Re: regression: "96b9e0e3 config: treat user and xdg config permission problems as errors" busted git-daemon

[Junio C Hamano <gitster@pobox.com>]

Jeff King <peff@peff.net> writes:

> So here's what I came up with. I tried to make the exception as tight as
> possible by checking that $HOME was actually the problem, as that is the
> common problem (you switch users, but HOME is pointing to the old user).
> ...
> diff --git a/daemon.c b/daemon.c
> index 131b049..6c56cc0 100644
> --- a/daemon.c
> +++ b/daemon.c
> @@ -1091,7 +1091,7 @@ static void drop_privileges(struct credentials *cred)
>  	if (cred && (initgroups(cred->pass->pw_name, cred->gid) ||
>  	    setgid (cred->gid) || setuid(cred->pass->pw_uid)))
>  		die("cannot drop privileges");
> -	setenv("GIT_CONFIG_INACCESSIBLE_HOME_OK", "1", 0);
> +	setenv(GIT_INACCESSIBLE_HOME_OK_ENVIRONMENT, "1", 0);
>  }

Compared against an unpublished diffbase???

>  
>  static struct credentials *prepare_credentials(const char *user_name,
> diff --git a/wrapper.c b/wrapper.c
> index bac59d2..644f867 100644
> --- a/wrapper.c
> +++ b/wrapper.c
> @@ -416,11 +416,52 @@ int access_or_die(const char *path, int mode)
>  	return ret;
>  }
>  
> +/*
> + * Returns true iff the path is under $HOME, that directory is inaccessible,
> + * and the user has told us through the environment that an inaccessible HOME
> + * is OK. The results are cached so that repeated calls will not make multiple
> + * syscalls.
> + */
> +static int inaccessible_home_ok(const char *path)
> +{
> +	static int gentle = -1;
> +	static int home_inaccessible = -1;
> +	const char *home;
> +
> +	if (gentle < 0)
> +		gentle = git_env_bool(GIT_INACCESSIBLE_HOME_OK_ENVIRONMENT, 0);
> +	if (!gentle)
> +		return 0;
> +
> +	home = getenv("HOME");
> +	if (!home)
> +		return 0;
> +	/*
> +	 * We do not bother with normalizing PATHs to avoid symlinks
> +	 * here, since the point is to catch paths that are
> +	 * constructed as "$HOME/...".
> +	 */
> +	if (prefixcmp(path, home) && path[strlen(home)] == '/')
> +		return 0;
> +
> +	if (home_inaccessible < 0)
> +		home_inaccessible = access(home, R_OK|X_OK) < 0 && errno == EACCES;
> +	return home_inaccessible;
> +}
> +
>  int access_or_die(const char *path, int mode)
>  {
>  	int ret = access(path, mode);
> -	if (ret && errno != ENOENT && errno != ENOTDIR)
> +	if (ret && errno != ENOENT && errno != ENOTDIR) {
> +		/*
> +		 * We do not have to worry about clobbering errno
> +		 * in inaccessible_home_ok, because we get either EACCES
> +		 * again, or we die.
> +		 */
> +		if (errno == EACCES && inaccessible_home_ok(path))
> +			return ret;

OK, so the idea is

 - The environment can tell us to ignore permission errors for paths
   under $HOME if (and only if) $HOME itself is not readable;

 - We got a permission error here.  inaccessible_home_ok() will tell
   us if the path is under $HOME and the above condition holds (in
   which case it will say "ok, ignore that error").

which sounds good, but it relies on the caller of this function not
to try actually reading from the path.

If the access() failed due to ENOENT, the caller will get a negative
return from this function and will treat it as "ok, it does not
exist", with the original or the updated code.  This new case is
treated the same way by the existing callers, i.e. pretending as if
there is _no_ file in that unreadable $HOME directory.

That semantics sounds sane and safe to me.