git.vger.kernel.org archive mirror
From: Jeff King <peff@peff.net>
To: Jonathan Nieder <jrnieder@gmail.com>
Cc: Sitaram Chamarty <sitaramc@gmail.com>,
	Junio C Hamano <gitster@pobox.com>,
	Ethan Reesor <firelizzard@gmail.com>,
	git@vger.kernel.org, Ramkumar Ramachandra <artagnon@gmail.com>,
	Greg Brockman <gdb@mit.edu>
Subject: Re: [RFC/PATCH] shell: allow 'help' command to disable interactive shell
Date: Sun, 10 Feb 2013 23:45:11 -0500	[thread overview]
Message-ID: <20130211044511.GA12809@sigill.intra.peff.net> (raw)
In-Reply-To: <20130211012016.GA13243@elie.Belkin>

On Sun, Feb 10, 2013 at 05:20:16PM -0800, Jonathan Nieder wrote:

> diff --git a/shell.c b/shell.c
> index 84b237fe..3abc2b84 100644
> --- a/shell.c
> +++ b/shell.c
> @@ -63,10 +63,16 @@ static void cd_to_homedir(void)
>  
>  static void run_shell(void)
>  {
> -	int done = 0;
> +	int done = 0, status;
>  	static const char *help_argv[] = { HELP_COMMAND, NULL };
>  	/* Print help if enabled */
> -	run_command_v_opt(help_argv, RUN_SILENT_EXEC_FAILURE);
> +	status = run_command_v_opt(help_argv, RUN_SILENT_EXEC_FAILURE);
> +	if (!status)
> +		; /* success */
> +	else if (status == -1 && errno == ENOENT)
> +		; /* help disabled */
> +	else
> +		exit(status);
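Review bot: the `status == -1 && errno == ENOENT` test cannot tell "no help command installed" apart from "the help script itself exited 127", because run_command reports a child's exit code 127 as -1 with errno set to ENOENT; a help script that fails on a missing command (a typo in its last line is enough) therefore takes the `/* help disabled */` branch and drops the user into the interactive prompt instead of reaching `exit(status)`. Consider deciding "disabled" from the existence of the command before running it (for example access() on its path under ~/git-shell-commands) and treating every non-zero status from a script that does exist as a refusal; that rule should also be spelled out in the git-shell documentation, since until now the exit status of 'help' was ignored.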

One final comment on this. I believe we convert an exit code of 127 from
the child into ENOENT. So something like:

  #!/bin/sh
  echo >&2 "Sorry, no interactive shells allowed."
  exti 1

would actually go into the "help disabled" code path and accidentally
run an interactive shell. I wondered if this is something that might
happen accidentally (since the old semantics of "help" were that exit
code did not matter), and if there might be security implications to
entering an interactive shell. But I think we are OK for two reasons:

  1. An old script would not be trying to exit with failure and
     expecting to abort the interactive session; that is a new feature
     you are adding. So even if we accidentally exit 127 (because the
     old script relied on a missing command), it is not changing the
     semantics.

  2. Even if we accidentally do enter the interactive prompt, it should
     not be a security issue. It is not like you can then run arbitrary
     commands; unless you have put something else into
     ~/git-shell-commands, the user can only run "help" over and over.

Maybe obvious, but I wanted to note it as part of the review. I think we
need to be extra careful with thinking through git-shell security
implications, since it is a major potential attack surface for many git
setups.

-Peff

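The behaviour Peff describes above, as an added example that is not part of the original thread or of git's own code: a small C harness that reproduces the patched run_shell() decision, using a fork/exec stand-in for run_command_v_opt() that maps a child's exit code 127 to -1 with errno set to ENOENT, as he says git does. The "exti" in his script is the point: sh cannot find that command and exits 127, so the script lands in the "help disabled" branch. The hardened variant is an assumption of this example, not something in the patch: it decides "disabled" from whether the help command exists before running it, so a script that does exist has whatever it exits with honoured. The scripts are constructed here and written under /tmp; the example needs /bin/sh and a writable /tmp.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* The three branches of the patched run_shell(), as outcomes. */
enum help_outcome { HELP_OK, HELP_DISABLED, HELP_REFUSED };

/*
 * Stand-in for run_command_v_opt(): run 'path' with no arguments and map
 * a child exit code of 127 (exec failed, or sh could not find a command)
 * to -1 / ENOENT, as Peff says git's run_command does.  Not git's code.
 */
static int run_like_git(const char *path)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl(path, path, (char *)NULL);
        _exit(127);            /* exec failed: the same code sh uses for "not found" */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);   /* assumption: report signals shell-style */
    if (!WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127) {
        errno = ENOENT;
        return -1;
    }
    return WEXITSTATUS(status);
}

/* The decision logic of the quoted hunk. */
static enum help_outcome classify_as_patched(const char *help_path)
{
    int status = run_like_git(help_path);

    if (!status)
        return HELP_OK;                     /* success */
    if (status == -1 && errno == ENOENT)
        return HELP_DISABLED;               /* "help disabled": interactive shell runs */
    return HELP_REFUSED;                    /* exit(status) */
}

/* Hardened variant (this example's assumption): existence decides "disabled",
 * so an existing script's exit status is always honoured, 127 included. */
static enum help_outcome classify_hardened(const char *help_path)
{
    if (access(help_path, X_OK) != 0)
        return HELP_DISABLED;
    return run_like_git(help_path) == 0 ? HELP_OK : HELP_REFUSED;
}

/* Write 'body' as an executable script under /tmp, classify it, clean up.
 * A NULL body stands for "no help command installed". */
enum help_outcome run_scenario(const char *body, int hardened)
{
    static int n;
    char path[128];
    enum help_outcome out;

    snprintf(path, sizeof path, "/tmp/git-shell-help-%ld-%d.sh", (long)getpid(), n++);
    if (body) {
        FILE *f = fopen(path, "w");
        if (!f)
            return HELP_REFUSED;
        fputs(body, f);
        fclose(f);
        chmod(path, 0700);
    }
    out = hardened ? classify_hardened(path) : classify_as_patched(path);
    if (body)
        unlink(path);
    return out;
}

int main(void)
{
    /* Constructed scripts: Peff's, with the "exti" typo, and the intended one. */
    static const char typo[] =
        "#!/bin/sh\necho >&2 'Sorry, no interactive shells allowed.'\nexti 1\n";
    static const char fixed[] =
        "#!/bin/sh\necho >&2 'Sorry, no interactive shells allowed.'\nexit 1\n";
    static const char *names[] = { "ok", "disabled", "refused" };

    printf("patched,  typo:  %s\n", names[run_scenario(typo, 0)]);
    printf("patched,  fixed: %s\n", names[run_scenario(fixed, 0)]);
    printf("hardened, typo:  %s\n", names[run_scenario(typo, 1)]);
    printf("no help command: %s\n", names[run_scenario(NULL, 0)]);
    return 0;
}
```

Build with `cc -Wall -o help-demo help-demo.c` and run it: the patched logic reports the typo script as "disabled" (the accidental interactive shell Peff describes) and only the correctly spelled script as "refused", while the hardened variant refuses both. The access() check has the usual gap between test and exec, which is acceptable here because ~/git-shell-commands is owned by the same account that runs git-shell.
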
Thread overview: 59+ messages
2013-02-10 21:05 Git prompt Ethan Reesor
2013-02-10 21:25 ` Jonathan Nieder
2013-02-10 21:54   ` Ethan Reesor
2013-02-10 22:43   ` Jeff King
2013-02-10 22:54     ` Junio C Hamano
2013-02-11  0:43       ` Sitaram Chamarty
2013-02-11  1:20         ` [RFC/PATCH] shell: allow 'help' command to disable interactive shell Jonathan Nieder
2013-02-11  3:44           ` Junio C Hamano
2013-02-11  4:17             ` Jonathan Nieder
2013-02-11  4:30               ` Junio C Hamano
2013-02-11  4:32                 ` Jonathan Nieder
2013-02-11  4:36                   ` Jeff King
2013-02-11  5:22                   ` Junio C Hamano
2013-02-11  5:57                     ` Ethan Reesor
2013-02-11  6:07                       ` Ethan Reesor
2013-02-11  6:09                       ` Jonathan Nieder
2013-02-11  6:11                         ` Ethan Reesor
2013-02-11  6:15                           ` Jonathan Nieder
2013-02-11  6:22                             ` Ethan Reesor
2013-02-11  6:14                     ` Jonathan Nieder
2013-02-11  7:01                       ` Junio C Hamano
2013-02-11  7:12                         ` Jonathan Nieder
2013-02-11  7:17                           ` Junio C Hamano
2013-02-11  7:21                             ` Jonathan Nieder
2013-02-11  7:44                               ` Junio C Hamano
2013-02-11  8:13                                 ` Jonathan Nieder
2013-02-11 16:17                                   ` Junio C Hamano
2013-02-11 16:00                             ` Jeff King
2013-02-11 17:18                               ` Junio C Hamano
2013-02-11 17:27                                 ` Jeff King
2013-02-11  7:18                           ` Ethan Reesor
2013-02-11  7:15                         ` Ethan Reesor
2013-02-11  7:22                           ` Junio C Hamano
2013-02-11  7:26                             ` Ethan Reesor
2013-02-11  7:28                               ` Junio C Hamano
2013-02-11  3:59           ` Jeff King
2013-02-11  4:14             ` Jonathan Nieder
2013-02-11  4:17               ` Jeff King
2013-02-11  4:26                 ` Jonathan Nieder
2013-02-11  4:33                   ` Jeff King
2013-02-11  5:56                     ` [PATCH 0/2 v2] " Jonathan Nieder
2013-02-11  5:57                       ` [PATCH 1/2] shell doc: emphasize purpose and security model Jonathan Nieder
2013-02-11  7:10                         ` Junio C Hamano
2013-02-11  7:13                           ` Jonathan Nieder
2013-02-11 18:32                         ` Junio C Hamano
2013-02-11  5:58                       ` [PATCH 2/2] shell: pay attention to exit status from 'help' command Jonathan Nieder
2013-02-11  6:06                         ` Ethan Reesor
2013-02-11  7:15                         ` Junio C Hamano
2013-02-11  7:52                           ` Jonathan Nieder
2013-02-11 16:28                             ` Junio C Hamano
2013-02-11  4:45           ` Jeff King [this message]
2013-03-09 21:52 ` [PATCH v3 0/2] shell: allow 'no-interactive-login' command to disable interactive shell Jonathan Nieder
2013-03-09 21:55   ` [PATCH 1/2] shell doc: emphasize purpose and security model Jonathan Nieder
2013-03-09 22:00   ` [PATCH 2/2] shell: new no-interactive-login command to print a custom message Jonathan Nieder
2013-03-10  5:04     ` Junio C Hamano
2013-03-10  5:21       ` Jonathan Nieder
2013-03-10 10:49     ` Ramkumar Ramachandra
2013-03-11 22:48       ` Jonathan Nieder
2013-03-12 10:47   ` [PATCH v3 0/2] shell: allow 'no-interactive-login' command to disable interactive shell Jeff King
