From: Junio C Hamano
To: "Glen Choo via GitGitGadget"
Cc: git@vger.kernel.org, Taylor Blau, "brian m. carlson", Derrick Stolee, Emily Shaffer, Jonathan Tan, Ævar Arnfjörð Bjarmason, Glen Choo
Subject: Re: [PATCH v7 2/5] Documentation: define protected configuration
Date: Thu, 07 Jul 2022 17:39:28 -0700
In-Reply-To: <58f25612aa385c3ac9f48f908ccc4d0d02d58b8c.1657234914.git.gitgitgadget@gmail.com> (Glen Choo via GitGitGadget's message of "Thu, 07 Jul 2022 23:01:51 +0000")
X-Mailing-List: git@vger.kernel.org

"Glen Choo via GitGitGadget" writes:

> From: Glen Choo
>
> For security reasons, there are config variables that are only trusted
> when they are specified in certain configuration scopes, which are
> sometimes referred to on-list as 'protected configuration' [1]. A future
> commit will introduce another such variable, so let's define our terms
> so that we can have consistent documentation and implementation.
>
> In our documentation, define 'protected configuration' as the system,
> global and command config scopes. As a shorthand, I will refer to
> variables that are only respected in protected configuration as
> 'protected configuration only', but this term is not used in the
> documentation.
>
> This definition of protected configuration is based on whether or not
> Git can reasonably protect the user by ignoring the configuration scope:
>
> - System, global and command line config are considered protected
>   because an attacker who has control over any of those can do plenty of
>   harm without Git, so we gain very little by ignoring those scopes.
> - On the other hand, local (and similarly, worktree) config are not
>   considered protected because it is relatively easy for an attacker to
>   control local config, e.g.:
>   - On some shared user environments, a non-admin attacker can create a
>     repository high up the directory hierarchy (e.g. C:\.git on
>     Windows), and a user may accidentally use it when their PS1
>     automatically invokes "git" commands.
>
>     `safe.directory` prevents attacks of this form by making sure that
>     the user intended to use the shared repository. It obviously
>     shouldn't be read from the repository, because that would end up
>     trusting the repository that Git was supposed to reject.
>   - "git upload-pack" is expected to run in repositories that may not be
>     controlled by the user. We cannot ignore all config in that
>     repository (because "git upload-pack" would fail), but we can limit
>     the risks by ignoring `uploadpack.packObjectsHook`.

This is only about the formatting, but have a blank line between
each bullet-point (e.g. before the line that talks about "On some
shared user environments, ..." and "git upload-pack").  A paragraph
break within a single bullet-point (i.e. the paragraph that talks
about `safe.directory` is a second paragraph of the same bullet
point as the paragraph before it) looks like a stronger break than
separation between each bullet-point, which you wrote without any
blank lines in between.

> Only `uploadpack.packObjectsHook` is 'protected configuration only'. The
> following variables are intentionally excluded:
>
> - `safe.directory` should be 'protected configuration only', but it does
>   not technically fit the definition because it is not respected in the
>   "command" scope. A future commit will fix this.
>
> - `trace2.*` happens to read the same scopes as `safe.directory` because
>   they share an implementation. However, this is not for security
>   reasons; it is because we want to start tracing so early that
>   repository-level config and "-c" are not available [2].
>
>   This requirement is unique to `trace2.*`, so it does not make sense
>   for protected configuration to be subject to the same constraints.

Very well reasoned.
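Added demonstration (not part of this thread and not git's own code): the shell script below builds a repository whose *local* config sets `uploadpack.packObjectsHook`, clones it over file:// (which goes through "git upload-pack"), and checks that the hook is not executed; it then puts the same hook into the *global* config and checks that it now runs. That is the 'protected configuration only' behaviour the commit message describes for this variable. The paths, the throwaway hook script and the function name are made up for the demo; it assumes a reasonably recent git on PATH and uses an empty temporary HOME so that no real user or system config interferes.

```sh
#!/bin/sh
# Added example, not from the git project: show that "git upload-pack" ignores
# uploadpack.packObjectsHook when it comes from the repository's own (local)
# config, but honours it from the global config.
# Assumptions: git on PATH, mktemp available, file:// clones allowed.

# Returns 0 when the local hook was ignored and the global hook ran,
# 1 (after printing FAIL: ...) otherwise. Runs in a subshell so the
# HOME/env changes do not leak into the caller.
demo_protected_config() (
    set -e
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT

    # Isolate from the real user and system configuration.
    HOME="$tmp/home"; export HOME; mkdir -p "$HOME"
    GIT_CONFIG_NOSYSTEM=1; export GIT_CONFIG_NOSYSTEM
    unset XDG_CONFIG_HOME

    # Hypothetical hook: record that it ran, then behave as the command it
    # replaces (git appends "git pack-objects ..." to the hook command line,
    # so "$@" is exactly that command).
    cat > "$tmp/hook.sh" <<EOF
#!/bin/sh
echo ran >> "$tmp/hook-ran"
exec "\$@"
EOF
    chmod +x "$tmp/hook.sh"

    # A repository an attacker could have prepared: the hook sits in the
    # repository's local config (.git/config), which is not protected.
    git init -q "$tmp/server"
    git -C "$tmp/server" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m init
    git -C "$tmp/server" config uploadpack.packObjectsHook "$tmp/hook.sh"

    # 1. Local config only: upload-pack must not run the hook.
    git clone -q "file://$tmp/server" "$tmp/client-local"
    if [ -e "$tmp/hook-ran" ]; then
        echo "FAIL: hook from local config was executed"
        exit 1
    fi
    echo "ok: uploadpack.packObjectsHook in local config was ignored"

    # 2. Global config (a protected scope): the very same hook is honoured.
    git config --global uploadpack.packObjectsHook "$tmp/hook.sh"
    git clone -q "file://$tmp/server" "$tmp/client-global"
    if [ ! -e "$tmp/hook-ran" ]; then
        echo "FAIL: hook from global config did not run"
        exit 1
    fi
    echo "ok: uploadpack.packObjectsHook in global config ran"

    # Show where git sees the two settings (local vs global scope).
    git -C "$tmp/server" config --show-scope --get-all \
        uploadpack.packObjectsHook 2>/dev/null || true
)

if command -v git >/dev/null 2>&1; then
    demo_protected_config
else
    echo "git not found; skipping demo"
fi
```

Note that the demo needs a real clone through the transport (file://), not a plain-path clone, because the latter copies objects directly and never invokes upload-pack. The local/global contrast is the whole point: the same value, once in an unprotected scope and once in a protected one.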