Re: what are the chances of a 'pre-upload' hook?

git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Jeff King <peff@peff.net>
To: Sitaram Chamarty <sitaramc@gmail.com>
Cc: Git Mailing List <git@vger.kernel.org>
Subject: Re: what are the chances of a 'pre-upload' hook?
Date: Fri, 25 Nov 2011 09:40:07 -0500	[thread overview]
Message-ID: <20111125144007.GA4047@sigill.intra.peff.net> (raw)
In-Reply-To: <CAMK1S_gh_CsWc-DnbOuUwn+H1i3skm99xzDbWe-wxsKKS0Qw-w@mail.gmail.com>

On Fri, Nov 25, 2011 at 09:43:14AM +0530, Sitaram Chamarty wrote:

> The quick summary, in the words of Jeff (second post in that link) is:
> "Because [upload]-pack runs as the user who is [fetching], not as the
> repository owner. So by convincing you to [fetch from] my repository
> in a multi-user environment, I convince you to run some arbitrary code
> of mine."
> 
> My contention (today) is:
> 
>   - you're already taking that risk for push
>   - so this would add a new risk only for people who fetch but don't push
>   - which, I submit, is a very small (if not almost empty) set of people
> 
> I may be wrong but I imagine shared environments are those where
> almost everyone will push at least once in a while.  It's a closed
> group of people, probably all developers, etc etc etc...

One thing to note is that this is _only_ an issue on systems where the
user running upload-pack (or receive-pack, for push) is not the same as
the user who owns the hooks directory. So basically two situations:

  1. Alice and Bob are developers on a multi-user system with ssh
     access. Alice will run "git fetch ~bob/project.git" or "git fetch
     alice@server:~bob/project.git". She executes Bob's hooks as
     herself on the server.

  2. Somebody runs a git:// server, locked down under a "git" user (or a
     smart-http server, under a "www" account).  If users of the service
     can write their own hooks, they will run as the "git" user.

But there are many situations that don't fall under this umbrella. In
(1), maybe Alice and Bob decide that they trust each other enough, and
the hook is more important than the security issue. In (2), users of the
service might not be able to write their own hooks (this is the case for
GitHub, and I assume also for Gerrit).

There should be a way for people who aren't in one of those dangerous
situations to be able to use a hook. The important thing is to set the
defaults in such a way that the people who _are_ in that situation
aren't left in a vulnerable situation.

The easiest way would be something like a "trust remote hooks"
environment variable, off by default. Admins in situation (2) could set
it for their git-daemon (or webserver, or whatever, or
gitolite-over-ssh), once they decided it was safe.

It could also help with (1), but I think you would need to take special
steps to propagate the variable in the "git fetch server:project.git"
case.

-Peff

next prev parent reply	other threads:[~2011-11-25 14:40 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-11-25  3:16 what are the chances of a 'pre-upload' hook? Sitaram Chamarty
2011-11-25  3:18 ` Martin Fick
2011-11-25  3:22   ` Martin Fick
2011-11-25  4:13 ` Sitaram Chamarty
2011-11-25 13:09   ` Andreas Ericsson
2011-11-25 16:18     ` Sitaram Chamarty
2011-11-25 14:40   ` Jeff King [this message]
2011-11-26 22:34     ` Junio C Hamano
2011-11-26 22:55       ` Jeff King
2011-11-26 23:13         ` Junio C Hamano
2011-11-26 23:31           ` Jeff King
     [not found]             ` <CAPc5daXY_4aimugj8Z4BFE8YvBSM1K+evPU69rLGH5ETo6PO=Q@mail.gmail.com>
2011-11-26 23:51               ` Jeff King
     [not found]                 ` <CAPc5daUodry_=6pZxA=QOpuRUj9C2ed9Gzp6E1_G93iGfOOvOA@mail.gmail.com>
2011-11-27  0:06                   ` Jeff King
2011-11-27  8:56                     ` Junio C Hamano
2011-11-27 13:16                       ` Sitaram Chamarty
2011-11-28  6:41                         ` Junio C Hamano
2011-11-28  8:01                           ` Jeff King
2011-11-28  9:21                             ` Sitaram Chamarty
2011-11-28  8:17                           ` Sitaram Chamarty
2011-11-28  8:27                             ` Jeff King
2011-11-27  7:51             ` Junio C Hamano
2011-11-28  7:51               ` Jeff King
2011-11-28  8:17                 ` Jeff King

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20111125144007.GA4047@sigill.intra.peff.net \
    --to=peff@peff.net \
    --cc=git@vger.kernel.org \
    --cc=sitaramc@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).