-28 18:57 ` Carlo Arenas
2022-04-28 10:58 ` [PATCH v2 2/3] Documentation: explain how safe.directory works when running under sudo Carlo Marcelo Arenas Belón
2022-04-30 6:17 ` Bagas Sanjaya
2022-04-30 6:39 ` Junio C Hamano
2022-04-30 14:15 ` Carlo Marcelo Arenas Belón
2022-04-28 10:58 ` [PATCH v2 3/3] t: add tests for safe.directory when running with sudo Carlo Marcelo Arenas Belón
2022-04-28 16:55 ` Junio C Hamano
2022-04-28 18:08 ` Phillip Wood
2022-04-28 18:12 ` Junio C Hamano
2022-05-06 17:50 ` Carlo Arenas
2022-05-06 21:43 ` Junio C Hamano
2022-05-06 22:57 ` Carlo Arenas
2022-05-06 23:55 ` Junio C Hamano
2022-05-07 11:57 ` Carlo Marcelo Arenas Belón
2022-04-28 19:53 ` rsbecker
2022-04-28 20:22 ` Carlo Arenas
2022-04-28 20:43 ` rsbecker
2022-04-28 20:51 ` Junio C Hamano
2022-04-28 20:56 ` Carlo Arenas
2022-04-28 21:55 ` rsbecker
2022-04-28 22:21 ` Junio C Hamano
2022-04-28 22:45 ` rsbecker
2022-04-28 20:46 ` Junio C Hamano
2022-04-28 20:32 ` Junio C Hamano
2022-04-28 20:40 ` rsbecker
2022-04-28 20:48 ` Carlo Arenas
2022-04-28 21:02 ` Carlo Arenas
2022-04-28 21:07 ` Junio C Hamano
2022-04-29 1:24 ` Carlo Marcelo Arenas Belón
2022-04-29 18:50 ` Junio C Hamano
2022-04-29 20:05 ` Carlo Marcelo Arenas Belón
2022-05-02 18:39 ` [RFC PATCH v3 0/3] fix `sudo make install` regression in maint Carlo Marcelo Arenas Belón
2022-05-02 18:39 ` [RFC PATCH v3 1/3] t: document regression git safe.directory when using sudo Carlo Marcelo Arenas Belón
2022-05-02 21:35 ` Junio C Hamano
2022-05-02 23:07 ` Carlo Arenas
2022-05-02 18:39 ` [RFC PATCH v3 2/3] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-05-02 18:39 ` [RFC PATCH v3 3/3] t0034: enhance framework to allow testing more commands under sudo Carlo Marcelo Arenas Belón
2022-05-02 22:10 ` Junio C Hamano
2022-05-03 0:00 ` Carlo Arenas
2022-05-03 6:54 ` [PATCH v3 0/3] fix `sudo make install` regression in maint Carlo Marcelo Arenas Belón
2022-05-03 6:54 ` [PATCH v3 1/3] t: document regression git safe.directory when using sudo Carlo Marcelo Arenas Belón
2022-05-03 14:03 ` Phillip Wood
2022-05-03 15:56 ` Carlo Marcelo Arenas Belón
2022-05-04 11:15 ` Phillip Wood
2022-05-04 13:02 ` Carlo Arenas
2022-05-04 14:11 ` Phillip Wood
2022-05-05 13:44 ` Johannes Schindelin
2022-05-05 14:34 ` Phillip Wood
2022-05-05 15:50 ` Junio C Hamano
2022-05-05 18:33 ` Junio C Hamano
2022-05-05 19:39 ` Junio C Hamano
2022-05-06 21:03 ` Carlo Arenas
2022-05-09 8:21 ` Phillip Wood
2022-05-09 14:51 ` Carlo Arenas
2022-05-09 15:18 ` Phillip Wood
2022-05-09 16:01 ` Junio C Hamano
2022-05-09 16:21 ` Carlo Arenas
2022-05-06 17:39 ` Carlo Arenas
2022-05-03 6:54 ` [PATCH v3 2/3] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-05-05 14:01 ` Johannes Schindelin
2022-05-05 14:32 ` Phillip Wood
2022-05-06 19:15 ` Carlo Arenas
2022-05-06 20:00 ` Junio C Hamano
2022-05-06 20:22 ` Carlo Arenas
2022-05-06 20:59 ` Junio C Hamano
2022-05-06 21:40 ` Carlo Arenas
2022-05-06 21:07 ` rsbecker
2022-05-05 16:09 ` Junio C Hamano
2022-05-06 20:02 ` Carlo Arenas
2022-05-03 6:54 ` [PATCH v3 3/3] t0034: enhance framework to allow testing more commands under sudo Carlo Marcelo Arenas Belón
2022-05-03 14:12 ` Phillip Wood
2022-05-03 15:27 ` Junio C Hamano
2022-05-06 16:54 ` Carlo Arenas
2022-05-07 16:35 ` [RFC PATCH v4 0/3] fix `sudo make install` regression in maint Carlo Marcelo Arenas Belón
2022-05-07 16:35 ` [RFC PATCH v4 1/3] t: regression git needs safe.directory when using sudo Carlo Marcelo Arenas Belón
2022-05-07 16:35 ` [RFC PATCH v4 2/3] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-05-07 17:34 ` Junio C Hamano
2022-05-07 18:56 ` Carlo Marcelo Arenas Belón
2022-05-09 16:54 ` Junio C Hamano
2022-05-09 17:36 ` rsbecker
2022-05-09 18:48 ` Carlo Arenas
2022-05-09 19:16 ` rsbecker
2022-05-09 19:41 ` Junio C Hamano [this message]
2022-05-07 16:35 ` [RFC PATCH v4 3/3] t0034: add negative tests and allow git init to mostly work under sudo Carlo Marcelo Arenas Belón
2022-05-10 14:17 ` [RFC PATCH v4 0/3] fix `sudo make install` regression in maint Phillip Wood
2022-05-10 15:47 ` Carlo Arenas
2022-05-10 17:46 ` [PATCH " Carlo Marcelo Arenas Belón
2022-05-10 17:46 ` [PATCH v4 1/3] t: regression git needs safe.directory when using sudo Carlo Marcelo Arenas Belón
2022-05-10 22:10 ` Junio C Hamano
2022-05-10 23:11 ` Carlo Arenas
2022-05-10 23:44 ` Junio C Hamano
2022-05-11 0:56 ` Carlo Arenas
2022-05-11 1:11 ` Junio C Hamano
2022-05-10 17:46 ` [PATCH v4 2/3] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-05-10 22:57 ` Junio C Hamano
2022-05-11 7:34 ` Carlo Arenas
2022-05-11 14:58 ` Junio C Hamano
2022-05-10 17:46 ` [PATCH v4 3/3] t0034: add negative tests and allow git init to mostly work under sudo Carlo Marcelo Arenas Belón
2022-05-10 23:11 ` Junio C Hamano
2022-05-10 23:25 ` Junio C Hamano
2022-05-11 14:04 ` Carlo Arenas
2022-05-11 15:29 ` Junio C Hamano
2022-05-13 1:00 ` [PATCH v5 0/4] fix `sudo make install` regression in maint Carlo Marcelo Arenas Belón
2022-05-13 1:00 ` [PATCH v5 1/4] t: regression git needs safe.directory when using sudo Carlo Marcelo Arenas Belón
2022-06-03 12:12 ` SZEDER Gábor
2022-05-13 1:00 ` [PATCH v5 2/4] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-06-03 11:05 ` SZEDER Gábor
2022-06-03 16:54 ` Junio C Hamano
2022-06-03 17:34 ` SZEDER Gábor
2022-05-13 1:00 ` [PATCH v5 3/4] t0034: add negative tests and allow git init to mostly work under sudo Carlo Marcelo Arenas Belón
2022-05-13 1:20 ` Junio C Hamano
2022-05-14 14:36 ` Carlo Arenas
2022-05-15 16:54 ` Junio C Hamano
2022-05-15 19:21 ` Carlo Arenas
2022-05-16 5:27 ` Junio C Hamano
2022-05-16 13:07 ` Carlo Marcelo Arenas Belón
2022-05-16 16:25 ` Junio C Hamano
2022-05-13 1:00 ` [PATCH v5 4/4] git-compat-util: allow root to access both SUDO_UID and root owned Carlo Marcelo Arenas Belón
2022-06-15 14:02 ` Johannes Schindelin
2022-06-17 14:26 ` Carlo Arenas
2022-06-17 16:00 ` Junio C Hamano
2022-06-17 20:23 ` [PATCH v6] " Carlo Marcelo Arenas Belón
2022-06-17 21:02 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqq7d6ucx4c.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=bagasdotme@gmail.com \
--cc=carenas@gmail.com \
--cc=git@vger.kernel.org \
--cc=guy.j@maurel.de \
--cc=phillip.wood123@gmail.com \
--cc=rsbecker@nexbridge.com \
--cc=szeder.dev@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.