From: Junio C Hamano <gitster@pobox.com>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: "Michal Suchánek" <msuchanek@suse.de>,
	"David C. Rankin" <drankinatty@gmail.com>,
	git@vger.kernel.org
Subject: Re: Local git server can't serve https until repos owned by http, can't serve ssh unless repos owned by user after 2.45.1
Date: Tue, 25 Jun 2024 09:12:38 -0700
Message-ID: <xmqqr0cl6lxl.fsf@gitster.g>
In-Reply-To: <20240625072419.GU19642@kitsune.suse.cz> ("Michal Suchánek"'s message of "Tue, 25 Jun 2024 09:24:19 +0200")

Dscho, the f4aa8c8b (fetch/clone: detect dubious ownership of local
repositories, 2024-04-10) is your brainchild and people seem to be
unhappy about having to adjust their settings.  Is there any advice
you can offer them?

Michal Suchánek <msuchanek@suse.de> writes:

> On Mon, Jun 17, 2024 at 11:15:13PM +0200, Michal Suchánek wrote:
>> Hello,
>> 
>> On Mon, Jun 17, 2024 at 11:47:20AM -0700, Junio C Hamano wrote:
>> > "David C. Rankin" <drankinatty@gmail.com> writes:
>> > 
>> > >   Security enhancement in 2.45.1 have broken ability to serve git over
>> > >   https and ssh from local git server running Apache. (web server runs
>> > >   as http:http on Archlinux)
>> > >
>> > >   The fix of adding the following to gitconfig (system-wide and
>> > >   per-user in ~/.gitconfig) does not solve the problem:
>> > >
>> > > [safe]
>> > > 	directory = *
>> > 
>> > It is not clear what you exactly meant "per-user" above, so just to
>> > make sure.  Is this set in the global configuration file for the
>> > httpd (or whoever Apache runs as) user?
>> > 
>> > The purpose of "dubious ownership" thing is to protect the user who
>> > runs Git from random repositories with potentially malicious hooks
>> > and configuration files, so the user being protected (in this case,
>> > whoever Apache runs as) needs to declare "I trust these
>> > repositories" in its ~/.gitconfig file.  What individual owners of
>> > /srv/my-repo.git/ project have in their ~/.gitconfig file does not
>> > matter when deciding if Apache trusts these repositories.
>> 
>> Looks like the semantics of 'dubious ownership' changed recently.
>> 
>> Distro backport of fixes for CVE-2024-32002 CVE-2024-32004 CVE-2024-32020
>> CVE-2024-32021 CVE-2024-32465 to 2.35.3 broke git-daemon. No amount of
>> whitelisting makes the 'fixed' git serve the repository.
>
> Same regression between 2.45.0 and 2.45.2 which allegedly fixes the
> same CVEs.
>
> Looks like downgrading to gaping hole version is needed to serve repositories
> in general.
>
> Please consider adjusting the fix so that repositories can still be served.
>
> Thanks
>
> Michal
>
> To reproduce:
>
> cat /usr/local/bin/git-ping
> #!/bin/sh -e
>
> # Try connecting to one or more remote repository URLs
>
> while true ; do
>         git ls-remote -h "$1" >/dev/null
>         shift
>         [ -n "$1" ] || break
> done
>
> mkdir -p /srv/git/some
> chown hramrach /srv/git/some
> su hramrach -c "git init --bare /srv/git/some/repo.git"
> su hramrach -c "touch /srv/git/some/repo.git/git-daemon-export-ok"
> version=2.35.3-150300.10.36.1 ; zypper in --oldpackage git-core-$version git-daemon-$version
> systemctl start git-daemon.service
> git ping git://localhost/some/repo.git
> <nothing>
>
> version=2.35.3-150300.10.39.1 ; zypper in --oldpackage git-core-$version git-daemon-$version
> systemctl restart git-daemon.service
> git ping git://localhost/some/repo.git
> fatal: Could not read from remote repository.
>
> Please make sure you have the correct access rights
> and the repository exists.
>
>
> systemctl status git-daemon.service
> ● git-daemon.service - Git Daemon
>      Loaded: loaded (/usr/lib/systemd/system/git-daemon.service; disabled; vendor preset: disabled)
>      Active: active (running) since Thu 2024-06-06 08:29:28 CEST; 6min ago
>    Main PID: 31742 (git)
>       Tasks: 2 (limit: 4915)
>      CGroup: /system.slice/git-daemon.service
>              ├─ 31742 git daemon --reuseaddr --base-path=/srv/git/ --user=git-daemon --group=nogroup
>              └─ 31749 /usr/lib/git/git-daemon --reuseaddr --base-path=/srv/git/ --user=git-daemon --group=nogroup
>
> Jun 06 08:29:28 localhost.localdomain systemd[1]: Started Git Daemon.
> Jun 06 08:29:39 localhost.localdomain git-daemon[31756]: fatal: detected dubious ownership in repository at '/srv/git//some/repo.git'
> Jun 06 08:29:39 localhost.localdomain git-daemon[31756]: To add an exception for this directory, call:
> Jun 06 08:29:39 localhost.localdomain git-daemon[31756]:         git config --global --add safe.directory /srv/git//some/repo.git
>
> git config --global --add safe.directory /srv/git//some/repo.git
> mv ~/.gitconfig /etc/gitconfig
> git ping git://localhost/some/repo.git
> fatal: Could not read from remote repository.
>
> Please make sure you have the correct access rights
> and the repository exists.
>
> git config --global --add safe.directory /srv/git/some/repo.git
> mv ~/.gitconfig /etc/gitconfig
> git ping git://localhost/some/repo.git
> fatal: Could not read from remote repository.
>
> Please make sure you have the correct access rights
> and the repository exists.
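The point Junio makes above, that the safe.directory exception has to live in the configuration read by the user that executes Git (the daemon or httpd user), not in the repository owner's files, can be checked without touching a live server. The following is an added stand-alone checker, not code from the thread and not Git's own implementation: it reads the protected config scopes (system file, XDG file, ~/.gitconfig) for a given home directory, applies the reset rule for empty values, and reproduces the trust decision for a repository path. The uids, home directories and config contents in `demo()` are constructed; the path normalization (so that `/srv/git//some/repo.git` and `/srv/git/some/repo.git` compare equal) is an assumption of this checker, since the exact comparison Git performs depends on the version.

```python
"""Added checker (not Git's own code) for the trust rule discussed above:
Git decides whether a repository is "dubiously owned" from the config of
the user that executes it (the daemon or httpd user), never from the
repository owner's files. Paths, uids and home directories are constructed."""
import os
import tempfile

SYSTEM_CONFIG = "/etc/gitconfig"


def parse_safe_directories(text, entries=None):
    """Append safe.directory values found in git-config style text to
    entries. Understands '[safe]' sections, 'directory = value' lines,
    '#'/';' comments and the reset rule: an empty value discards every
    entry collected so far, including those from earlier config files."""
    entries = [] if entries is None else entries
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "safe" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() != "directory":
            continue
        value = value.strip().strip('"')
        if value == "":
            entries.clear()
        else:
            entries.append(value)
    return entries


def config_files_for(home, system_root=""):
    """Protected scopes consulted for safe.directory, in read order.
    Repository-local config is left out on purpose: Git ignores
    safe.directory there, otherwise an untrusted repo could whitelist
    itself. system_root lets a test redirect /etc/gitconfig."""
    return [
        system_root + SYSTEM_CONFIG,
        os.path.join(home, ".config", "git", "config"),  # XDG location
        os.path.join(home, ".gitconfig"),
    ]


def effective_safe_directories(home, system_root=""):
    """Entries a Git process with this $HOME would actually see."""
    entries = []
    for path in config_files_for(home, system_root):
        if os.path.isfile(path):
            with open(path) as fh:
                parse_safe_directories(fh.read(), entries)
    return entries


def is_trusted(repo, owner_uid, running_uid, safe_dirs):
    """Same owner: trusted. Otherwise '*' or an entry naming this path is
    required. Both sides go through os.path.normpath so that a doubled
    slash like /srv/git//some/repo.git still matches; this normalization
    is an assumption of the checker, not a statement about any Git version."""
    if owner_uid == running_uid or "*" in safe_dirs:
        return True
    wanted = os.path.normpath(repo)
    return any(os.path.normpath(d) == wanted for d in safe_dirs)


def demo():
    """Constructed scenario mirroring the thread: 'git config --global' was
    run as root, so the exception landed in root's ~/.gitconfig, while the
    daemon runs as another user with its own (empty) home."""
    with tempfile.TemporaryDirectory() as tmp:
        root_home = os.path.join(tmp, "root")
        daemon_home = os.path.join(tmp, "git-daemon")
        os.makedirs(root_home)
        os.makedirs(daemon_home)
        with open(os.path.join(root_home, ".gitconfig"), "w") as fh:
            fh.write("[safe]\n\tdirectory = /srv/git//some/repo.git\n")
        repo = "/srv/git/some/repo.git"
        repo_owner, root_uid, daemon_uid = 1000, 0, 2000  # constructed uids
        results = {
            "root": is_trusted(repo, repo_owner, root_uid,
                               effective_safe_directories(root_home, tmp)),
            "daemon_before": is_trusted(repo, repo_owner, daemon_uid,
                                        effective_safe_directories(daemon_home, tmp)),
        }
        # Moving the entry to the system file, as in the thread, puts it in
        # the one scope every user reads.
        os.makedirs(os.path.join(tmp, "etc"))
        with open(tmp + SYSTEM_CONFIG, "w") as fh:
            fh.write("[safe]\n\tdirectory = /srv/git/some/repo.git\n")
        results["daemon_after"] = is_trusted(
            repo, repo_owner, daemon_uid,
            effective_safe_directories(daemon_home, tmp))
        return results


if __name__ == "__main__":
    for scope, verdict in demo().items():
        print(f"{scope}: {'trusted' if verdict else 'dubious ownership'}")
```

The checker takes the home directory explicitly rather than asking the system for it because git-daemon's own documentation notes that `--user` switches the uid without resetting environment variables such as `$HOME`; the global config a daemon-spawned `git-upload-pack` reads is therefore whatever `$HOME` the service inherited, which is why the man page suggests exporting `HOME` for the daemon user before starting it. Note also what the checker does not cover: the last reproduction in the thread already has the entry in `/etc/gitconfig` and still fails, so a "trusted" verdict here only rules out the wrong-scope mistake and says nothing about that remaining failure.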
