git@vger.kernel.org mailing list mirror (one of many)
From: Jeff Hostetler <git@jeffhostetler.com>
To: Christian Hesse <mail@eworm.de>, Junio C Hamano <gitster@pobox.com>
Cc: Git Mailing List <git@vger.kernel.org>,
	Jeff Hostetler <jeffhost@microsoft.com>,
	"Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: Re: cgit and global configuration
Date: Tue, 11 Jun 2019 16:22:32 -0400
Message-ID: <1cdb3444-fb39-66a4-fb27-01e1617e538a@jeffhostetler.com>
In-Reply-To: <20190611170401.15d43623@leda>



On 6/11/2019 11:04 AM, Christian Hesse wrote:
> Dear Jeff, dear Junio,
> 
> for cgit we use the static git library built into the executable. This used
> to work well, but breaks with latest release v2.22.0: Our code unsets HOME
> and XDG_CONFIG_HOME to mitigate loading arbitrary configuration.
> We have tests that use strace to check for access to directories given by
> environment variables.
> 
> With the new trace2 code in place at least tracing configuration is loaded
> before cmd_main() kicks in. This happens in trace2_initialize_fl() ->
> tr2_sysenv_load() -> read_very_early_config(). The offending commit is
> bce9db6d ("trace2: use system/global config for default trace2 settings") [0].
> 
> I had thought about adding a new option to struct config_options and making
> xdg_config_home() and expand_user_path() conditional in
> do_git_config_sequence() when called from read_very_early_config(). However
> this breaks the test suite as ptrace2 tests with global configuration depend
> on HOME being set to a trash directory. Any hint about how to properly solve
> this?
> Or can we be sure configuration read at this point can not do any harm and
> updating our tests is sufficient? I guess no as file paths can be specified.
> 
> [0] https://github.com/git/git/commit/bce9db6de97c95882a7c46836bb6cc90acf0fef0
> 

I'm not sure I fully understand the problem here, so let me
ask a few questions.

If you're using the static git library (by that I assume you
mean libgit.a) and the call to trace2_initialize_fl() is in
main() in common-main.c, how is it getting called?  Don't you
have your own main()?

     Looking at your source in `https://git.zx2c4.com/cgit/tree/cgit.c`
     it looks like you're defining a cmd_main() and using the rest of
     Git's Makefile, so I'm guessing you're getting common-main.c too.

I'm curious why a call to read_very_early_config() before cmd_main()
causes problems.

     Again, in `https://git.zx2c4.com/cgit/tree/cgit.c` I found
     the code in prepare_repo_env() where you unset the various
     HOME variables.  And that is called during your cmd_main()
     sequence.  That would explain why my read_very_early_config()
     causes you problems that a call to read_early_config() inside
     your cmd_main() does not.

     I'm not sure I understand the reasons for the unsets and the
     need for the strace guards, but that is not my business, so
     I'll just trust that you have your reasons.  And I have to
     assume that you have security concerns that supersede the
     need to do any tracing or advanced logging.

Adding a new bit to `struct config_options` doesn't really help
because you don't know when (or even have an opportunity) to set
it.  You've abdicated main() to common code and so your application
doesn't start until cmd_main() is called.

     And you can't really have an environment or config variable
     to say to ignore mine, because they'd be just as vulnerable.

     I'm not sure what you meant by a `ptrace2` test -- unless
     that is just a typo and that you meant the t/t021*.sh tests.
     And yes, these tests do test the global config setting.

As for going forward, I see 3 options:

[1] update your tests to allow this.  (I didn't dig thru your
     tests to see how extensive this might be.)

[2] define your own version of common-main.c and link with it
     instead of git/common-main.c and delete the calls to trace2_*()
     in it.

[3] define your own version of common-main.c and then call your
     prepare_repo_env() prior to trace2_initialize().

Granted, I've only spent 15 minutes looking at your code, so
I may be mistaken about several things, but I think those are
your options.

Hope this helps,
Jeff
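
Option [3] in the message above comes down to ordering: the unsets have to run before the first config read. The following C sketch is an added illustration, not code from cgit or Git; `early_user_config_paths`, `scrub_user_env` and `run_startup` are hypothetical stand-ins and the environment values are constructed. It counts the per-user config paths an early read would resolve when the scrub runs after it versus before it.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_PATHS 2
#define PATH_LEN 256

/* Hypothetical stand-in for an early config read: records the per-user
 * config paths the current environment would cause to be consulted
 * ($XDG_CONFIG_HOME/git/config, else $HOME/.config/git/config, then
 * $HOME/.gitconfig). Returns the number of paths recorded. */
static int early_user_config_paths(char out[MAX_PATHS][PATH_LEN])
{
	const char *home = getenv("HOME");
	const char *xdg = getenv("XDG_CONFIG_HOME");
	int n = 0;

	if (xdg && *xdg)
		snprintf(out[n++], PATH_LEN, "%s/git/config", xdg);
	else if (home && *home)
		snprintf(out[n++], PATH_LEN, "%s/.config/git/config", home);
	if (home && *home)
		snprintf(out[n++], PATH_LEN, "%s/.gitconfig", home);
	return n;
}

/* Stand-in for the unsets the thread attributes to prepare_repo_env(). */
static void scrub_user_env(void)
{
	unsetenv("HOME");
	unsetenv("XDG_CONFIG_HOME");
}

/* Models a main() wrapper: returns how many user paths the early read
 * resolves, depending on whether the scrub runs before or after it. */
static int run_startup(int scrub_first)
{
	char paths[MAX_PATHS][PATH_LEN];
	int seen;

	setenv("HOME", "/constructed/home", 1);          /* constructed input */
	setenv("XDG_CONFIG_HOME", "/constructed/xdg", 1); /* constructed input */
	if (scrub_first)
		scrub_user_env();
	seen = early_user_config_paths(paths);
	scrub_user_env(); /* a scrub at this point is too late for the read above */
	return seen;
}

int main(void)
{
	printf("scrub after early read:  %d path(s)\n", run_startup(0));
	printf("scrub before early read: %d path(s)\n", run_startup(1));
	return 0;
}
```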
