From: Junio C Hamano <gitster@pobox.com>
To: Michael Haggerty <mhagger@alum.mit.edu>
Cc: Joe Rayhawk <jrayhawk@freedesktop.org>, git@vger.kernel.org
Subject: Re: Shared repositories no longer securable against privilege escalation
Date: Fri, 17 Mar 2017 08:26:39 -0700
Message-ID: <xmqqo9wz9b68.fsf@gitster.mtv.corp.google.com>
In-Reply-To: <195b30d7-9ea2-7a9b-79ca-41b7bb890a30@alum.mit.edu> (Michael Haggerty's message of "Fri, 17 Mar 2017 13:07:36 +0100")

Michael Haggerty <mhagger@alum.mit.edu> writes:

> (I can't resist pointing out that the *real* bug is storing special
> references like `HEAD` in the top level of $GIT_DIR, but that can't be
> changed now.)

If you call that "pointing out", I can't resist pointing out that
you are utterly *wrong* ;-)

For one thing, HEAD.lock being the only reported case does not mean
"special refs" is the only thing, and more importantly, it will stay
to be the only thing, that would want to write directly underneath
$GIT_DIR directory.  We may want to add a feature to store push
certificates whenever a signed push is made, and we are free to
decide that directly underneath $GIT_DIR is the place to do so.

Also, with your same logic, you could also say that the real bug is
not in the refs subsystem but is in the lockfile subsystem.  If it
did not use $GIT_DIR/$thing.lock when locking $GIT_DIR/$thing, and
instead it used $GIT_DIR/lock/$thing to do so, you wouldn't have
needed to be able to create $GIT_DIR/HEAD.lock.

I _think_ the real bug is that somehow a user got a wrong impression
that directly underneath $GIT_DIR/ is somehow different from its
subdirectory and it is OK to make the directory unwritable.  I do
not think we ever intended to give such a promise, but there may be
a documentation bug that gives the wrong impression, which we may
have to fix.

We do try to make sure that in a read-only repository $GIT_DIR/ and
everything underneath can be read-only (and if that is not the case,
you found a bug), but even in that case, we do not special case
$GIT_DIR/ itself and its subdirectories.
