From: Jeff King <peff@peff.net>
To: Hui Yiqun <huiyiqun@gmail.com>
Cc: git@vger.kernel.org, gitster@pobox.com, pickfire@riseup.net
Subject: Re: [PATCH/RFC/GSoC 1/3] path.c: implement xdg_runtime_dir()
Date: Wed, 16 Mar 2016 13:06:23 -0400
Message-ID: <20160316170623.GB4039@sigill.intra.peff.net>
In-Reply-To: <1458122865-29447-1-git-send-email-huiyiqun@gmail.com>

On Wed, Mar 16, 2016 at 06:07:43PM +0800, Hui Yiqun wrote:

> +	if (runtime_dir && *runtime_dir)
> +		git_runtime_dir = mkpathdup("%s/git/", runtime_dir);
> +	else
> +		git_runtime_dir = mkpathdup("/tmp/git-%d", uid);
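Review bot: the two branches build inconsistent paths: the XDG form ends in a trailing slash ("%s/git/") while the fallback ("/tmp/git-%d") does not, so a later "%s/%s" join produces "…/git//filename" in the XDG case; drop the trailing slash. If uid is a uid_t, it should also be printed with %u (or cast) rather than %d.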

Here we allocate the string, but later we may return NULL on error,
leaking the allocated memory.

> +	if (!lstat(git_runtime_dir, &st)) {
> +		/*
> +		 * As described in XDG base dir spec[1], the subdirectory
> +		 * under $XDG_RUNTIME_DIR or its fallback MUST be owned by
> +		 * the user, and its unix access mode MUST be 0700.
> +		 *
> +		 * Calling chmod or chown silently may cause security
> +		 * problem if somebody chdir to it, sleep, and then, try
> +		 * to open our protected runtime cache or socket.
> +		 * So we just put warning and left it to user to solve.
> +		 *
> +		 * [1]https://specifications.freedesktop.org/basedir-spec/
> +		 * basedir-spec-latest.html
> +		 */
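Review bot: the comment's last sentence reads awkwardly; suggest "So we just emit a warning and leave it to the user to fix." The rationale itself (refuse rather than chmod/chown a directory someone else may already be sitting in) is the right call and worth keeping in the comment.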

OK. I think these checks should be sufficient to deal with the /tmp race
I mentioned elsewhere in the thread (assuming that an attacker cannot
flip the uid back and forth in the same way, but that should be true on
Unix systems).

> +		if ((st.st_mode & 0777) != S_IRWXU) {
> +			fprintf(stderr,
> +					"permission of runtime directory '%s' "
> +					"MUST be 0700 instead of 0%o\n",
> +					git_runtime_dir, (st.st_mode & 0777));
> +			return NULL;
> +		} else if (st.st_uid != uid) {
> +			fprintf(stderr,
> +					"owner of runtime directory '%s' "
> +					"MUST be %d instead of %d\n",
> +					git_runtime_dir, uid, st.st_uid);
> +			return NULL;
> +		}
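Review bot: the checks verify mode and owner but never file type, so a regular file at git_runtime_dir that happens to be 0700 and user-owned passes and only fails later; a symlink, which lstat() reports with the link's own mode and owner, is rejected with a misleading "MUST be 0700" message. Add an S_ISDIR(st.st_mode) check with its own message ahead of the mode check. As in the first hunk, st.st_uid and uid are uid_t and should not be printed with %d.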

Should these be using warning(), rather than a raw fprintf?

> +	} else {
> +		if (safe_create_leading_directories_const(git_runtime_dir) < 0) {
> +			fprintf(stderr,
> +					"unable to create directories for '%s'\n",
> +					git_runtime_dir);
> +			return NULL;
> +		}
> +		if (mkdir(git_runtime_dir, 0700) < 0) {
> +			fprintf(stderr,
> +					"unable to mkdir '%s'\n", git_runtime_dir);
> +			return NULL;
> +		}
> +	}
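Review bot: the "unable to mkdir" message drops errno, so the case this path exists to defend against (the directory appearing between the lstat() and the mkdir(), yielding EEXIST) cannot be told apart from EACCES or ENOSPC in the output; include strerror(errno) in both failure messages. Note also that safe_create_leading_directories_const() creates any missing parent with umask-dependent permissions, so if $XDG_RUNTIME_DIR itself is absent it gets created without the 0700 mode the comment above requires; consider failing instead when the parent does not exist.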

And this retains the un-racy mkdir(). Good.

> +	free(git_runtime_dir);
> +	return mkpathdup("%s/%s", git_runtime_dir, filename);
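Review bot: free(git_runtime_dir) must move after the mkpathdup() that reads it, as written this is a use after free. Since every early "return NULL" above also needs to release the buffer, a single cleanup path (or building the whole thing in a strbuf and detaching it at the end) avoids both the leak and the ordering mistake.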

This mkpathdup accesses the string we just freed?

It might be easier to just use a strbuf here, and then you can append to
it at the end.

-Peff
