From: Jonathan Nieder <jrnieder@gmail.com>
To: Taylor Blau <me@ttaylorr.com>
Cc: git@vger.kernel.org,
Johannes Schindelin <Johannes.Schindelin@gmx.de>,
Junio C Hamano <gitster@pobox.com>
Subject: Re: Too-loose checks for applying safe.directory rules?
Date: Tue, 12 Apr 2022 22:26:07 -0700 [thread overview]
Message-ID: <YlZe766xu9mHWNdy@google.com> (raw)
In-Reply-To: <YlZJGbcNzSp5yNN1@nand.local>
(+cc: git@vger, git-security -> bcc)
Hi,
Taylor Blau wrote:
> Hi all,
>
> I was skimming the Hacker News comments on my blog post covering the
> latest pair of CVEs, and this[1] comment stuck out to me.
>
> Looking at 8959555cee (setup_git_directory(): add an owner check for the
> top-level directory, 2022-03-02), I wonder why the `safe_directory_cb()`
> callback doesn't bother to check that `key` is `safe.directory`.
>
> Indeed, our checks seem too loose here. Initializing a repository as
> root:
>
> $ su
> # git init repo
>
> Then trying to run "git status" inside of that repo as my normal user
> gives the expected error:
>
> $ git status
> fatal: unsafe repository ('/home/repo' is owned by someone else)
> To add an exception for this directory, call:
>
> git config --global --add safe.directory /home/repo
>
> But doing the following:
>
> $ git config --global --add foo.bar /home/repo
>
> tricks Git into thinking that _any_ value which looks like a path in the
> "early config" scope can be interpreted as if the key were
> safe.directory, even when it is not:
>
> $ git status
> On branch master
>
> No commits yet
>
> nothing to commit (create/copy files and use "git add" to track)
>
> The author of [1] sent a PR to the git/git repo on GitHub [2], so I
> don't think there's any value in doing another coordinated release here.
Thanks, Taylor. I'm taking the liberty of moving to the main Git list.
> We should certainly fix this before 2.36 is released, but should
> probably apply those patches down to the suite of minor versions
> released today, too.
>
> It's entirely possible I'm holding it wrong and/or missing something
> here, and I'd be happy to be wrong here.
>
> Thanks,
> Taylor
>
> [1]: https://news.ycombinator.com/item?id=31010604
> [2]: https://github.com/git/git/pull/1235
Thanks,
Jonathan
next parent reply other threads:[~2022-04-13 5:26 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <YlZJGbcNzSp5yNN1@nand.local>
2022-04-13 5:26 ` Jonathan Nieder [this message]
2022-04-26 11:08 ` Too-loose checks for applying safe.directory rules? CB Bailey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YlZe766xu9mHWNdy@google.com \
--to=jrnieder@gmail.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=me@ttaylorr.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).