From: Junio C Hamano <gitster@pobox.com>
To: Jeff King <peff@peff.net>
Cc: "brian m. carlson" <sandals@crustytoothpaste.net>,
"W. Michael Petullo" <mike@flyn.org>,
git@vger.kernel.org
Subject: Re: Git clone reads safe.directory differently?
Date: Wed, 31 Jul 2024 09:23:49 -0700 [thread overview]
Message-ID: <xmqqo76d7coa.fsf@gitster.g> (raw)
In-Reply-To: <20240731072832.GB595974@coredump.intra.peff.net> (Jeff King's message of "Wed, 31 Jul 2024 03:28:32 -0400")
Jeff King <peff@peff.net> writes:
> It could be that "clone" should try to avoid a "--local" clone from a
> repo with different ownership, if the local hardlink path is more
> dangerous. But that distinction is not something upload-pack even knows
> about, so the code would have to go into clone.
Sounds good.
> And then upload-pack
> could be free to drop the ownership check. Certainly a lot of people
> have complained about it (I had actually thought we reverted it in
> v2.45.2, but that was just the extra hooks defense-in-depth; so again, I
> may be getting confused about the extra value of the enter_repo()
> ownership check that came at the same time).
As enter_repo() is about the protocol driver thing and not about
normal users working inside a repository, calls to it appear only in
receive-pack, upload-pack, upload-archive, http-backend, and daemon.
Among them, upload-pack is the only thing we promise that is safe to
work even in a hostile repository? If we push into a repository
over the local transport, we would trigger post-receive hook as
ourselves, which we would probably not want. The same story goes
for daemon, http-backend, and upload-archive.
So we probably need to add another axis to the "strict" parameter
enter_repo() takes to selectively disable the ownership checks only
for upload-pack, or something like that.
We may want to restrict "tar.<format>.command" only to protected
configuration and then we may be able to loosen the ownership check
for the upload-archive command.
Thanks.
next prev parent reply other threads:[~2024-07-31 16:23 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-27 16:14 Git clone reads safe.directory differently? W. Michael Petullo
2024-07-27 21:58 ` Jeff King
2024-07-28 15:27 ` W. Michael Petullo
2024-07-28 22:48 ` Jeff King
2024-07-30 11:37 ` W. Michael Petullo
2024-07-30 22:28 ` brian m. carlson
2024-07-30 22:49 ` Junio C Hamano
2024-07-30 22:55 ` Junio C Hamano
2024-07-30 23:05 ` brian m. carlson
2024-07-31 7:28 ` Jeff King
2024-07-31 16:23 ` Junio C Hamano [this message]
2024-07-31 22:08 ` Junio C Hamano
2024-08-01 6:14 ` Jeff King
2024-08-01 14:59 ` Junio C Hamano
2024-08-01 21:26 ` brian m. carlson
2024-08-01 21:52 ` Junio C Hamano
2024-08-05 9:47 ` Jeff King
2024-08-05 15:34 ` W. Michael Petullo
2024-08-05 15:49 ` Junio C Hamano
2024-08-01 6:08 ` Jeff King
2024-07-31 7:19 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqo76d7coa.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=mike@flyn.org \
--cc=peff@peff.net \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.