[PATCH v2] Improve the filemode trustability check

Git development
 help / color / mirror / Atom feed

* [PATCH v2] Improve the filemode trustability check
@ 2014-11-20 11:49 Torsten Bögershausen
  2014-11-20 17:55 ` Junio C Hamano
  0 siblings, 1 reply; 2+ messages in thread
From: Torsten Bögershausen @ 2014-11-20 11:49 UTC (permalink / raw)
  To: git; +Cc: tboegi

Some file systems do not support the executable bit:
a) The user executable bit is always 0, e.g. VFAT mounted with -onoexec
b) The user executable bit is always 1, e.g. cifs mounted with -ofile_mode=0755
c) There are system where user executable bit is 1 even if it should be 0
   like b), but the file mode can be maintained locally. chmod -x changes the
   file mode from 0766 to 0666, until the file system is unmounted and
   remounted and the file mode is 0766 again.
   This been observed when a Windows machine with NTFS exports a share to
   Mac OS X via smb or afp.

Case a) and b) are handled by the current code.
Case c) qualifies as "non trustable executable bit" and core.filemode
should be false, but this is currently not done.

Detect when ".git/config" has the user executable bit set after
creat(".git/config", 0666) and set core.filemode to false.

Signed-off-by: Torsten Bögershausen <tboegi@web.de>
---
Changes since V1:
- Improved commit msg (hopefully)
- Simplified the patch
 builtin/init-db.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/builtin/init-db.c b/builtin/init-db.c
index aab44d2..195a88b 100644
--- a/builtin/init-db.c
+++ b/builtin/init-db.c
@@ -252,7 +252,8 @@ static int create_default_files(const char *template_path)
 	filemode = TEST_FILEMODE;
 	if (TEST_FILEMODE && !lstat(path, &st1)) {
 		struct stat st2;
-		filemode = (!chmod(path, st1.st_mode ^ S_IXUSR) &&
+		filemode = (!(st1.st_mode & S_IXUSR) &&
+				!chmod(path, st1.st_mode ^ S_IXUSR) &&
 				!lstat(path, &st2) &&
 				st1.st_mode != st2.st_mode &&
 				!chmod(path, st1.st_mode));
-- 
2.0.0.GIT

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH v2] Improve the filemode trustability check
  2014-11-20 11:49 [PATCH v2] Improve the filemode trustability check Torsten Bögershausen
@ 2014-11-20 17:55 ` Junio C Hamano
  0 siblings, 0 replies; 2+ messages in thread
From: Junio C Hamano @ 2014-11-20 17:55 UTC (permalink / raw)
  To: Torsten Bögershausen; +Cc: git

Torsten Bögershausen <tboegi@web.de> writes:

> Some file systems do not support the executable bit:
> a) The user executable bit is always 0, e.g. VFAT mounted with -onoexec
> b) The user executable bit is always 1, e.g. cifs mounted with -ofile_mode=0755
> c) There are system where user executable bit is 1 even if it should be 0
>    like b), but the file mode can be maintained locally. chmod -x changes the
>    file mode from 0766 to 0666, until the file system is unmounted and
>    remounted and the file mode is 0766 again.
>    This been observed when a Windows machine with NTFS exports a share to
>    Mac OS X via smb or afp.
>
> Case a) and b) are handled by the current code.
> Case c) qualifies as "non trustable executable bit" and core.filemode
> should be false, but this is currently not done.
>
> Detect when ".git/config" has the user executable bit set after
> creat(".git/config", 0666) and set core.filemode to false.

Is this codepath reached _only_ and immediately after creat(0666) of
the config file in the same process?  The function has a local
variable reinit, which is returned to the caller to help it decide
if we are re-initializing an existing repository, so I suspect that
the call to git_config_set() before this part of the code may not
necessarily be creating the file [*1*].

I _think_ in the reinit case that makes us rewrite an existing
config file, the mode bits are propagated to the new file we just
wrote from the old one; checking st1.st_mode is therefore seeing
not what create(0666) gave us but whatever random bits the user had
on the original.

Which is probably not a useful source of information to gauge the
characterisic of the filesystem, no?

[Footnote]

*1* We may have been asked to reinitialize and update an existing
repository that was created with the same or older repository format
number.

> Signed-off-by: Torsten Bögershausen <tboegi@web.de>
> ---
> Changes since V1:
> - Improved commit msg (hopefully)
> - Simplified the patch
>  builtin/init-db.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/builtin/init-db.c b/builtin/init-db.c
> index aab44d2..195a88b 100644
> --- a/builtin/init-db.c
> +++ b/builtin/init-db.c
> @@ -252,7 +252,8 @@ static int create_default_files(const char *template_path)
>  	filemode = TEST_FILEMODE;
>  	if (TEST_FILEMODE && !lstat(path, &st1)) {
>  		struct stat st2;
> -		filemode = (!chmod(path, st1.st_mode ^ S_IXUSR) &&
> +		filemode = (!(st1.st_mode & S_IXUSR) &&
> +				!chmod(path, st1.st_mode ^ S_IXUSR) &&
>  				!lstat(path, &st2) &&
>  				st1.st_mode != st2.st_mode &&
>  				!chmod(path, st1.st_mode));

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2014-11-20 17:56 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-11-20 11:49 [PATCH v2] Improve the filemode trustability check Torsten Bögershausen
2014-11-20 17:55 ` Junio C Hamano

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox