Question: Setting the Email Address in ~/.gitconfig

git@vger.kernel.org mailing list mirror (one of many)
 help / color / mirror / code / Atom feed

* Question: Setting the Email Address in ~/.gitconfig
@ 2020-06-11 21:25 Shreya Malviya
  2020-06-11 22:52 ` brian m. carlson
  0 siblings, 1 reply; 3+ messages in thread
From: Shreya Malviya @ 2020-06-11 21:25 UTC (permalink / raw)
  To: git

Hi!

I was playing around with git when I realized that it's possible for
me to commit something to a repository as another user (explained a
scenario below for a better understanding of what I mean) and it is
not considered a security vulnerability, understandably so
(https://bounty.github.com/ineligible.html#impersonating_a_user_through_git_email_address).

For example, let's assume I have push access to some repository called
AAA, and my email address is abc@xyz.com. I can simply edit
~/.gitconfig on my system and set the email address as some other
person's email address: def@pqr.com. Then, I make some changes in my
local repository and commit them (reminder: it's with the email
address def@pqr.com since git tracks commits by email address). Now,
if I try to push to the remote repository, it asks for the username
and password. I put mine and since I have push access to AAA, it goes
through. I've successfully pushed commits on behalf of the owner of
the email address: def@pqr.com.

So basically, in this way, I can impersonate people and add commits on
their behalf. BUT AGAIN, this is not considered a vulnerability (link
for reason attached before).

My question:
It would be much easier if git didn't allow changing the email address
so easily. Why hasn't git implemented OAuth, or something of that
sort, for every time that the email address is changed in
~/.gitconfig, yet?

Shreya Malviya

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Question: Setting the Email Address in ~/.gitconfig
  2020-06-11 21:25 Question: Setting the Email Address in ~/.gitconfig Shreya Malviya
@ 2020-06-11 22:52 ` brian m. carlson
  2020-06-13  0:16   ` Aaron Schrab
  0 siblings, 1 reply; 3+ messages in thread
From: brian m. carlson @ 2020-06-11 22:52 UTC (permalink / raw)
  To: Shreya Malviya; +Cc: git

[-- Attachment #1: Type: text/plain, Size: 2854 bytes --]

On 2020-06-11 at 21:25:45, Shreya Malviya wrote:
> Hi!
> 
> 
> I was playing around with git when I realized that it's possible for
> me to commit something to a repository as another user (explained a
> scenario below for a better understanding of what I mean) and it is
> not considered a security vulnerability, understandably so
> (https://bounty.github.com/ineligible.html#impersonating_a_user_through_git_email_address).

This is GitHub's bug bounty policy, not Git's, but it is definitely an
intended feature in Git and not a bug.  I should point out that they are
separate and independent.

> For example, let's assume I have push access to some repository called
> AAA, and my email address is abc@xyz.com. I can simply edit
> ~/.gitconfig on my system and set the email address as some other
> person's email address: def@pqr.com. Then, I make some changes in my
> local repository and commit them (reminder: it's with the email
> address def@pqr.com since git tracks commits by email address). Now,
> if I try to push to the remote repository, it asks for the username
> and password. I put mine and since I have push access to AAA, it goes
> through. I've successfully pushed commits on behalf of the owner of
> the email address: def@pqr.com.
> 
> So basically, in this way, I can impersonate people and add commits on
> their behalf. BUT AGAIN, this is not considered a vulnerability (link
> for reason attached before).

In the Git project, users send patches to a mailing list and those
patches are applied by a maintainer.  When the maintainer applies them,
they contain the user's identification and therefore are attributed to
that user as the author.  This is a common workflow in patch-based
projects.

Disallowing people from pushing commits that contain another email
address would prevent the maintainer from pushing commits authored by
others, so Git doesn't do that, although it can be configured with push
certificates and a hook if you like.

If you are asking why GitHub attributes commits based on email, you'd
have to ask them.  However, be aware that there are projects that are
concerned about commit spoofing, especially corporate projects in
regulated industries, and the way to handle that is to use and require
commit signing.

> My question:
> It would be much easier if git didn't allow changing the email address
> so easily. Why hasn't git implemented OAuth, or something of that
> sort, for every time that the email address is changed in
> ~/.gitconfig, yet?

This is a local configuration file, so asking someone to implement OAuth
to change a local configuration file wouldn't be helpful.  Many Git
servers are, for example, SSH only, and so OAuth isn't even a
possibility.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 263 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Question: Setting the Email Address in ~/.gitconfig
  2020-06-11 22:52 ` brian m. carlson
@ 2020-06-13  0:16   ` Aaron Schrab
  0 siblings, 0 replies; 3+ messages in thread
From: Aaron Schrab @ 2020-06-13  0:16 UTC (permalink / raw)
  To: brian m. carlson, Shreya Malviya, git

[-- Attachment #1: Type: text/plain, Size: 1452 bytes --]

At 22:52 +0000 11 Jun 2020, "brian m. carlson" <sandals@crustytoothpaste.net> wrote:
>On 2020-06-11 at 21:25:45, Shreya Malviya wrote:
>> My question:
>> It would be much easier if git didn't allow changing the email address
>> so easily. Why hasn't git implemented OAuth, or something of that
>> sort, for every time that the email address is changed in
>> ~/.gitconfig, yet?
>
>This is a local configuration file, so asking someone to implement OAuth
>to change a local configuration file wouldn't be helpful.  Many Git
>servers are, for example, SSH only, and so OAuth isn't even a
>possibility.

Beyond that, even if git *did* somehow provide strong authentication of 
the configured email address for commits, it's open source software so 
people could still quite easily disable that authentication to spoof 
commits as other people. They could also use some other software 
(possibly that they write themselves) that manipulates a repository 
without doing that authentication.

While the data is entirely on an untrusted system (however you want to 
define trusted), the operator of that system will always be able to 
manipulate that data.

The alternative to this would be to require all commits to be 
cryptographically signed. But, most projects consider that to be too 
much of a burden. After all that only covers who made the changes, while 
for many things the content of the changes is much more important.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 898 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-06-13  0:25 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-11 21:25 Question: Setting the Email Address in ~/.gitconfig Shreya Malviya
2020-06-11 22:52 ` brian m. carlson
2020-06-13  0:16   ` Aaron Schrab

Code repositories for project(s) associated with this public inbox

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).