From: Junio C Hamano <gitster@pobox.com>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: git@vger.kernel.org, Joey Hess <id@joeyh.name>
Subject: Re: [PATCH 00/12] Fix various overly aggressive protections in 2.45.1 and friends
Date: Wed, 22 May 2024 22:49:55 -0700 [thread overview]
Message-ID: <xmqqv835xekc.fsf@gitster.g> (raw)
In-Reply-To: <Zk3ChIHr5amGh8Mt@kitenet.net> (Joey Hess's message of "Wed, 22 May 2024 06:01:40 -0400")
Joey Hess <id@joeyh.name> writes:
> Junio C Hamano wrote:
>> As people have seen, the latest "security fix" release turned out to
>> be a mixed bag of good vulnerability fixes with a bit over-eager
>> "layered defence" that broke real uses cases like git-lfs.
>
> "fsck: warn about symlink pointing inside a gitdir"
> (a33fea0886cfa016d313d2bd66bdd08615bffbc9) also broke pushing git-annex
> repositories to eg Gitlab and has several other problems including dodgy
> PATH_MAX checks that cause new OS interoperability problems. (I posted
> details to an earlier thread but have now found this current one, oops.)
>
> Please also revert it, or at least the portions for
> and symlinkPointsToGitDir and symlinkTargetLength. The
> checks for symlinkTargetBlob and symlinkTargetMissing seem worth
> keeping.
Looking at the change in question, in a33fea08 (fsck: warn about
symlink pointing inside a gitdir, 2024-04-10), you said:
> fsck: warn about symlink pointing inside a gitdir
>
> In the wake of fixing a vulnerability where `git clone` mistakenly
> followed a symbolic link that it had just written while checking out
> files, writing into a gitdir, let's add some defense-in-depth by
> teaching `git fsck` to report symbolic links stored in its trees that
> point inside `.git/`.
>
> Even though the Git project never made any promises about the exact
> shape of the `.git/` directory's contents, there are likely repositories
> out there containing symbolic links that point inside the gitdir. For
> that reason, let's only report these as warnings, not as errors.
> Security-conscious users are encouraged to configure
> `fsck.symlinkPointsToGitDir = error`.
>
> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
I can make a few observations (in addition to what Joey already
observed in the code around PATH_MAX, etc. [*]):
- Yes, if git-annex wants to keep its private data in a private
directory .git/annex/objects it carved out for itself and want to
point at them from the working tree with symbolic links, the
extra check would trigger as fsck would see the symbolic link
contents pointing into the .git/ directory, so certainly they
would be affected.
- The extra check seems to have meant to target the symbolic links
that point at objects, refs, config, and anything _we_ care
about, as opposed to random garbage (from _our_ point of view)
files third-parties throw into .git/ directory. Would it have
made a better trade-off if we tried to make the check more
precise, only complaining about the things we care about (in
other words, what _we_ use), or will it become too brittle
because what we care about will change over time?
- In any case, if it is merely warnings, not errors, these checks
can be configured out. Wouldn't that be an escape-hatch enough?
So, I am ambivalent. I have prepared a revert queued on maint-2.39
and cascaded it up to the maintenance track, which I tentatively
queued on top of 'seen', to see how much damage such a reversion
involves (and it did not look too bad), but
(1) I am not sure if this is such a huge deal that requires a
revert;
(2) I am not sure which one is more practical between ripping
everything out and demoting these new fsck error types with
FSCK_WARN to FSCK_IGNORE. If the structure of the code to
perform these checks is more or less good and the actual check
the code implements is bad, the latter might give us a better
foundation to build on than rebuilding everything from scratch.
On the other hand, if we are redoing things in the open, it may
be better to forget about the code in 2.45.1/2.39.4 and to build
from scratch for those reviewers and developers who will offer
help.
(3) As I look at the change by a33fea08 again, it actually adds a
few new fsck error types with FSCK_ERROR. Perhaps that is a
good enough reason to do a straight revert for now?
Thanks. It is past my bedtime so I won't be pushing out the 'seen'
with the revert I prepared as a practice, at least tonight.
[Reference]
* https://lore.kernel.org/git/Zk2_mJpE7tJgqxSp@kitenet.net/
next prev parent reply other threads:[~2024-05-23 5:50 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-21 19:56 [PATCH 00/12] Fix various overly aggressive protections in 2.45.1 and friends Junio C Hamano
2024-05-21 19:56 ` [PATCH 01/12] send-email: drop FakeTerm hack Junio C Hamano
2024-05-22 8:19 ` Dragan Simic
2024-05-21 19:56 ` [PATCH 02/12] send-email: avoid creating more than one Term::ReadLine object Junio C Hamano
2024-05-22 8:15 ` Dragan Simic
2024-05-21 19:56 ` [PATCH 03/12] ci: drop mention of BREW_INSTALL_PACKAGES variable Junio C Hamano
2024-05-21 19:56 ` [PATCH 04/12] ci: avoid bare "gcc" for osx-gcc job Junio C Hamano
2024-05-21 19:56 ` [PATCH 05/12] ci: stop installing "gcc-13" for osx-gcc Junio C Hamano
2024-05-21 19:56 ` [PATCH 06/12] hook: plug a new memory leak Junio C Hamano
2024-05-21 19:56 ` [PATCH 07/12] init: use the correct path of the templates directory again Junio C Hamano
2024-05-21 19:56 ` [PATCH 08/12] Revert "core.hooksPath: add some protection while cloning" Junio C Hamano
2024-05-21 19:56 ` [PATCH 09/12] tests: verify that `clone -c core.hooksPath=/dev/null` works again Junio C Hamano
2024-05-21 22:57 ` Brooke Kuhlmann
2024-05-21 19:56 ` [PATCH 10/12] clone: drop the protections where hooks aren't run Junio C Hamano
2024-05-21 19:56 ` [PATCH 11/12] Revert "Add a helper function to compare file contents" Junio C Hamano
2024-05-21 19:56 ` [PATCH 12/12] Revert "fetch/clone: detect dubious ownership of local repositories" Junio C Hamano
2024-05-21 20:43 ` Junio C Hamano
2024-05-22 7:27 ` Johannes Schindelin
2024-05-22 17:20 ` Junio C Hamano
2024-05-21 20:45 ` [rPATCH 13/12] Merge branch 'jc/fix-aggressive-protection-2.39' Junio C Hamano
2024-05-23 10:36 ` Reviewing merge commits, was " Johannes Schindelin
2024-05-23 14:41 ` Junio C Hamano
2024-05-21 20:45 ` [rPATCH 14/12] Merge branch 'jc/fix-aggressive-protection-2.40' Junio C Hamano
2024-05-21 21:33 ` Junio C Hamano
2024-05-21 21:14 ` [PATCH 00/12] Fix various overly aggressive protections in 2.45.1 and friends Johannes Schindelin
2024-05-21 21:46 ` Junio C Hamano
2024-05-21 22:13 ` Junio C Hamano
2024-05-22 10:01 ` Joey Hess
2024-05-23 5:49 ` Junio C Hamano [this message]
2024-05-23 16:31 ` Joey Hess
2024-05-27 19:51 ` Johannes Schindelin
2024-05-28 2:25 ` Joey Hess
2024-05-28 15:02 ` Phillip Wood
2024-05-28 16:13 ` Junio C Hamano
2024-05-28 17:47 ` Junio C Hamano
2024-05-23 23:32 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqv835xekc.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=git@vger.kernel.org \
--cc=id@joeyh.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).