From: Jeff King <peff@peff.net>
To: Stefan Beller <sbeller@google.com>
Cc: Junio C Hamano <gitster@pobox.com>,
"git@vger.kernel.org" <git@vger.kernel.org>,
Eric Wong <e@80x24.org>, Dan Wang <dwwang@google.com>,
Dennis Kaarsemaker <dennis@kaarsemaker.net>
Subject: Re: [PATCH 2/4] receive-pack: implement advertising and receiving push options
Date: Thu, 7 Jul 2016 17:56:38 -0400 [thread overview]
Message-ID: <20160707215638.GA27627@sigill.intra.peff.net> (raw)
In-Reply-To: <CAGZ79kbkv5P0wP2kKt9gzmZBe1DjLSB8JpZD66DT_Xd4NKqmKQ@mail.gmail.com>
On Thu, Jul 07, 2016 at 02:41:37PM -0700, Stefan Beller wrote:
> >> + /* NEEDSWORK: expose the limitations to be configurable. */
> >> + int max_options = 32;
> >> +
> >> + /*
> >> + * NEEDSWORK: expose the limitations to be configurable;
> >> + * Once the limit can be lifted, include a way for payloads
> >> + * larger than one pkt, e.g allow a payload of up to
> >> + * LARGE_PACKET_MAX - 1 only, and reserve the last byte
> >> + * to indicate whether the next pkt continues with this
> >> + * push option.
> >> + */
> >> + int max_size = 1024;
> >
> > Good NEEDSWORK comments; perhaps also hint that the configuration
> > must not come from the repository level configuration file (i.e.
> > Peff's "scoped configuration" from jk/upload-pack-hook topic)?
>
> Ok, I reviewed that series. It is unclear to me how the attack would
> actually look like in that case.
>
> In 20b20a22f8f Jeff writes:
> > Because we promise that
> > upload-pack is safe to run in an untrusted repository, we
> > cannot execute arbitrary code or commands found in the
> > repository (neither in hooks/, nor in the config).
>
> I agree on this for all content that can be modified by the user
> (e.g. files in the work tree such as .gitmodules), but the .git/config
> file cannot be changed remotely. So I wonder how an attack would
> look like for a hosting provider or anyone else?
> We still rely on a sane system and trust /etc/gitconfig
> so we do trust the host/admin but not the user?
The problem is for hosting sites which serve repositories via git-daemon
from untrusted users who have real shell accounts (e.g., you set up
git-daemon to run as the "daemon" user serving repositories out of
people's home directories; you don't want users to escalate their shell
access into running arbitrary code as "daemon").
But I don't think that case applies here. That is about running
upload-pack on an untrusted repository, but your changes here are part
of receive-pack. In such a scenario, users should be pushing as
themselves via ssh. And if they are not (e.g., the admin set up
push-over-smart-http centrally), they are already screwed, as a
malicious user could just set up a pre-receive hook.
IOW, we promise only that upload-pack is safe to run an untrusted repo,
but not receive-pack.
-Peff
next prev parent reply other threads:[~2016-07-07 21:57 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-07 1:12 [PATCHv3 0/4] Push options in C Git Stefan Beller
2016-07-07 1:12 ` [PATCH 1/4] push options: {pre,post}-receive hook learns about push options Stefan Beller
2016-07-07 20:20 ` Junio C Hamano
2016-07-07 21:50 ` Stefan Beller
2016-07-07 21:53 ` Junio C Hamano
2016-07-07 1:12 ` [PATCH 2/4] receive-pack: implement advertising and receiving " Stefan Beller
2016-07-07 20:37 ` Junio C Hamano
2016-07-07 21:41 ` Stefan Beller
2016-07-07 21:56 ` Jeff King [this message]
2016-07-07 22:06 ` Stefan Beller
2016-07-07 22:09 ` Jeff King
2016-07-07 22:06 ` Junio C Hamano
2016-07-08 17:58 ` Jonathan Nieder
2016-07-08 18:39 ` Junio C Hamano
2016-07-08 18:57 ` Stefan Beller
2016-07-08 21:46 ` Jeff King
2016-07-08 22:17 ` Stefan Beller
2016-07-08 22:21 ` Jeff King
2016-07-08 22:29 ` Stefan Beller
2016-07-08 22:35 ` Jeff King
2016-07-08 22:43 ` Stefan Beller
2016-07-08 22:46 ` Jeff King
2016-07-08 22:51 ` Stefan Beller
2016-07-07 1:12 ` [PATCH 3/4] push: accept " Stefan Beller
2016-07-07 20:52 ` Junio C Hamano
2016-07-08 22:59 ` Stefan Beller
2016-07-11 18:42 ` Junio C Hamano
2016-07-07 1:12 ` [PATCH 4/4] add a test for " Stefan Beller
2016-07-07 19:51 ` Junio C Hamano
2016-07-07 20:01 ` Junio C Hamano
2016-07-07 21:51 ` Stefan Beller
-- strict thread matches above, loose matches on Subject: below --
2016-07-14 21:49 [PATCHv7 0/4] Push options Stefan Beller
2016-07-14 21:49 ` [PATCH 2/4] receive-pack: implement advertising and receiving push options Stefan Beller
2016-07-14 17:39 [PATCHv5 0/4] Push options Stefan Beller
2016-07-14 17:39 ` [PATCH 2/4] receive-pack: implement advertising and receiving push options Stefan Beller
2016-07-14 18:38 ` Junio C Hamano
2016-07-14 19:00 ` Stefan Beller
2016-07-14 19:07 ` Junio C Hamano
2016-07-14 19:45 ` Jeff King
2016-07-14 20:07 ` Junio C Hamano
2016-07-09 0:31 [PATCHv4 0/4] Push options Stefan Beller
2016-07-09 0:31 ` [PATCH 2/4] receive-pack: implement advertising and receiving push options Stefan Beller
2016-07-10 17:06 ` Shawn Pearce
2016-07-10 18:05 ` Stefan Beller
2016-07-12 4:53 ` Shawn Pearce
2016-07-12 5:24 ` Jeff King
2016-06-30 0:59 [RFC PATCHv1 0/4] Push options in C Git Stefan Beller
2016-06-30 0:59 ` [PATCH 2/4] receive-pack: implement advertising and receiving push options Stefan Beller
2016-07-01 17:11 ` Junio C Hamano
2016-07-01 17:24 ` Stefan Beller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160707215638.GA27627@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=dennis@kaarsemaker.net \
--cc=dwwang@google.com \
--cc=e@80x24.org \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=sbeller@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).