git@vger.kernel.org mailing list mirror (one of many)
From: Julian Brost <julian@0x4a42.net>
To: git@vger.kernel.org
Subject: Trust issues with hooks and config files
Date: Thu, 06 Mar 2014 22:47:43 +0100
Message-ID: <5318ECFF.40908@0x4a42.net>


Hi,

I've noticed some behavior of git that might lead to some security
issues if the user is not aware of this.

Assume we have an evil user on a system, let's call him eve. He
prepares a repository where he allows other users to push changes to.
If he now adds a post-receive hook, git will happily execute it as
whatever user pushes to this repository:

  root@argon /tmp/git-eve # ls -l /tmp/git-eve/hooks/post-receive
  -rwxr-xr-x 1 eve users [...] /tmp/git-eve/hooks/post-receive
  root@argon /tmp/git-root # cat /tmp/git-eve/hooks/post-receive
  #!/bin/sh
  id
  root@argon /tmp/git-root # git push /tmp/git-eve master
  Counting objects: 3, done.
  Writing objects: 100% (3/3), 185 bytes | 0 bytes/s, done.
  Total 3 (delta 0), reused 0 (delta 0)
  remote: uid=0(root) gid=0(root) groups=0(root),[...]
  To /tmp/git-eve
   * [new branch]      master -> master

Something similar might happen if eve adds some alias to the config
file in the repository and grants any other user read access to the
repository. These aliases will be executed when some other user is
running any git command in this repository. Even though git does not
allow defining aliases for existing commands, you might mistype
something, so adding an alias for "lg" instead of "log" might succeed:

  root@argon /tmp/git-eve # ls -l /tmp/git-eve/config
  -rw-r--r-- 1 eve users [...] /tmp/git-eve/config
  root@argon /tmp/git-eve # cat config
  [core]
  	repositoryformatversion = 0
  	filemode = true
  	bare = true
  [alias]
  	lg = !id
  root@argon /tmp/git-eve # git lg
  uid=0(root) gid=0(root) groups=0(root),[...]

This gets even worse if you know something about the aliases your
victim uses, so for example you can override an alias 'l = log'
defined in the user's config with something malicious in the
repository config file.

I'd suggest taking a similar approach as Mercurial [1], i.e. ignoring
configuration files and hooks owned by another user unless the owner
is explicitly trusted.

Regards,
Julian

[1] http://mercurial.selenic.com/wiki/Trust
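Added example, not part of Julian's message and not git's own tooling: a POSIX shell audit that applies the owner-trust idea from the message to a repository before you run git in it. It reports hooks and the config file that are not owned by the invoking user (the files git will execute or read on your behalf) and every alias in the repository config whose value starts with "!" and therefore runs a shell command. The function names, the simplified config parser (it only recognises entries under an [alias] section; `git config --file <cfg> --get-regexp '^alias\.'` is the authoritative reader) and the /tmp/git-eve path in the usage line are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): audit a git repository
# for hooks and config aliases another user could have planted, before
# running git there. Hypothetical helper names, chosen for this example.

# Resolve the git directory for a path: a bare repository keeps config
# and hooks at top level, a work tree keeps them under .git/.
git_dir_of() {
    if [ -d "$1/.git" ]; then
        printf '%s\n' "$1/.git"
    else
        printf '%s\n' "$1"
    fi
}

# Print every executable hook and the config file that is NOT owned by
# the current user. These are exactly the files git executes or reads
# with the privileges of whoever runs git in this repository.
list_untrusted_paths() {
    gitdir=$(git_dir_of "$1")
    me=$(id -un)
    [ -d "$gitdir/hooks" ] && find "$gitdir/hooks" -type f -perm -u+x ! -user "$me"
    [ -f "$gitdir/config" ] && find "$gitdir/config" -type f ! -user "$me"
    return 0
}

# Print "name = command" for each alias in the repository config whose
# value begins with "!", i.e. an alias that runs a shell command.
# Simplified INI parser for the example; git's own config parser is the
# authoritative reader (git config --file <cfg> --get-regexp '^alias\.').
list_shell_aliases() {
    cfg=$(git_dir_of "$1")/config
    [ -f "$cfg" ] || return 0
    awk '
        /^[ \t]*\[/ {                      # section header, e.g. [alias]
            s = tolower($0)
            sub(/^[ \t]*\[[ \t]*/, "", s)
            sub(/[ \t]*\].*$/, "", s)
            section = s
            next
        }
        section == "alias" && /^[ \t]*[A-Za-z0-9-]+[ \t]*=[ \t]*!/ {
            sub(/^[ \t]*/, "")
            sub(/[ \t]*=[ \t]*/, " = ")
            print
        }
    ' "$cfg"
}

# Return 1 (and report to stderr) if the repository contains files the
# current user did not put there or aliases that run arbitrary shell.
check_repo_trust() {
    untrusted=$(list_untrusted_paths "$1")
    aliases=$(list_shell_aliases "$1")
    status=0
    if [ -n "$untrusted" ]; then
        printf 'untrusted files (owned by another user):\n%s\n' "$untrusted" >&2
        status=1
    fi
    if [ -n "$aliases" ]; then
        printf 'shell aliases in repository config:\n%s\n' "$aliases" >&2
        status=1
    fi
    return "$status"
}

# Usage (assumed path from the message): refuse to work in eve's repo
# unless the audit is clean.
#   check_repo_trust /tmp/git-eve && cd /tmp/git-eve
```

Run it as the user who is about to push or invoke git, not as root: the ownership test compares against `id -un`, and a hook owned by eve is only a problem when someone else executes it. The check says nothing about hooks the current user owns, and the alias scan only flags the "!" form; an alias that points at a git subcommand with attacker-chosen arguments is not reported.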

Thread overview: 5+ messages
2014-03-06 21:47 Julian Brost [this message]
2014-03-07 21:04 ` Trust issues with hooks and config files Jeff King
2014-03-09 17:27   ` Julian Brost
2014-03-10 15:18     ` Junio C Hamano
2014-03-16 13:45     ` Sitaram Chamarty
