From: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
To: Jeff King <peff@peff.net>
Cc: Jonathan Nieder <jrnieder@gmail.com>,
git@vger.kernel.org, Junio C Hamano <gitster@pobox.com>,
Brandon Williams <bwilliamseng@gmail.com>,
Jonathan Tan <jonathantanmy@google.com>
Subject: Re: [PATCH v2 8/8] tests: mark tests broken under GIT_TEST_PROTOCOL_VERSION=2
Date: Tue, 18 Dec 2018 14:10:19 +0100 [thread overview]
Message-ID: <87d0pzf0as.fsf@evledraar.gmail.com> (raw)
In-Reply-To: <20181218123646.GA30471@sigill.intra.peff.net>
On Tue, Dec 18 2018, Jeff King wrote:
> On Mon, Dec 17, 2018 at 03:14:52PM -0800, Jonathan Nieder wrote:
>
>> > IMHO those security guarantees there are overrated (due to delta
>> > guessing attacks, though things are not quite as bad if the attacker
>> > can't actually push to the repo).
>>
>> Do you have a proof of concept for delta guessing? My understanding
>> was that without using a broken hash (e.g. uncorrected SHA-1), it is
>> not feasible to carry out.
>
> I think we may be talking about two different things. I mean an attack
> where you want to know what is in object X, so you ask the server for
> object Y and tell it that you already have X. If the sender generates a
> delta against X, that tells you something about what's in X.
>
> For a pure read-only server, you're restricted to the Y's that are
> already in the repo. So how effective this is depends on what's in X,
> and what Y's are available.
>
> For a case where X is in a victim repo you cannot make arbitrary writes
> to, but you _can_ make the victim repo aware of other objects (e.g., by
> opening a pull request that creates a ref), then you can iteratively
> provide many Y's, improving your guess about X in each iteration.
>
> For a case where the victim repo has fully shared storage (GitHub, and
> probably other hosts; I'm not sure if it's available yet, but GitLab is
> clearly working on shared-storage too), you can probably skip all that
> and just push a ref pointing to X with an empty pack (Git just cares
> that it has all of the objects afterwards, not that you pushed them).
>
> None of those care about the quality of the hash (they do assume you
> know the hash of X already, but then so does fetching by object id).
>
> And no, I've never written a proof-of-concept for that. It would depend
> largely on the data you're trying to extract. E.g., if you think X
> contains "root:XXXXXX", then you might hope to ask for "root:AXXXXX",
> then "root:BXXXXX", etc. You know you've got a hit when the delta gets
> smaller. So the complexity for guessing N bytes becomes 256*N, rather
> than 256^N.
>
>> > But I agree that people do assume it's the case. I was certainly
>> > surprised by the v2 behavior, and I don't remember that aspect being
>> > discussed.
>>
>> IMHO it's a plain bug (either in implementation or documentation).
>
> Or both. :) The behavior and the documentation seem to agree.
>
>> [...]
>> >> I'm inclined to say that in the face of that "SECURITY" section we
>> >> should just:
>> >>
>> >> * Turn on uploadpack.allowReachableSHA1InWant for v0/v1 by
>> >> default. Make saying uploadpack.allowReachableSHA1InWant=false warn
>> >> with "this won't work, see SECURITY...".
>> >>
>> >> * The uploadpack.allowTipSHA1InWant setting will also be turned on by
>> >> default, and will be much faster, since it'll just degrade to
>> >> uploadpack.allowReachableSHA1InWant=true and we won't need any
>> >> reachability check. We'll also warn saying that setting it is
>> >> useless.
>> >
>> > No real argument from me. I have always thought those security
>> > guarantees were BS.
>>
>> This would make per-branch ACLs (as implemented both by Gerrit and
>> gitolite) an essentially useless feature, so please no.
>
> I think Ævar's argument is that those are providing a false sense of
> security now (at least for read permissions).
>
> Let me clarify my position a little.
>
> I won't claim the existing scheme provides _no_ value (especially the
> pure read-only case above is less dicey than the others). It's mostly
> that the protections are very hand-wavy. I don't trust them _now_, and I
> have little faith that other innocent-looking changes to the object
> negotiation and the packing code will not significantly weaken them.
> There's no security boundary expressed within Git's code, so there's a
> very high chance of information leaking accidentally. A trustable system
> would have boundaries built in from the ground up.
>
> Enough people seem to believe otherwise (i.e., that the hand-waving
> arguments are worth _something_) that I've never pushed to actually
> change the default behavior. But if Ævar wants to try to do so, I'm not
> going to stand in my way (hence my "no argument from me").
FWIW I don't really care about this, I don't rely on
uploadpack.allow{Tip,Reachable,Any}SHA1InWant=false I'm just on the
side-quest of:
1. Try protocol v2
2. Discover that v2 implictly has uploadpack.allowAnySHA1InWant=true
enabled
3. Some people (including Jonathan) can reasonable read our docs /
seem to have understood this to be a security mechanism
4. What are we going to do about that v1 & v2 discrepancy? [You are
here!]
The genreal ways I see forward from that are:
A) Say that v2 has a security issue and that this is a feature that
works in some circumstances, but given Jeff's explanation here we
should at least improve our "SECURITY" docs to be less handwaivy.
B) Improve security docs, turn uploadpack.allowAnySHA1InWant=true on by
default, allow people to turn it off.
C) Like B) but deprecate
uploadpack.allow{Tip,Reachable,Any}SHA1InWant=false. This is my
patch upthread
D-Z) ???
I'm not set on C), and yeah it's probably overzelous to just rip the
thing out, but then what should we do?
>> I would be all for changing the default, but making turning off
>> allowReachableSHA1InWant an unsupported deprecated thing is a step too
>> far, in my opinion.
>
> Yes, I agree if we were to go down this road, it probably makes sense to
> flip the knobs and let them be "unflipped" if the user wants.
>
>> Is there somewhere that we can document these kinds of invariants or
>> goals so that we don't have to keep repeating the same discussions?
>
> It's not clear to me that there's consensus on the invariants or goals.
> ;)
>
> -Peff
next prev parent reply other threads:[~2018-12-18 13:10 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-11 10:42 [PATCH 0/3] protocol v2 and hidden refs Jeff King
2018-12-11 10:43 ` [PATCH 1/3] serve: pass "config context" through to individual commands Jeff King
2018-12-14 2:09 ` Junio C Hamano
2018-12-14 8:20 ` Jeff King
2018-12-15 0:31 ` Junio C Hamano
2018-12-16 10:25 ` Jeff King
2018-12-16 11:12 ` Junio C Hamano
2018-12-18 12:47 ` Jeff King
2018-12-14 8:36 ` Jonathan Nieder
2018-12-14 8:55 ` Jeff King
2018-12-14 9:28 ` Jonathan Nieder
2018-12-14 9:55 ` Jeff King
2018-12-11 10:43 ` [PATCH 2/3] parse_hide_refs_config: handle NULL section Jeff King
2018-12-14 2:11 ` Junio C Hamano
2018-12-11 10:44 ` [PATCH 3/3] upload-pack: support hidden refs with protocol v2 Jeff King
2018-12-11 11:45 ` [PATCH 0/3] protocol v2 and hidden refs Ævar Arnfjörð Bjarmason
2018-12-11 13:55 ` Jeff King
2018-12-11 21:21 ` [PATCH 0/3] Add a GIT_TEST_PROTOCOL_VERSION=X test mode Ævar Arnfjörð Bjarmason
2018-12-11 21:24 ` Ævar Arnfjörð Bjarmason
2018-12-11 21:21 ` [PATCH 1/3] tests: add a special setup where for protocol.version Ævar Arnfjörð Bjarmason
2018-12-12 0:27 ` [PATCH 0/3] Some fixes and improvements Jonathan Tan
2018-12-12 0:27 ` [PATCH 1/3] squash this into your patch Jonathan Tan
2018-12-12 0:27 ` [PATCH 2/3] builtin/fetch-pack: support protocol version 2 Jonathan Tan
2018-12-12 0:27 ` [PATCH 3/3] also squash this into your patch Jonathan Tan
2018-12-13 2:49 ` [PATCH 0/3] Some fixes and improvements Junio C Hamano
2018-12-13 15:58 ` [PATCH v2 0/8] protocol v2 fixes Ævar Arnfjörð Bjarmason
2018-12-17 22:40 ` [PATCH v3 0/4] " Ævar Arnfjörð Bjarmason
2018-12-18 12:48 ` Jeff King
2018-12-17 22:40 ` [PATCH v3 1/4] serve: pass "config context" through to individual commands Ævar Arnfjörð Bjarmason
2018-12-17 22:40 ` [PATCH v3 2/4] parse_hide_refs_config: handle NULL section Ævar Arnfjörð Bjarmason
2018-12-17 22:40 ` [PATCH v3 3/4] upload-pack: support hidden refs with protocol v2 Ævar Arnfjörð Bjarmason
2018-12-17 22:40 ` [PATCH v3 4/4] fetch-pack: support protocol version 2 Ævar Arnfjörð Bjarmason
2019-01-08 19:45 ` Junio C Hamano
2019-01-08 20:38 ` Jonathan Tan
2019-01-08 21:14 ` Jeff King
2018-12-13 15:58 ` [PATCH v2 1/8] serve: pass "config context" through to individual commands Ævar Arnfjörð Bjarmason
2018-12-13 15:58 ` [PATCH v2 2/8] parse_hide_refs_config: handle NULL section Ævar Arnfjörð Bjarmason
2018-12-13 15:58 ` [PATCH v2 3/8] upload-pack: support hidden refs with protocol v2 Ævar Arnfjörð Bjarmason
2018-12-13 15:58 ` [PATCH v2 4/8] tests: add a check for unportable env --unset Ævar Arnfjörð Bjarmason
2018-12-13 15:58 ` [PATCH v2 5/8] tests: add a special setup where for protocol.version Ævar Arnfjörð Bjarmason
2018-12-13 19:48 ` Jonathan Tan
2018-12-13 15:58 ` [PATCH v2 6/8] tests: mark & fix tests broken under GIT_TEST_PROTOCOL_VERSION=1 Ævar Arnfjörð Bjarmason
2018-12-13 15:58 ` [PATCH v2 7/8] builtin/fetch-pack: support protocol version 2 Ævar Arnfjörð Bjarmason
2018-12-14 10:17 ` Jeff King
2018-12-13 15:58 ` [PATCH v2 8/8] tests: mark tests broken under GIT_TEST_PROTOCOL_VERSION=2 Ævar Arnfjörð Bjarmason
2018-12-13 16:08 ` Ævar Arnfjörð Bjarmason
2018-12-14 2:18 ` Junio C Hamano
2018-12-14 10:12 ` Jeff King
2018-12-14 10:55 ` Ævar Arnfjörð Bjarmason
2018-12-14 11:08 ` Ævar Arnfjörð Bjarmason
2018-12-17 19:59 ` Jeff King
2018-12-17 19:57 ` Jeff King
2018-12-17 22:16 ` [PATCH] upload-pack: turn on uploadpack.allowAnySHA1InWant=true Ævar Arnfjörð Bjarmason
2018-12-17 22:34 ` David Turner
2018-12-17 22:57 ` Ævar Arnfjörð Bjarmason
2018-12-17 23:07 ` David Turner
2018-12-17 23:14 ` [PATCH v2 8/8] tests: mark tests broken under GIT_TEST_PROTOCOL_VERSION=2 Jonathan Nieder
2018-12-17 23:36 ` Ævar Arnfjörð Bjarmason
2018-12-18 0:02 ` Jonathan Nieder
2018-12-18 9:28 ` Ævar Arnfjörð Bjarmason
2018-12-18 12:41 ` Jeff King
2018-12-18 12:36 ` Jeff King
2018-12-18 13:10 ` Ævar Arnfjörð Bjarmason [this message]
2018-12-26 22:14 ` Junio C Hamano
2018-12-27 11:26 ` Ævar Arnfjörð Bjarmason
2018-12-27 17:10 ` Jonathan Nieder
2018-12-11 21:21 ` [PATCH 2/3] tests: mark tests broken under GIT_TEST_PROTOCOL_VERSION=1 Ævar Arnfjörð Bjarmason
2018-12-11 21:21 ` [PATCH 3/3] tests: mark tests broken under GIT_TEST_PROTOCOL_VERSION=2 Ævar Arnfjörð Bjarmason
2018-12-13 19:53 ` [PATCH 0/3] protocol v2 and hidden refs Jonathan Tan
2018-12-14 8:35 ` Jeff King
2018-12-15 19:53 ` Ævar Arnfjörð Bjarmason
2018-12-16 10:40 ` Jeff King
2018-12-16 11:47 ` Ævar Arnfjörð Bjarmason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87d0pzf0as.fsf@evledraar.gmail.com \
--to=avarab@gmail.com \
--cc=bwilliamseng@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=jonathantanmy@google.com \
--cc=jrnieder@gmail.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).