git.vger.kernel.org archive mirror
From: Jeff King <peff@peff.net>
To: 惠轶群 <huiyiqun@gmail.com>
Cc: Junio C Hamano <gitster@pobox.com>,
	git@vger.kernel.org, Your friend <pickfire@riseup.net>
Subject: Re: [PATCH/RFC/GSoC 3/3] t0301: test credential-cache support of XDG_RUNTIME_DIR
Date: Wed, 16 Mar 2016 12:55:28 -0400
Message-ID: <20160316165527.GA4039@sigill.intra.peff.net>
In-Reply-To: <CAKqreuwRpS3uP6=afm-0pBkPW0-bqoJconnKO5q3qTgZwdU_xQ@mail.gmail.com>

On Thu, Mar 17, 2016 at 12:40:59AM +0800, 惠轶群 wrote:

> > Is it better to have the fallback in /tmp, and not in
> > ~/.git-credential-cache/, and why?
> >
> > Is it because the wish is to always use /tmp/git-$uid/ as a fallback
> > for $XDG_RUNTIME_DIR (as opposed to ~/.git-credential-cache/, which
> > is specific to the credential-cache and would look strange if we
> > used it for other "runtime" things)?
> 
> Yes, I mean to use it as a general fallback for git.
> 
> The XDG base dir spec does not specify where to fall back when
> $XDG_RUNTIME_DIR is not defined. It just says:
> 
> If $XDG_RUNTIME_DIR is not set applications should fall back to
> a replacement directory with similar capabilities and print a warning
> message. Applications should use this directory for communication
> and synchronization purposes and should not place larger files in it,
> since it might reside in runtime memory and cannot necessarily be
> swapped out to disk.
> 
> tmpfs is just like what it describes. And many other applications
> put sockets under it, such as tmux.
> 
> On the other hand, I think, falling back to $HOME/.git-credential-cache/socket
> doesn't make any sense, for backward compatibility cannot be ensured.

If we are going to use a publicly accessible directory like /tmp, I
think we need to start worrying about tmp-races with malicious users.

Right now we make sure that an existing socket directory is mode 0700.
That's just a courtesy check that the user didn't create it themselves
with a permissive mode. But we don't check the owner of the directory,
and our check is racy with accessing the directory.

So if we blindly use an existing /tmp/git-$uid, I think an attacker can
race with:

    dir=/tmp/git-$victimuid
    mkdir $dir
    while true; do
        chmod 0700 $dir
        chmod 0777 $dir
    done

If the victim does their mode check while the 0700 is in effect, but
then creates the socket during the 0777 moment, they won't notice
anything amiss. And the attacker will have access to their credential
socket.

This is a classic /tmp race.  I imagine it's less of an issue in this
day and age when people mostly have their own machines and their own
/tmp, but we still should not recreate the mistakes of the past.

-Peff
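
The race described above is a check-then-use problem: the mode is inspected by path and the socket is then created by path, so only the window between the two matters. The usual defence is to create the directory 0700, open it with O_DIRECTORY|O_NOFOLLOW, and perform the owner and mode checks with fstat() on the descriptor that is then kept for all further use; the following is an added example of that pattern, not git's code, and open_private_dir() and self_test() are names chosen for this illustration.

```c
/* Added example (not git's code): do the runtime-dir check and its use on one inode. */
#define _GNU_SOURCE                 /* declares O_DIRECTORY, O_NOFOLLOW, O_CLOEXEC, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return a descriptor for `path` if it is a directory owned by the caller with no group/other
 * bits, creating it 0700 when absent; -1 otherwise. Checks run on the descriptor, never the path. */
int open_private_dir(const char *path)              /* hypothetical helper name */
{
    struct stat st;
    int fd;
    if (mkdir(path, 0700) < 0 && errno != EEXIST)   /* umask can only narrow 0700 */
        return -1;
    /* O_NOFOLLOW rejects a planted symlink, O_DIRECTORY a planted file or socket. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() inspects the inode we hold, so a chmod/rename/symlink swap cannot slip in. */
    if (fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode) || st.st_uid != getuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);                  /* someone else's directory, or too permissive */
        errno = EACCES;
        return -1;
    }
    return fd;                      /* keep using it via openat()/fchdir(), never by path */
}

/* Exercise the helper in a scratch directory (constructed for this example): a fresh path is
 * accepted, then rejected once widened to 0777, then rejected once replaced by a symlink. */
int self_test(void)
{
    char in_cwd[] = "privdir.XXXXXX", in_tmp[] = "/tmp/privdir.XXXXXX", path[64];
    const char *base = mkdtemp(in_cwd) ? in_cwd : mkdtemp(in_tmp) ? in_tmp : NULL;
    int fd, ok;
    if (!base)
        return 0;
    snprintf(path, sizeof path, "%s/git-runtime", base);
    fd = open_private_dir(path);
    ok = fd >= 0;
    if (fd >= 0)
        close(fd);
    chmod(path, 0777);              /* the widened state of the chmod loop quoted above */
    ok = ok && open_private_dir(path) < 0;
    rmdir(path);
    ok = ok && symlink("/", path) == 0 && open_private_dir(path) < 0;
    unlink(path);
    rmdir(base);
    return ok;                      /* 1 when all three cases behave as intended */
}
```

Because a UNIX socket is still bound by path, the caller should fchdir() to the returned descriptor and bind a relative name, so the directory that was checked is the one the socket lands in.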

Thread overview: 30+ messages
2016-03-14 14:47 [GSOC] Microproject "Move ~/.git-credential-cache to ~/.config/git" 惠轶群
2016-03-14 15:42 ` Junio C Hamano
2016-03-14 19:53   ` 惠轶群
2016-03-14 20:33     ` Junio C Hamano
2016-03-15  1:32       ` 惠轶群
2016-03-15  2:14         ` Your friend
     [not found]           ` <CAKqreux-m3yHVsEQXdf+8vMNZwC0UCMBWnzbaqYJbdEEM14qiQ@mail.gmail.com>
2016-03-15  5:56             ` Ivan Tham
2016-03-15  3:13         ` Jeff King
     [not found]           ` <CAKqreuwv+RRziS-NcaLYZYUN0_KrfgZSe6wp0wGBza4q3_x8RA@mail.gmail.com>
2016-03-15 19:21             ` Jeff King
2016-03-16 10:45               ` 惠轶群
2016-03-16 10:07 ` [PATCH/RFC/GSoC 1/3] path.c: implement xdg_runtime_dir() Hui Yiqun
2016-03-16 10:07   ` [PATCH/RFC/GSoC 2/3] git-credential-cache: put socket to xdg-compatible path Hui Yiqun
2016-03-17 10:26     ` 惠轶群
2016-03-16 10:07   ` [PATCH/RFC/GSoC 3/3] t0301: test credential-cache support of XDG_RUNTIME_DIR Hui Yiqun
2016-03-16 16:17     ` Junio C Hamano
2016-03-16 16:40       ` 惠轶群
2016-03-16 16:55         ` Jeff King [this message]
2016-03-16 17:24         ` Junio C Hamano
2016-03-17  3:59           ` 谭俊浩
2016-03-17  8:12             ` Junio C Hamano
2016-03-17 10:10               ` 惠轶群
2016-03-17  9:45           ` 惠轶群
2016-03-16 17:15     ` Jeff King
2016-03-18  4:35       ` 惠轶群
     [not found]       ` <CAKqreuw7Am_wZQjYYjvsxx0Ccr4OOwoF=EnLvMTK9jxeBUFv5Q@mail.gmail.com>
2016-03-18  5:00         ` Jeff King
2016-03-18  5:11           ` 惠轶群
2016-03-18  6:02             ` 惠轶群
2016-03-18  6:12               ` [PATCH] credential-cache--daemon: clarify "exit" action semantics Jeff King
2016-03-16 17:06   ` [PATCH/RFC/GSoC 1/3] path.c: implement xdg_runtime_dir() Jeff King
2016-03-17 10:20     ` 惠轶群
