[PATCH 0/2] Don't make $GIT_DIR executable

[PATCH 0/2] Don't make $GIT_DIR executable

[Michael Haggerty]

Starting with v2.1.0, "git init" creates $GIT_DIR/config with its u+x
bit set. These two patches are "belt and suspenders"--either one would
fix the bug, but IMO it makes sense to apply both of them. Plus, the
second patch will help repair repositories that were created while
this bug was in the wild.

I think these patches should go into "maint". They apply cleanly
there. When merging forward to master, there are two conflicts in
config.c which can be resolved by

    s/lock->filename/lock->filename.buf/

in two places.

Michael Haggerty (2):
  create_default_files(): don't set u+x bit on $GIT_DIR/config
  config: clear the executable bits (if any) on $GIT_DIR/config

 builtin/init-db.c |  1 +
 config.c          | 12 ++++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

-- 
2.1.1

[PATCH 1/2] create_default_files(): don't set u+x bit on $GIT_DIR/config

[Michael Haggerty]

Since time immemorial, the test of whether to set "core.filemode" has
been done by trying to toggle the u+x bit on $GIT_DIR/config and then
testing whether the change "took". It is somewhat odd to use the
config file for this test, but whatever.

The test code didn't set the u+x bit back to its original state
itself, instead relying on the subsequent call to git_config_set() to
re-write the config file with correct permissions.

But ever since

    daa22c6f8d config: preserve config file permissions on edits (2014-05-06)

git_config_set() copies the permissions from the old config file to
the new one. This is a good change in and of itself, but it interacts
badly with create_default_files()'s sloppiness, causing "git init" to
leave the executable bit set on $GIT_DIR/config.

So change create_default_files() to reset the permissions on
$GIT_DIR/config after its test.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 builtin/init-db.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/builtin/init-db.c b/builtin/init-db.c
index 56f85e2..95ca5e4 100644
--- a/builtin/init-db.c
+++ b/builtin/init-db.c
@@ -255,6 +255,7 @@ static int create_default_files(const char *template_path)
 		filemode = (!chmod(path, st1.st_mode ^ S_IXUSR) &&
 				!lstat(path, &st2) &&
 				st1.st_mode != st2.st_mode);
+		chmod(path, st1.st_mode);
 	}
 	git_config_set("core.filemode", filemode ? "true" : "false");
 
-- 
2.1.1

[PATCH 2/2] config: clear the executable bits (if any) on $GIT_DIR/config

[Michael Haggerty]

There is no reason for $GIT_DIR/config to be executable, plus this
change will help clean up repositories affected by the bug that was
fixed by the previous commit.

Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
 config.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/config.c b/config.c
index 9e42d38..0942e5f 100644
--- a/config.c
+++ b/config.c
@@ -1653,7 +1653,15 @@ int git_config_set_multivar_in_file(const char *config_filename,
 			MAP_PRIVATE, in_fd, 0);
 		close(in_fd);
 
-		if (chmod(lock->filename, st.st_mode & 07777) < 0) {
+		/*
+		 * We make of the executable bits because (a) it
+		 * doesn't make sense to have executable bits set on
+		 * the config file, and (b) there was a bug in git 2.1
+		 * which caused the config file to be created with u+x
+		 * set, so this will help repair repositories created
+		 * with that version.
+		 */
+		if (chmod(lock->filename, st.st_mode & 07666) < 0) {
 			error("chmod on %s failed: %s",
 				lock->filename, strerror(errno));
 			ret = CONFIG_NO_WRITE;
@@ -1832,7 +1840,7 @@ int git_config_rename_section_in_file(const char *config_filename,
 
 	fstat(fileno(config_file), &st);
 
-	if (chmod(lock->filename, st.st_mode & 07777) < 0) {
+	if (chmod(lock->filename, st.st_mode & 07666) < 0) {
 		ret = error("chmod on %s failed: %s",
 				lock->filename, strerror(errno));
 		goto out;
-- 
2.1.1

Re: [PATCH 2/2] config: clear the executable bits (if any) on $GIT_DIR/config

[Stefan Beller]

On 14.11.2014 23:26, Michael Haggerty wrote:
> There is no reason for $GIT_DIR/config to be executable, plus this
> change will help clean up repositories affected by the bug that was
> fixed by the previous commit.
> 
> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
> ---
>  config.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
> 
> diff --git a/config.c b/config.c
> index 9e42d38..0942e5f 100644
> --- a/config.c
> +++ b/config.c
> @@ -1653,7 +1653,15 @@ int git_config_set_multivar_in_file(const char *config_filename,
>  			MAP_PRIVATE, in_fd, 0);
>  		close(in_fd);
>  
> -		if (chmod(lock->filename, st.st_mode & 07777) < 0) {
> +		/*
> +		 * We make of the executable bits because (a) it

We make *use* of

> +		 * doesn't make sense to have executable bits set on
> +		 * the config file, and (b) there was a bug in git 2.1
> +		 * which caused the config file to be created with u+x
> +		 * set, so this will help repair repositories created
> +		 * with that version.
> +		 */
> +		if (chmod(lock->filename, st.st_mode & 07666) < 0) {
>  			error("chmod on %s failed: %s",
>  				lock->filename, strerror(errno));
>  			ret = CONFIG_NO_WRITE;
> @@ -1832,7 +1840,7 @@ int git_config_rename_section_in_file(const char *config_filename,
>  
>  	fstat(fileno(config_file), &st);
>  
> -	if (chmod(lock->filename, st.st_mode & 07777) < 0) {
> +	if (chmod(lock->filename, st.st_mode & 07666) < 0) {
>  		ret = error("chmod on %s failed: %s",
>  				lock->filename, strerror(errno));
>  		goto out;
> 

Re: [PATCH 2/2] config: clear the executable bits (if any) on $GIT_DIR/config

[Michael Haggerty]

On 11/15/2014 08:32 AM, Stefan Beller wrote:
> On 14.11.2014 23:26, Michael Haggerty wrote:
>> There is no reason for $GIT_DIR/config to be executable, plus this
>> change will help clean up repositories affected by the bug that was
>> fixed by the previous commit.
>>
>> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
>> ---
>>  config.c | 12 ++++++++++--
>>  1 file changed, 10 insertions(+), 2 deletions(-)
>>
>> diff --git a/config.c b/config.c
>> index 9e42d38..0942e5f 100644
>> --- a/config.c
>> +++ b/config.c
>> @@ -1653,7 +1653,15 @@ int git_config_set_multivar_in_file(const char *config_filename,
>>  			MAP_PRIVATE, in_fd, 0);
>>  		close(in_fd);
>>  
>> -		if (chmod(lock->filename, st.st_mode & 07777) < 0) {
>> +		/*
>> +		 * We make of the executable bits because (a) it
> 
> We make *use* of

Thanks for catching this. But it's even worse. I meant to type "mask off".

Junio, would you mind fixing this if there is no other reason for a
re-roll? Thanks.

Michael

-- 
Michael Haggerty
mhagger@alum.mit.edu

Re: [PATCH 0/2] Don't make $GIT_DIR executable

[Eric Wong]

Michael Haggerty <mhagger@alum.mit.edu> wrote:
> Michael Haggerty (2):
>   create_default_files(): don't set u+x bit on $GIT_DIR/config
>   config: clear the executable bits (if any) on $GIT_DIR/config

Thanks, I should've noticed this earlier :x
Tested-by: Eric Wong <normalperson@yhbt.net>

Since the damage is done, perhaps removing +x from $GIT_DIR/config on
_any_ git operation would be appropriate.

Re: [PATCH 1/2] create_default_files(): don't set u+x bit on $GIT_DIR/config

[Torsten Bögershausen]

On 2014-11-15 08.26, Michael Haggerty wrote:
The whole thing looks good to me, some minor comments below
> git_config_set() copies the permissions from the old config file to
> the new one. This is a good change in and of itself, but it interacts
> badly with create_default_files()'s sloppiness, causing "git init" to
> leave the executable bit set on $GIT_DIR/config.
> 
> So change create_default_files() to reset the permissions on
s/permissions/executable bit/ ?
> $GIT_DIR/config after its test.
> 
> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
> ---
>  builtin/init-db.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/builtin/init-db.c b/builtin/init-db.c
> index 56f85e2..95ca5e4 100644
> --- a/builtin/init-db.c
> +++ b/builtin/init-db.c
> @@ -255,6 +255,7 @@ static int create_default_files(const char *template_path)
>  		filemode = (!chmod(path, st1.st_mode ^ S_IXUSR) &&
>  				!lstat(path, &st2) &&
>  				st1.st_mode != st2.st_mode);
> +		chmod(path, st1.st_mode);
A "blind" chmod() is good, but I think checking the return code is better.

                filemode &= (!chmod(path, st1.st_mode));

>  	}
>  	git_config_set("core.filemode", filemode ? "true" : "false");
>   

Re: [PATCH 1/2] create_default_files(): don't set u+x bit on $GIT_DIR/config

[Michael Haggerty]

On 11/15/2014 01:06 PM, Torsten Bögershausen wrote:
> On 2014-11-15 08.26, Michael Haggerty wrote:
> The whole thing looks good to me, some minor comments below
>> git_config_set() copies the permissions from the old config file to
>> the new one. This is a good change in and of itself, but it interacts
>> badly with create_default_files()'s sloppiness, causing "git init" to
>> leave the executable bit set on $GIT_DIR/config.
>>
>> So change create_default_files() to reset the permissions on
> s/permissions/executable bit/ ?
>> $GIT_DIR/config after its test.

The code literally resets all of the permissions to their values before
the test, so I think the existing text is more accurate (even though
your version would have been fine, too).

>> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
>> ---
>>  builtin/init-db.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/builtin/init-db.c b/builtin/init-db.c
>> index 56f85e2..95ca5e4 100644
>> --- a/builtin/init-db.c
>> +++ b/builtin/init-db.c
>> @@ -255,6 +255,7 @@ static int create_default_files(const char *template_path)
>>  		filemode = (!chmod(path, st1.st_mode ^ S_IXUSR) &&
>>  				!lstat(path, &st2) &&
>>  				st1.st_mode != st2.st_mode);
>> +		chmod(path, st1.st_mode);
> A "blind" chmod() is good, but I think checking the return code is better.
> 
>                 filemode &= (!chmod(path, st1.st_mode));

I guess it is better to include this test, even though it is mostly
redundant with what was already determined by the previous line. I
suppose the only alternative would be to

    die("Your chmod() support is bonkers")

I will change this in v2.

Thanks for your comments!

Michael

-- 
Michael Haggerty
mhagger@alum.mit.edu

Re: [PATCH 0/2] Don't make $GIT_DIR executable

[Michael Haggerty]

On 11/15/2014 08:50 AM, Eric Wong wrote:
> Michael Haggerty <mhagger@alum.mit.edu> wrote:
>> Michael Haggerty (2):
>>   create_default_files(): don't set u+x bit on $GIT_DIR/config
>>   config: clear the executable bits (if any) on $GIT_DIR/config
> 
> Thanks, I should've noticed this earlier :x
> Tested-by: Eric Wong <normalperson@yhbt.net>
> 
> Since the damage is done, perhaps removing +x from $GIT_DIR/config on
> _any_ git operation would be appropriate.

I believe that the u+x bit on the config file should be pretty harmless.
Nobody is likely to try to execute their config files, and even if they
do, the file contents are unlikely to resemble a script enough to do
anything bad.

So my feeling is that it is unnecessary to make every git invocation try
to remove the u+x bit on the file. Thus I'd rather skip the code clutter
and extra system call, limiting cleanup attempts to when the config file
is being rewritten anyway.

But if other people are more alarmed than I am about having executable
config files, I could certainly be persuaded that the extra effort is
justified.

Michael

-- 
Michael Haggerty
mhagger@alum.mit.edu

Re: [PATCH 2/2] config: clear the executable bits (if any) on $GIT_DIR/config

[Junio C Hamano]

Michael Haggerty <mhagger@alum.mit.edu> writes:

> There is no reason for $GIT_DIR/config to be executable, plus this
> change will help clean up repositories affected by the bug that was
> fixed by the previous commit.

I do not think we want to do this.

It is a welcome bugfix to create $GIT_DIR/config without executable
bit when and only when we create it.  It is very much in line with
"There is no reason for $GIT_DIR/config to be executable"---we do
not need to make it executable ourselves, so we shouldn't, but we
did which was a bug we want to fix in patch 1/2 you posted.

But with the "preserve existing permissions" fix we did earlier, the
end users are now allowed to flip the executable bit on for their
own purpose, and dropping it without knowing why they are doing so
is simply rude.  And honestly, Git do *not* even want to know why
the users want to flip the bit.

So I would suggest not to spend any cycle or any code complexity to
"repair" existing repositories.  Having that bit on does not hurt
anybody.  Those who found it curious can flip that bit off and then
Git with "preserve existing permissions" fix will keep that bit off
from then on.

Re: [PATCH 2/2] config: clear the executable bits (if any) on $GIT_DIR/config

[Michael Haggerty]

On 11/16/2014 07:49 PM, Junio C Hamano wrote:
> Michael Haggerty <mhagger@alum.mit.edu> writes:
> 
>> There is no reason for $GIT_DIR/config to be executable, plus this
>> change will help clean up repositories affected by the bug that was
>> fixed by the previous commit.
> 
> I do not think we want to do this.
> 
> It is a welcome bugfix to create $GIT_DIR/config without executable
> bit when and only when we create it.  It is very much in line with
> "There is no reason for $GIT_DIR/config to be executable"---we do
> not need to make it executable ourselves, so we shouldn't, but we
> did which was a bug we want to fix in patch 1/2 you posted.
> 
> But with the "preserve existing permissions" fix we did earlier, the
> end users are now allowed to flip the executable bit on for their
> own purpose, and dropping it without knowing why they are doing so
> is simply rude.  And honestly, Git do *not* even want to know why
> the users want to flip the bit.
> 
> So I would suggest not to spend any cycle or any code complexity to
> "repair" existing repositories.  Having that bit on does not hurt
> anybody.  Those who found it curious can flip that bit off and then
> Git with "preserve existing permissions" fix will keep that bit off
> from then on.

I disagree. The point of "preserve existing permissions" was to allow
people to make their config files more readable/writable than the
default, with the main use case being to help users who want to hide
secret information in their config files.

I think it is really far-fetched to imagine that anybody made his config
file executable on purpose. Whereas we are *sure* that we have created
lots of repositories with config files that were set executable by accident.

Let's redefine the "feature" that was added in 2.1 from "preserve
existing permissions" to "preserve existing read/write permissions" and
thereby help people clean up the mess we made.

That being said, I still believe that executable config files are not a
significant risk in practice, so I'm not going to lose sleep about it
either way.

Michael

-- 
Michael Haggerty
mhagger@alum.mit.edu

Re: [PATCH 2/2] config: clear the executable bits (if any) on $GIT_DIR/config

[Junio C Hamano]

Michael Haggerty <mhagger@alum.mit.edu> writes:

> On 11/16/2014 07:49 PM, Junio C Hamano wrote:
> ...
>> So I would suggest not to spend any cycle or any code complexity to
>> "repair" existing repositories.  Having that bit on does not hurt
>> anybody.  Those who found it curious can flip that bit off and then
>> Git with "preserve existing permissions" fix will keep that bit off
>> from then on.
>
> I disagree. The point of "preserve existing permissions" was to allow
> people to make their config files more readable/writable than the
> default,...

s/more/less/, I think, was the original motivation.  Having to limit
more tightly than usual was what made the "config" unusual among
files under $GIT_DIR.  If it were to loosen, Eric's change should
not have been done in the first place. The sharedRepository setting
to defeat the default umask is there for that kind of thing.

> That being said, I still believe that executable config files are not a
> significant risk ...

It is merely an annoyance, to the same degree of annoyance we find
when we see all files appear executable on a FAT floppy mounted on
Linux ;-)  I do not think it is a risk at all, and I do not see a
point in going into people's repository and actively "fixing" it.
People who notice can fix, and people who do not care do not care
and are not harmed.

Re: [PATCH 2/2] config: clear the executable bits (if any) on $GIT_DIR/config

[Michael Haggerty]

On 11/17/2014 04:33 PM, Junio C Hamano wrote:
> Michael Haggerty <mhagger@alum.mit.edu> writes:
> 
>> On 11/16/2014 07:49 PM, Junio C Hamano wrote:
>> ...
>>> So I would suggest not to spend any cycle or any code complexity to
>>> "repair" existing repositories.  Having that bit on does not hurt
>>> anybody.  Those who found it curious can flip that bit off and then
>>> Git with "preserve existing permissions" fix will keep that bit off
>>> from then on.
>>
>> I disagree. The point of "preserve existing permissions" was to allow
>> people to make their config files more readable/writable than the
>> default,...
> 
> s/more/less/, I think, was the original motivation. Having to limit
> more tightly than usual was what made the "config" unusual among
> files under $GIT_DIR.  If it were to loosen, Eric's change should
> not have been done in the first place. The sharedRepository setting
> to defeat the default umask is there for that kind of thing.

Oops, you are right. I actually meant to type "less or more", but I see
that "more" would be pretty useless.

>> That being said, I still believe that executable config files are not a
>> significant risk ...
> 
> It is merely an annoyance, to the same degree of annoyance we find
> when we see all files appear executable on a FAT floppy mounted on
> Linux ;-)  I do not think it is a risk at all, and I do not see a
> point in going into people's repository and actively "fixing" it.
> People who notice can fix, and people who do not care do not care
> and are not harmed.

OK, then, I'll send a new copy of patch 1/2 and drop 2/2.

Michael

-- 
Michael Haggerty
mhagger@alum.mit.edu