From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS3215 2.6.0.0/16 X-Spam-Status: No, score=-3.8 required=3.0 tests=AWL,BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by dcvr.yhbt.net (Postfix) with ESMTP id B64DE1F4D7 for ; Tue, 26 Apr 2022 20:11:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354686AbiDZUO1 convert rfc822-to-8bit (ORCPT ); Tue, 26 Apr 2022 16:14:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57748 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1354808AbiDZUOD (ORCPT ); Tue, 26 Apr 2022 16:14:03 -0400 Received: from elephants.elehost.com (elephants.elehost.com [216.66.27.132]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F3B3712099 for ; Tue, 26 Apr 2022 13:10:46 -0700 (PDT) Received: from Mazikeen (cpe00fc8d49d843-cm00fc8d49d840.cpe.net.cable.rogers.com [174.119.96.21] (may be forged)) (authenticated bits=0) by elephants.elehost.com (8.16.1/8.16.1) with ESMTPSA id 23QKAjir080047 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 26 Apr 2022 16:10:45 -0400 (EDT) (envelope-from rsbecker@nexbridge.com) Reply-To: From: To: "'Junio C Hamano'" , "'Derrick Stolee'" Cc: "=?UTF-8?Q?'Carlo_Marcelo_Arenas_Bel=C3=B3n'?=" , , , , "'Guy Maurel'" , "=?UTF-8?Q?'SZEDER_G=C3=A1bor'?=" , "'Johannes Schindelin'" References: <20220426183105.99779-1-carenas@gmail.com> <9658dea7-d421-b238-113d-c7b83eca4569@github.com> In-Reply-To: Subject: RE: [RFC PATCH] git-compat-util: avoid failing dir ownership checks if running priviledged Date: Tue, 26 Apr 2022 16:10:40 -0400 Organization: Nexbridge Inc. Message-ID: <04bb01d859a9$b759cb50$260d61f0$@nexbridge.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8BIT X-Mailer: Microsoft Outlook 16.0 Thread-Index: AQKW87AjxA2cdMBJpUJ6sUXK7KFdYwLolO0XAcgZoLarX+Ws8A== Content-Language: en-ca Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org On April 26, 2022 3:56 PM, Junio C Hamano wrote: >Subject: Re: [RFC PATCH] git-compat-util: avoid failing dir ownership checks if >running priviledged > >Derrick Stolee writes: > >>> Original discussion in : >>> >>> >>> https://lore.kernel.org/git/4ef9287b-6260-9538-7c89-cffb611520ee@maur >>> el.de/ >> >> I agree that the idea behind this change is a good one. The escalation >> of privilege isn't a huge concern when the "real" user is the same. >> The only way to trick the root user here is to set an environment >> variable, in which case they might as well modify PATH and be done >> with it. > >How much do we really want to trust SUDO_UID or DOSA_UID are telling the >truth, though? > >>> + euid = geteuid(); >>> + if (euid == ROOT_UID) { >>> + /* we might have raised our priviledges with sudo or doas */ >> >> Similar spelling error here. >> >>> + const char *real_uid = getenv("SUDO_UID"); >>> + if (real_uid && *real_uid) >>> + euid = atoi(real_uid); >>> + else { >>> + real_uid = getenv("DOAS_UID"); >>> + if (real_uid && *real_uid) >>> + euid = atoi(real_uid); This should be strtol() instead of atoi(). Putting garbage into DOAS_UID might end up causing some unwanted effects since atoi() could then return 0 or some partial value. The result should also be checked for sanity and the end pointer should point to a '\0'. My team has effectively banned the use of atoi() in new code and is migrating to strtol() or strtoll() as code is touched. >>> + } >> >> I imagine that something else could be added here to help Windows >> users who have elevated to administrator privileges. It will use a >> completely different mechanism, though, if needed at all. We can delay >> that for now. >> >> Thanks, >> -Stolee