From: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
To: Joe Rayhawk <jrayhawk@freedesktop.org>
Cc: Git Mailing List <git@vger.kernel.org>
Subject: Re: Shared repositories no longer securable against privilege escalation
Date: Sat, 18 Mar 2017 22:17:50 +0100 [thread overview]
Message-ID: <CACBZZX4VApZnO1u708nxqq711K7PD66U=mTT2tjnbt2XjxmQew@mail.gmail.com> (raw)
In-Reply-To: <148971018136.2144.12683278043600094739@richardiv.omgwallhack.org>
On Fri, Mar 17, 2017 at 1:23 AM, Joe Rayhawk <jrayhawk@freedesktop.org> wrote:
> Git has started requiring write access to the root of bare repositories
> in order to create /HEAD.lock. This is a major security problem in
> shared environments as it also entails control over the /config link
> i.e. core.hooksPath. Permission to write objects and update refs should
> be entirely separate from permission to edit hook execution logic.
[Full disclosure: I implemented core.hooksPath]
The core.hooksPath facility doesn't introduce any sort of new security
problems that didn't exist already, and if you're just focusing on the
sort of problems changing core.hooksPath might bring up you're still
vulnerable to those.
If you give me general shell access to some repo where I can write
refs and objects you can't use hooks to sanity check anything I push.
E.g. let's say you have an "update" hook which makes sure I can't push
binaries (malware) to your "master" branch. I can just push that to
some other branch, then log in and run:
echo <new_sha1> > /path/to/bare/repo.git/refs/heads/master
Ah ha! You might say, you'll just make that update hook run for any
branch or reference! That doesn't matter either, if you give me write
access to objects/ and refs/ I can just manually echo the objects I
want there, and then manually update the ref.
If you want to run a shared repository via ssh login where you want to
reliably execute hooks you need to either use something like Gitolite,
as Jakub points out, or e.g. set the user's shell to git-shell or some
similar facility which whitelists the commands the user can run.
Anything else is just security through obscurity.
prev parent reply other threads:[~2017-03-18 21:18 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-17 0:23 Shared repositories no longer securable against privilege escalation Joe Rayhawk
2017-03-17 12:07 ` Michael Haggerty
2017-03-17 15:26 ` Junio C Hamano
2017-03-17 16:48 ` Joe Rayhawk
2017-03-17 18:10 ` Junio C Hamano
2017-03-17 17:12 ` Joe Rayhawk
2017-03-18 19:32 ` Jakub Narębski
2017-03-17 18:24 ` Junio C Hamano
2017-03-18 21:17 ` Ævar Arnfjörð Bjarmason [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACBZZX4VApZnO1u708nxqq711K7PD66U=mTT2tjnbt2XjxmQew@mail.gmail.com' \
--to=avarab@gmail.com \
--cc=git@vger.kernel.org \
--cc=jrayhawk@freedesktop.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).