From: Junio C Hamano <gitster@pobox.com>
To: "Carlo Marcelo Arenas Belón" <carenas@gmail.com>
Cc: git@vger.kernel.org, szeder.dev@gmail.com
Subject: Re: [PATCH 1/2] Documentation: explain how safe.directory works when running under sudo
Date: Wed, 27 Apr 2022 22:17:27 -0700 [thread overview]
Message-ID: <xmqqlevphjmg.fsf@gitster.g> (raw)
In-Reply-To: <20220428033544.68188-2-carenas@gmail.com> ("Carlo Marcelo Arenas Belón"'s message of "Wed, 27 Apr 2022 20:35:43 -0700")
Carlo Marcelo Arenas Belón <carenas@gmail.com> writes:
> In a previous patch, the behaviour of git was changed so it will be able
> to find the "effective uid" that is required when git was invoked with
> sudo to root, for example:
>
> $ sudo make install
>
> Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
> ---
> Documentation/config/safe.txt | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/Documentation/config/safe.txt b/Documentation/config/safe.txt
> index 6d764fe0ccf..67f8ef5d766 100644
> --- a/Documentation/config/safe.txt
> +++ b/Documentation/config/safe.txt
> @@ -26,3 +26,11 @@ directory was listed in the `safe.directory` list. If `safe.directory=*`
> is set in system config and you want to re-enable this protection, then
> initialize your list with an empty value before listing the repositories
> that you deem safe.
> ++
> +When git tries to check for ownership of git repositories it will obviously
Comma before "it will obviously".
> +use the user that is being used to run git itself, but if git is running
> +as root, it will first check if it might had been started through `sudo`,
> +and if that is the case, will use the user id that invoked sudo instead.
This raises a design question. In a repository is owned by root,
shouldn't "sudo git describe" work? IOW, I am wondering if the
"instead" at the end of the description is what we want, or if we
want to check both the original user and "root".
There is not much point in protecting against a malicious repository
a repository that is owned by "root"---an attacker that can create
such a repository and futz with its config or hooks can attack you
more directly, without social engineering you into using git on such
a repository. So from that point of view, it may be reasonable to
say that we can trust repositories owned by
- euid (both when euid is root and euid is not root)
- SUDO_UID (when euid is root)
I think. And even if we adopt such a tweak, ...
> +If that is not what you would prefer and want git to instead only trust
> +repositories that are owned by root, then you should remove the `SUDO_UID`
> +variable from root's environment.
... this is still true.
I guess the necessary tweak to the code, if we were to take that
suggestion, would be quite small. We are happy when euid owns the
path (regardless of who euid is), and in addition, only when euid
is root, we check with SUDO_UID, too.
git-compat-util.h | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git c/git-compat-util.h w/git-compat-util.h
index dfdd3e4f81..18660553b3 100644
--- c/git-compat-util.h
+++ w/git-compat-util.h
@@ -401,13 +401,13 @@ static inline int git_offset_1st_component(const char *path)
#endif
/*
- * this helper function overrides a ROOT_UID with the one provided by
- * an environment variable, do not use unless the original user is
- * root
+ * The environment variable (e.g. SUDO_UID) gives an integer;
+ * is it the same as the given uid_t id?
*/
-static inline void extract_id_from_env(const char *env, uid_t *id)
+static inline int id_from_env_matches(const char *env, uid_t id)
{
const char *real_uid = getenv(env);
+ int matches = 0;
/* discard any empty values */
if (real_uid && *real_uid) {
@@ -417,11 +417,12 @@ static inline void extract_id_from_env(const char *env, uid_t *id)
errno = 0;
env_id = strtoul(real_uid, &endptr, 10);
- if (!errno && !*endptr && env_id <= (uid_t)-1)
- *id = env_id;
-
+ if (!errno && !*endptr && env_id <= (uid_t)-1 &&
+ (uid_t)env_id == id)
+ matches = 1;
errno = saved_errno;
}
+ return matches;
}
static inline int is_path_owned_by_current_uid(const char *path)
@@ -433,10 +434,11 @@ static inline int is_path_owned_by_current_uid(const char *path)
return 0;
euid = geteuid();
+ if (st.st_uid == euid)
+ return 1;
if (euid == ROOT_UID)
- extract_id_from_env("SUDO_UID", &euid);
-
- return st.st_uid == euid;
+ return id_from_env_matches("SUDO_UID", st.st_uid);
+ return 0;
}
#define is_path_owned_by_current_user is_path_owned_by_current_uid
next prev parent reply other threads:[~2022-04-28 5:17 UTC|newest]
Thread overview: 170+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-26 18:31 [RFC PATCH] git-compat-util: avoid failing dir ownership checks if running priviledged Carlo Marcelo Arenas Belón
2022-04-26 19:48 ` Derrick Stolee
2022-04-26 19:56 ` Junio C Hamano
2022-04-26 20:10 ` rsbecker
2022-04-26 20:45 ` Carlo Arenas
2022-04-26 21:10 ` Junio C Hamano
2022-04-26 20:12 ` Carlo Arenas
2022-04-26 20:26 ` Carlo Arenas
2022-04-29 16:16 ` Derrick Stolee
2022-04-27 0:05 ` [PATCH] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-04-27 9:33 ` Phillip Wood
2022-04-27 12:30 ` Phillip Wood
2022-04-27 14:15 ` rsbecker
2022-04-27 15:58 ` Carlo Arenas
2022-04-27 16:14 ` Phillip Wood
2022-04-27 18:54 ` Junio C Hamano
2022-04-27 20:59 ` Carlo Arenas
2022-04-27 21:09 ` rsbecker
2022-04-27 21:25 ` Junio C Hamano
2022-04-28 17:56 ` Phillip Wood
2022-04-27 15:38 ` Carlo Arenas
2022-04-27 15:50 ` rsbecker
2022-04-27 16:19 ` Junio C Hamano
2022-04-27 16:45 ` Carlo Arenas
2022-04-27 17:22 ` Phillip Wood
2022-04-27 17:49 ` rsbecker
2022-04-27 17:54 ` Carlo Arenas
2022-04-27 18:05 ` rsbecker
2022-04-27 18:11 ` Carlo Arenas
2022-04-27 18:16 ` rsbecker
2022-04-27 16:31 ` Phillip Wood
2022-04-27 16:54 ` Carlo Arenas
2022-04-27 17:28 ` Phillip Wood
2022-04-27 17:49 ` Carlo Arenas
2022-04-27 22:26 ` [RFC PATCH v2] " Carlo Marcelo Arenas Belón
2022-04-27 22:33 ` Junio C Hamano
2022-04-28 3:35 ` [PATCH 0/2] fix `sudo make install` regression in maint Carlo Marcelo Arenas Belón
2022-04-28 3:35 ` [PATCH 1/2] Documentation: explain how safe.directory works when running under sudo Carlo Marcelo Arenas Belón
2022-04-28 5:17 ` Junio C Hamano [this message]
2022-04-28 5:58 ` Carlo Arenas
2022-04-28 6:41 ` Junio C Hamano
2022-04-28 3:35 ` [PATCH 2/2] t: add tests for safe.directory when running with sudo Carlo Marcelo Arenas Belón
2022-04-28 5:34 ` Junio C Hamano
2022-04-28 4:57 ` [PATCH 0/2] fix `sudo make install` regression in maint Junio C Hamano
2022-04-28 10:58 ` [PATCH v2 0/3] " Carlo Marcelo Arenas Belón
2022-04-28 10:58 ` [PATCH v2 1/3] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-04-28 18:02 ` Phillip Wood
2022-04-28 18:57 ` Carlo Arenas
2022-04-28 10:58 ` [PATCH v2 2/3] Documentation: explain how safe.directory works when running under sudo Carlo Marcelo Arenas Belón
2022-04-30 6:17 ` Bagas Sanjaya
2022-04-30 6:39 ` Junio C Hamano
2022-04-30 14:15 ` Carlo Marcelo Arenas Belón
2022-04-28 10:58 ` [PATCH v2 3/3] t: add tests for safe.directory when running with sudo Carlo Marcelo Arenas Belón
2022-04-28 16:55 ` Junio C Hamano
2022-04-28 18:08 ` Phillip Wood
2022-04-28 18:12 ` Junio C Hamano
2022-05-06 17:50 ` Carlo Arenas
2022-05-06 21:43 ` Junio C Hamano
2022-05-06 22:57 ` Carlo Arenas
2022-05-06 23:55 ` Junio C Hamano
2022-05-07 11:57 ` Carlo Marcelo Arenas Belón
2022-04-28 19:53 ` rsbecker
2022-04-28 20:22 ` Carlo Arenas
2022-04-28 20:43 ` rsbecker
2022-04-28 20:51 ` Junio C Hamano
2022-04-28 20:56 ` Carlo Arenas
2022-04-28 21:55 ` rsbecker
2022-04-28 22:21 ` Junio C Hamano
2022-04-28 22:45 ` rsbecker
2022-04-28 20:46 ` Junio C Hamano
2022-04-28 20:32 ` Junio C Hamano
2022-04-28 20:40 ` rsbecker
2022-04-28 20:48 ` Carlo Arenas
2022-04-28 21:02 ` Carlo Arenas
2022-04-28 21:07 ` Junio C Hamano
2022-04-29 1:24 ` Carlo Marcelo Arenas Belón
2022-04-29 18:50 ` Junio C Hamano
2022-04-29 20:05 ` Carlo Marcelo Arenas Belón
2022-05-02 18:39 ` [RFC PATCH v3 0/3] fix `sudo make install` regression in maint Carlo Marcelo Arenas Belón
2022-05-02 18:39 ` [RFC PATCH v3 1/3] t: document regression git safe.directory when using sudo Carlo Marcelo Arenas Belón
2022-05-02 21:35 ` Junio C Hamano
2022-05-02 23:07 ` Carlo Arenas
2022-05-02 18:39 ` [RFC PATCH v3 2/3] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-05-02 18:39 ` [RFC PATCH v3 3/3] t0034: enhance framework to allow testing more commands under sudo Carlo Marcelo Arenas Belón
2022-05-02 22:10 ` Junio C Hamano
2022-05-03 0:00 ` Carlo Arenas
2022-05-03 6:54 ` [PATCH v3 0/3] fix `sudo make install` regression in maint Carlo Marcelo Arenas Belón
2022-05-03 6:54 ` [PATCH v3 1/3] t: document regression git safe.directory when using sudo Carlo Marcelo Arenas Belón
2022-05-03 14:03 ` Phillip Wood
2022-05-03 15:56 ` Carlo Marcelo Arenas Belón
2022-05-04 11:15 ` Phillip Wood
2022-05-04 13:02 ` Carlo Arenas
2022-05-04 14:11 ` Phillip Wood
2022-05-05 13:44 ` Johannes Schindelin
2022-05-05 14:34 ` Phillip Wood
2022-05-05 15:50 ` Junio C Hamano
2022-05-05 18:33 ` Junio C Hamano
2022-05-05 19:39 ` Junio C Hamano
2022-05-06 21:03 ` Carlo Arenas
2022-05-09 8:21 ` Phillip Wood
2022-05-09 14:51 ` Carlo Arenas
2022-05-09 15:18 ` Phillip Wood
2022-05-09 16:01 ` Junio C Hamano
2022-05-09 16:21 ` Carlo Arenas
2022-05-06 17:39 ` Carlo Arenas
2022-05-03 6:54 ` [PATCH v3 2/3] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-05-05 14:01 ` Johannes Schindelin
2022-05-05 14:32 ` Phillip Wood
2022-05-06 19:15 ` Carlo Arenas
2022-05-06 20:00 ` Junio C Hamano
2022-05-06 20:22 ` Carlo Arenas
2022-05-06 20:59 ` Junio C Hamano
2022-05-06 21:40 ` Carlo Arenas
2022-05-06 21:07 ` rsbecker
2022-05-05 16:09 ` Junio C Hamano
2022-05-06 20:02 ` Carlo Arenas
2022-05-03 6:54 ` [PATCH v3 3/3] t0034: enhance framework to allow testing more commands under sudo Carlo Marcelo Arenas Belón
2022-05-03 14:12 ` Phillip Wood
2022-05-03 15:27 ` Junio C Hamano
2022-05-06 16:54 ` Carlo Arenas
2022-05-07 16:35 ` [RFC PATCH v4 0/3] fix `sudo make install` regression in maint Carlo Marcelo Arenas Belón
2022-05-07 16:35 ` [RFC PATCH v4 1/3] t: regression git needs safe.directory when using sudo Carlo Marcelo Arenas Belón
2022-05-07 16:35 ` [RFC PATCH v4 2/3] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-05-07 17:34 ` Junio C Hamano
2022-05-07 18:56 ` Carlo Marcelo Arenas Belón
2022-05-09 16:54 ` Junio C Hamano
2022-05-09 17:36 ` rsbecker
2022-05-09 18:48 ` Carlo Arenas
2022-05-09 19:16 ` rsbecker
2022-05-09 19:41 ` Junio C Hamano
2022-05-07 16:35 ` [RFC PATCH v4 3/3] t0034: add negative tests and allow git init to mostly work under sudo Carlo Marcelo Arenas Belón
2022-05-10 14:17 ` [RFC PATCH v4 0/3] fix `sudo make install` regression in maint Phillip Wood
2022-05-10 15:47 ` Carlo Arenas
2022-05-10 17:46 ` [PATCH " Carlo Marcelo Arenas Belón
2022-05-10 17:46 ` [PATCH v4 1/3] t: regression git needs safe.directory when using sudo Carlo Marcelo Arenas Belón
2022-05-10 22:10 ` Junio C Hamano
2022-05-10 23:11 ` Carlo Arenas
2022-05-10 23:44 ` Junio C Hamano
2022-05-11 0:56 ` Carlo Arenas
2022-05-11 1:11 ` Junio C Hamano
2022-05-10 17:46 ` [PATCH v4 2/3] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-05-10 22:57 ` Junio C Hamano
2022-05-11 7:34 ` Carlo Arenas
2022-05-11 14:58 ` Junio C Hamano
2022-05-10 17:46 ` [PATCH v4 3/3] t0034: add negative tests and allow git init to mostly work under sudo Carlo Marcelo Arenas Belón
2022-05-10 23:11 ` Junio C Hamano
2022-05-10 23:25 ` Junio C Hamano
2022-05-11 14:04 ` Carlo Arenas
2022-05-11 15:29 ` Junio C Hamano
2022-05-13 1:00 ` [PATCH v5 0/4] fix `sudo make install` regression in maint Carlo Marcelo Arenas Belón
2022-05-13 1:00 ` [PATCH v5 1/4] t: regression git needs safe.directory when using sudo Carlo Marcelo Arenas Belón
2022-06-03 12:12 ` SZEDER Gábor
2022-05-13 1:00 ` [PATCH v5 2/4] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-06-03 11:05 ` SZEDER Gábor
2022-06-03 16:54 ` Junio C Hamano
2022-06-03 17:34 ` SZEDER Gábor
2022-05-13 1:00 ` [PATCH v5 3/4] t0034: add negative tests and allow git init to mostly work under sudo Carlo Marcelo Arenas Belón
2022-05-13 1:20 ` Junio C Hamano
2022-05-14 14:36 ` Carlo Arenas
2022-05-15 16:54 ` Junio C Hamano
2022-05-15 19:21 ` Carlo Arenas
2022-05-16 5:27 ` Junio C Hamano
2022-05-16 13:07 ` Carlo Marcelo Arenas Belón
2022-05-16 16:25 ` Junio C Hamano
2022-05-13 1:00 ` [PATCH v5 4/4] git-compat-util: allow root to access both SUDO_UID and root owned Carlo Marcelo Arenas Belón
2022-06-15 14:02 ` Johannes Schindelin
2022-06-17 14:26 ` Carlo Arenas
2022-06-17 16:00 ` Junio C Hamano
2022-06-17 20:23 ` [PATCH v6] " Carlo Marcelo Arenas Belón
2022-06-17 21:02 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqlevphjmg.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=carenas@gmail.com \
--cc=git@vger.kernel.org \
--cc=szeder.dev@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).