git.vger.kernel.org archive mirror
From: "Shawn O. Pearce" <spearce@spearce.org>
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org
Subject: git-daemon is insecure? (was: [RFC] Secure central repositories)
Date: Sun, 27 Jan 2008 19:16:55 -0500
Message-ID: <20080128001655.GY24004@spearce.org>
In-Reply-To: <7vsl0ix4gh.fsf@gitster.siamese.dyndns.org>

Junio C Hamano <gitster@pobox.com> wrote:
> "Shawn O. Pearce" <spearce@spearce.org> writes:
> > This change allows any repository owner to set up a git-daemon
> > that other users on the same host can connect through to perform
> > upload-pack or receive-pack.
> 
> My reading of this is that it creates a backdoor for people who
[...]
> In addition to having to worry about
> the in-repo data properly being protected from people outside
> the group, you now need to worry about the access through that
> backdoor does not extend outside of the repository.  E.g. the
> repository owner's $HOME that is outside the repository would be
> writable by that owner, but is not meant to be accessible by
> project participants.  If you allow others to "run as" you, the
> only thing that forbids that process running as you from
> accessing $HOME is an additional audit of git-daemon and the
> programs it spawns.

So you are partially suggesting that git-daemon isn't thought to
be secure, and that anything readable by the user that git-daemon
is running as is fully exposed to the public Internet.  So the
access control attempts relating to --base-path or the check for
git-daemon-export-ok shouldn't really be trusted or relied upon.

If that really is the case, perhaps git-daemon should be audited
and hardened further.  Last I checked, we encouraged people to run
it to offer anonymous access to repositories, and the documentation
suggests there are publishing access controls that actually work.
If those controls cannot be trusted then we shouldn't encourage
running git-daemon on untrusted networks.

With regard to this patch, yes, you can export your entire $HOME
and maybe expose things you shouldn't or didn't want to.  But even
without git installed you could do this:

	cp /bin/bash /tmp/be-like-mike
	chown $USER /tmp/be-like-mike
	chmod 777 /tmp/be-like-mike
	chmod u+s /tmp/be-like-mike
	wall "try out /tmp/be-like-mike today"

but why would anyone do something that foolish?  UNIX provides the
tools to do this, because there are cases where it can be useful,
but really, you have to be nuts to export all of $HOME.

-- 
Shawn.
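
An audit of what a git-daemon started with --base-path would be allowed to serve, as an added example that is not part of the original message or of git itself. It splits the repositories under a base path by the git-daemon-export-ok marker and warns when the base path contains $HOME; the function names are hypothetical, and it assumes the daemon is run without --export-all.

```sh
#!/bin/sh
# Added audit example; not code from the original message or from git.
# Assumption: git-daemon runs with --base-path=BASE and without
# --export-all, so only repositories holding git-daemon-export-ok are served.

is_git_dir() {          # bare repository or .git directory?
    [ -d "$1/objects" ] && [ -d "$1/refs" ] && [ -f "$1/HEAD" ]
}

list_git_dirs() {       # every git directory under BASE, sorted
    find "$1" -type f -name HEAD 2>/dev/null | while IFS= read -r head; do
        dir=${head%/HEAD}
        if is_git_dir "$dir"; then printf '%s\n' "$dir"; fi
    done | sort
}

exported_repos() {      # marker present: the daemon may serve these
    list_git_dirs "$1" | while IFS= read -r dir; do
        if [ -e "$dir/git-daemon-export-ok" ]; then printf '%s\n' "$dir"; fi
    done
}

unexported_repos() {    # marker absent: the export check should refuse these
    list_git_dirs "$1" | while IFS= read -r dir; do
        if [ ! -e "$dir/git-daemon-export-ok" ]; then printf '%s\n' "$dir"; fi
    done
}

base_covers_home() {    # returns 0 when $HOME is BASE or lies below it
    base=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    home=$(cd "$HOME" 2>/dev/null && pwd -P) || return 2
    case "$home/" in
        "${base%/}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

audit_base_path() {
    if base_covers_home "$1"; then
        echo "WARNING: base path $1 contains \$HOME ($HOME)"
    fi
    echo "exported:";     exported_repos "$1"   | sed 's/^/  /'
    echo "not exported:"; unexported_repos "$1" | sed 's/^/  /'
}

# Run the audit only when a base path is given on the command line.
if [ "$#" -gt 0 ]; then audit_base_path "$1"; fi
```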
