From: Carlo Arenas <carenas@gmail.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: phillip.wood@dunelm.org.uk,
"Johannes Schindelin" <Johannes.Schindelin@gmx.de>,
git@vger.kernel.org, bagasdotme@gmail.com,
"Guy Maurel" <guy.j@maurel.de>,
"SZEDER Gábor" <szeder.dev@gmail.com>,
"Randall Becker" <rsbecker@nexbridge.com>
Subject: Re: [PATCH v3 2/3] git-compat-util: avoid failing dir ownership checks if running privileged
Date: Fri, 6 May 2022 14:40:05 -0700 [thread overview]
Message-ID: <CAPUEsphoG75eY-SmRfFvv-sfo7pwxtaWoeWN0QbsYK7M01XyVA@mail.gmail.com> (raw)
In-Reply-To: <xmqqh762js1j.fsf@gitster.g>
On Fri, May 6, 2022 at 2:00 PM Junio C Hamano <gitster@pobox.com> wrote:
>
> Carlo Arenas <carenas@gmail.com> writes:
>
> > On Fri, May 6, 2022 at 1:00 PM Junio C Hamano <gitster@pobox.com> wrote:
> >>
> >> Carlo Arenas <carenas@gmail.com> writes:
> >>
> >> > which is also why we can't use it, any possibly bogus or suspicious
> >> > value we get from SUDO_UID MUST be ignored.
> >>
> >> I do not think I agree. If we have a strange value in SUDO_UID, it
> >> would be much better and safer to err on the safe side.
> >
> > ignoring it is the safe side; for example if we replace the current
> > function with the proposed one then some user lucky enough to have
> > access to the latest linux supercomputer that has been patched to have
> > a 64-bit uid_t (because who makes 32-bit supercomputers nowadays)
> > would get root[1] access by simply faking his SUDO_UID to be UINT_MAX
> > + 1.
>
> Since we do not pay attention to SUDO_UID unless euid is root,
> anybody who can attack by faking SUDO_UID to affect what Git does
> can already become root on the box.
Normally yes, but they just might be too clever and found instead a way to
fool sudo into generating a bogus SUDO_UID with the hopes that whoever
implemented this forgot to check for bogus values and used atoi() and
therefore grants them uid = 0 for whatever nefarious objective they
might have.
While we can't protect against a buggy sudo, we can't do the next best
thing and that is to NOT let a would-be attacker still get their 5 min
of fame by reporting a vulnerability in git, because they just made it
crash through sudo.
Especially when the impact of just ignoring them and going our merry
way is that (with the current code) we will use the euid of the user
that started sudo and "do the right thing" (tm).
> In any case, if we notice that SUDO_UID is not a valid number and
> die(), we deny the access anyway, so there is no need to write more
> code to ignore.
not sure which additional code you are referring to here, but
currently the only code to ignore is embedded in the one that is
needed to read the value, so it is not additional, except maybe for
the (uid_t)-1 check that was discussed before[1] and that is what
protects us from overflows when sizeof(long) > sizeof(uid_t) &&
UID_T_MIN >= 0, which are likely most of the systems we are expected
to run on.
if you are referring to the whole function that could be replaced by
using instead git_env_ulong() as dscho suggested, additional code
would be needed anyway to make sure that we truncate it appropriately
as what we really need is a git_env_uint32() which I am really glad to
add if you would rather go that way, but is definitely going to
require more code than what we have right now.
Note also that we will need to add a flag to it, so it doesn't try to
be helpful and allow SUDO_UID=0M to sneak in.
Carlo
[1] https://lore.kernel.org/git/CAPUEsphFb-=BcV-mxS5RZpJQ8UVq23ni0Lo8tQ4J3TP04B4KQg@mail.gmail.com/
next prev parent reply other threads:[~2022-05-06 21:40 UTC|newest]
Thread overview: 170+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-26 18:31 [RFC PATCH] git-compat-util: avoid failing dir ownership checks if running priviledged Carlo Marcelo Arenas Belón
2022-04-26 19:48 ` Derrick Stolee
2022-04-26 19:56 ` Junio C Hamano
2022-04-26 20:10 ` rsbecker
2022-04-26 20:45 ` Carlo Arenas
2022-04-26 21:10 ` Junio C Hamano
2022-04-26 20:12 ` Carlo Arenas
2022-04-26 20:26 ` Carlo Arenas
2022-04-29 16:16 ` Derrick Stolee
2022-04-27 0:05 ` [PATCH] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-04-27 9:33 ` Phillip Wood
2022-04-27 12:30 ` Phillip Wood
2022-04-27 14:15 ` rsbecker
2022-04-27 15:58 ` Carlo Arenas
2022-04-27 16:14 ` Phillip Wood
2022-04-27 18:54 ` Junio C Hamano
2022-04-27 20:59 ` Carlo Arenas
2022-04-27 21:09 ` rsbecker
2022-04-27 21:25 ` Junio C Hamano
2022-04-28 17:56 ` Phillip Wood
2022-04-27 15:38 ` Carlo Arenas
2022-04-27 15:50 ` rsbecker
2022-04-27 16:19 ` Junio C Hamano
2022-04-27 16:45 ` Carlo Arenas
2022-04-27 17:22 ` Phillip Wood
2022-04-27 17:49 ` rsbecker
2022-04-27 17:54 ` Carlo Arenas
2022-04-27 18:05 ` rsbecker
2022-04-27 18:11 ` Carlo Arenas
2022-04-27 18:16 ` rsbecker
2022-04-27 16:31 ` Phillip Wood
2022-04-27 16:54 ` Carlo Arenas
2022-04-27 17:28 ` Phillip Wood
2022-04-27 17:49 ` Carlo Arenas
2022-04-27 22:26 ` [RFC PATCH v2] " Carlo Marcelo Arenas Belón
2022-04-27 22:33 ` Junio C Hamano
2022-04-28 3:35 ` [PATCH 0/2] fix `sudo make install` regression in maint Carlo Marcelo Arenas Belón
2022-04-28 3:35 ` [PATCH 1/2] Documentation: explain how safe.directory works when running under sudo Carlo Marcelo Arenas Belón
2022-04-28 5:17 ` Junio C Hamano
2022-04-28 5:58 ` Carlo Arenas
2022-04-28 6:41 ` Junio C Hamano
2022-04-28 3:35 ` [PATCH 2/2] t: add tests for safe.directory when running with sudo Carlo Marcelo Arenas Belón
2022-04-28 5:34 ` Junio C Hamano
2022-04-28 4:57 ` [PATCH 0/2] fix `sudo make install` regression in maint Junio C Hamano
2022-04-28 10:58 ` [PATCH v2 0/3] " Carlo Marcelo Arenas Belón
2022-04-28 10:58 ` [PATCH v2 1/3] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-04-28 18:02 ` Phillip Wood
2022-04-28 18:57 ` Carlo Arenas
2022-04-28 10:58 ` [PATCH v2 2/3] Documentation: explain how safe.directory works when running under sudo Carlo Marcelo Arenas Belón
2022-04-30 6:17 ` Bagas Sanjaya
2022-04-30 6:39 ` Junio C Hamano
2022-04-30 14:15 ` Carlo Marcelo Arenas Belón
2022-04-28 10:58 ` [PATCH v2 3/3] t: add tests for safe.directory when running with sudo Carlo Marcelo Arenas Belón
2022-04-28 16:55 ` Junio C Hamano
2022-04-28 18:08 ` Phillip Wood
2022-04-28 18:12 ` Junio C Hamano
2022-05-06 17:50 ` Carlo Arenas
2022-05-06 21:43 ` Junio C Hamano
2022-05-06 22:57 ` Carlo Arenas
2022-05-06 23:55 ` Junio C Hamano
2022-05-07 11:57 ` Carlo Marcelo Arenas Belón
2022-04-28 19:53 ` rsbecker
2022-04-28 20:22 ` Carlo Arenas
2022-04-28 20:43 ` rsbecker
2022-04-28 20:51 ` Junio C Hamano
2022-04-28 20:56 ` Carlo Arenas
2022-04-28 21:55 ` rsbecker
2022-04-28 22:21 ` Junio C Hamano
2022-04-28 22:45 ` rsbecker
2022-04-28 20:46 ` Junio C Hamano
2022-04-28 20:32 ` Junio C Hamano
2022-04-28 20:40 ` rsbecker
2022-04-28 20:48 ` Carlo Arenas
2022-04-28 21:02 ` Carlo Arenas
2022-04-28 21:07 ` Junio C Hamano
2022-04-29 1:24 ` Carlo Marcelo Arenas Belón
2022-04-29 18:50 ` Junio C Hamano
2022-04-29 20:05 ` Carlo Marcelo Arenas Belón
2022-05-02 18:39 ` [RFC PATCH v3 0/3] fix `sudo make install` regression in maint Carlo Marcelo Arenas Belón
2022-05-02 18:39 ` [RFC PATCH v3 1/3] t: document regression git safe.directory when using sudo Carlo Marcelo Arenas Belón
2022-05-02 21:35 ` Junio C Hamano
2022-05-02 23:07 ` Carlo Arenas
2022-05-02 18:39 ` [RFC PATCH v3 2/3] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-05-02 18:39 ` [RFC PATCH v3 3/3] t0034: enhance framework to allow testing more commands under sudo Carlo Marcelo Arenas Belón
2022-05-02 22:10 ` Junio C Hamano
2022-05-03 0:00 ` Carlo Arenas
2022-05-03 6:54 ` [PATCH v3 0/3] fix `sudo make install` regression in maint Carlo Marcelo Arenas Belón
2022-05-03 6:54 ` [PATCH v3 1/3] t: document regression git safe.directory when using sudo Carlo Marcelo Arenas Belón
2022-05-03 14:03 ` Phillip Wood
2022-05-03 15:56 ` Carlo Marcelo Arenas Belón
2022-05-04 11:15 ` Phillip Wood
2022-05-04 13:02 ` Carlo Arenas
2022-05-04 14:11 ` Phillip Wood
2022-05-05 13:44 ` Johannes Schindelin
2022-05-05 14:34 ` Phillip Wood
2022-05-05 15:50 ` Junio C Hamano
2022-05-05 18:33 ` Junio C Hamano
2022-05-05 19:39 ` Junio C Hamano
2022-05-06 21:03 ` Carlo Arenas
2022-05-09 8:21 ` Phillip Wood
2022-05-09 14:51 ` Carlo Arenas
2022-05-09 15:18 ` Phillip Wood
2022-05-09 16:01 ` Junio C Hamano
2022-05-09 16:21 ` Carlo Arenas
2022-05-06 17:39 ` Carlo Arenas
2022-05-03 6:54 ` [PATCH v3 2/3] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-05-05 14:01 ` Johannes Schindelin
2022-05-05 14:32 ` Phillip Wood
2022-05-06 19:15 ` Carlo Arenas
2022-05-06 20:00 ` Junio C Hamano
2022-05-06 20:22 ` Carlo Arenas
2022-05-06 20:59 ` Junio C Hamano
2022-05-06 21:40 ` Carlo Arenas [this message]
2022-05-06 21:07 ` rsbecker
2022-05-05 16:09 ` Junio C Hamano
2022-05-06 20:02 ` Carlo Arenas
2022-05-03 6:54 ` [PATCH v3 3/3] t0034: enhance framework to allow testing more commands under sudo Carlo Marcelo Arenas Belón
2022-05-03 14:12 ` Phillip Wood
2022-05-03 15:27 ` Junio C Hamano
2022-05-06 16:54 ` Carlo Arenas
2022-05-07 16:35 ` [RFC PATCH v4 0/3] fix `sudo make install` regression in maint Carlo Marcelo Arenas Belón
2022-05-07 16:35 ` [RFC PATCH v4 1/3] t: regression git needs safe.directory when using sudo Carlo Marcelo Arenas Belón
2022-05-07 16:35 ` [RFC PATCH v4 2/3] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-05-07 17:34 ` Junio C Hamano
2022-05-07 18:56 ` Carlo Marcelo Arenas Belón
2022-05-09 16:54 ` Junio C Hamano
2022-05-09 17:36 ` rsbecker
2022-05-09 18:48 ` Carlo Arenas
2022-05-09 19:16 ` rsbecker
2022-05-09 19:41 ` Junio C Hamano
2022-05-07 16:35 ` [RFC PATCH v4 3/3] t0034: add negative tests and allow git init to mostly work under sudo Carlo Marcelo Arenas Belón
2022-05-10 14:17 ` [RFC PATCH v4 0/3] fix `sudo make install` regression in maint Phillip Wood
2022-05-10 15:47 ` Carlo Arenas
2022-05-10 17:46 ` [PATCH " Carlo Marcelo Arenas Belón
2022-05-10 17:46 ` [PATCH v4 1/3] t: regression git needs safe.directory when using sudo Carlo Marcelo Arenas Belón
2022-05-10 22:10 ` Junio C Hamano
2022-05-10 23:11 ` Carlo Arenas
2022-05-10 23:44 ` Junio C Hamano
2022-05-11 0:56 ` Carlo Arenas
2022-05-11 1:11 ` Junio C Hamano
2022-05-10 17:46 ` [PATCH v4 2/3] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-05-10 22:57 ` Junio C Hamano
2022-05-11 7:34 ` Carlo Arenas
2022-05-11 14:58 ` Junio C Hamano
2022-05-10 17:46 ` [PATCH v4 3/3] t0034: add negative tests and allow git init to mostly work under sudo Carlo Marcelo Arenas Belón
2022-05-10 23:11 ` Junio C Hamano
2022-05-10 23:25 ` Junio C Hamano
2022-05-11 14:04 ` Carlo Arenas
2022-05-11 15:29 ` Junio C Hamano
2022-05-13 1:00 ` [PATCH v5 0/4] fix `sudo make install` regression in maint Carlo Marcelo Arenas Belón
2022-05-13 1:00 ` [PATCH v5 1/4] t: regression git needs safe.directory when using sudo Carlo Marcelo Arenas Belón
2022-06-03 12:12 ` SZEDER Gábor
2022-05-13 1:00 ` [PATCH v5 2/4] git-compat-util: avoid failing dir ownership checks if running privileged Carlo Marcelo Arenas Belón
2022-06-03 11:05 ` SZEDER Gábor
2022-06-03 16:54 ` Junio C Hamano
2022-06-03 17:34 ` SZEDER Gábor
2022-05-13 1:00 ` [PATCH v5 3/4] t0034: add negative tests and allow git init to mostly work under sudo Carlo Marcelo Arenas Belón
2022-05-13 1:20 ` Junio C Hamano
2022-05-14 14:36 ` Carlo Arenas
2022-05-15 16:54 ` Junio C Hamano
2022-05-15 19:21 ` Carlo Arenas
2022-05-16 5:27 ` Junio C Hamano
2022-05-16 13:07 ` Carlo Marcelo Arenas Belón
2022-05-16 16:25 ` Junio C Hamano
2022-05-13 1:00 ` [PATCH v5 4/4] git-compat-util: allow root to access both SUDO_UID and root owned Carlo Marcelo Arenas Belón
2022-06-15 14:02 ` Johannes Schindelin
2022-06-17 14:26 ` Carlo Arenas
2022-06-17 16:00 ` Junio C Hamano
2022-06-17 20:23 ` [PATCH v6] " Carlo Marcelo Arenas Belón
2022-06-17 21:02 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAPUEsphoG75eY-SmRfFvv-sfo7pwxtaWoeWN0QbsYK7M01XyVA@mail.gmail.com \
--to=carenas@gmail.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=bagasdotme@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=guy.j@maurel.de \
--cc=phillip.wood@dunelm.org.uk \
--cc=rsbecker@nexbridge.com \
--cc=szeder.dev@gmail.com \
--subject='Re: [PATCH v3 2/3] git-compat-util: avoid failing dir ownership checks if running privileged' \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Code repositories for project(s) associated with this inbox:
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).