Merge branch 'cb/path-owner-check-with-sudo-plus'
"sudo git foo" used to consider a repository owned by the original user a safe one to access; it now also considers a repository owned by root a safe one, too (after all, if an attacker can craft a malicious repository owned by root, the box is 0wned already).

* cb/path-owner-check-with-sudo-plus:
  git-compat-util: allow root to access both SUDO_UID and root owned
@ -30,12 +30,13 @@ that you deem safe.
|
|||||||
As explained, Git only allows you to access repositories owned by
|
As explained, Git only allows you to access repositories owned by
|
||||||
yourself, i.e. the user who is running Git, by default. When Git
|
yourself, i.e. the user who is running Git, by default. When Git
|
||||||
is running as 'root' in a non Windows platform that provides sudo,
|
is running as 'root' in a non Windows platform that provides sudo,
|
||||||
however, git checks the SUDO_UID environment variable that sudo creates
|
however, git checks the SUDO_UID environment variable that sudo creates
|
||||||
and will allow access to the uid recorded as its value instead.
|
and will allow access to the uid recorded as its value in addition to
|
||||||
|
the id from 'root'.
|
||||||
This is to make it easy to perform a common sequence during installation
|
This is to make it easy to perform a common sequence during installation
|
||||||
"make && sudo make install". A git process running under 'sudo' runs as
|
"make && sudo make install". A git process running under 'sudo' runs as
|
||||||
'root' but the 'sudo' command exports the environment variable to record
|
'root' but the 'sudo' command exports the environment variable to record
|
||||||
which id the original user has.
|
which id the original user has.
|
||||||
If that is not what you would prefer and want git to only trust
|
If that is not what you would prefer and want git to only trust
|
||||||
repositories that are owned by root instead, then you must remove
|
repositories that are owned by root instead, then you can remove
|
||||||
the `SUDO_UID` variable from root's environment before invoking git.
|
the `SUDO_UID` variable from root's environment before invoking git.
|
||||||
|
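Review bot: the sentence that follows the changed wording is now inconsistent with it: "want git to only trust repositories that are owned by root instead, then you can remove the `SUDO_UID` variable" keeps "instead" from the old text, which no longer contrasts with anything now that root-owned repositories are accepted "in addition to" the SUDO_UID owner, and the change from "must" to "can" understates that clearing `SUDO_UID` is the only way an administrator can stop a sudo-invoked git from also trusting the invoking user's repositories. Suggest "If you want git to trust only repositories owned by root, remove the `SUDO_UID` variable from root's environment before invoking git." It would also help to state explicitly that `SUDO_UID` is consulted only when git is already running with an effective uid of root, since that is what keeps an unprivileged user from setting the variable to claim another owner; the code hunk below enforces this but the documentation only implies it.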
@ -497,7 +497,12 @@ static inline int is_path_owned_by_current_uid(const char *path)
|
|||||||
|
|
||||||
euid = geteuid();
|
euid = geteuid();
|
||||||
if (euid == ROOT_UID)
|
if (euid == ROOT_UID)
|
||||||
extract_id_from_env("SUDO_UID", &euid);
|
{
|
||||||
|
if (st.st_uid == ROOT_UID)
|
||||||
|
return 1;
|
||||||
|
else
|
||||||
|
extract_id_from_env("SUDO_UID", &euid);
|
||||||
|
}
|
||||||
|
|
||||||
return st.st_uid == euid;
|
return st.st_uid == euid;
|
||||||
}
|
}
|
||||||
|
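Review bot: the logic is sound (a root-owned path is accepted before `SUDO_UID` is read, and `SUDO_UID` is read only when `euid` is already `ROOT_UID`, so a non-root caller cannot influence the owner check by exporting the variable), but the formatting does not follow git's CodingGuidelines: the opening brace belongs on the `if (euid == ROOT_UID)` line rather than on its own line, and the `else` after `return 1;` is redundant because the `return` already leaves the function, so `extract_id_from_env("SUDO_UID", &euid);` can simply follow the inner `if`. A one-line comment stating why root ownership is trusted unconditionally (the merge message's reasoning that a root-owned malicious repository implies the host is already compromised) would keep the next reader from mistaking the early `return 1` for a bypass.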
@ -68,7 +68,7 @@ test_expect_success 'can access if addressed explicitly' '
|
|||||||
)
|
)
|
||||||
'
|
'
|
||||||
|
|
||||||
test_expect_failure SUDO 'can access with sudo if root' '
|
test_expect_success SUDO 'can access with sudo if root' '
|
||||||
(
|
(
|
||||||
cd root/p &&
|
cd root/p &&
|
||||||
sudo git status
|
sudo git status
|
||||||
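Review bot: flipping `test_expect_failure` to `test_expect_success` for 'can access with sudo if root' is the expectation change that the header hunk requires, since `root/p` is root-owned and is now accepted unconditionally when the effective uid is root. The test title could say that the repository is root-owned, because that ownership, not merely the use of sudo, is the condition being exercised, and the sibling test 'can access with sudo if root by removing SUDO_UID' already uses the same "if root" wording for a different condition.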
@ -85,19 +85,6 @@ test_expect_success SUDO 'can access with sudo if root by removing SUDO_UID' '
|
|||||||
)
|
)
|
||||||
'
|
'
|
||||||
|
|
||||||
test_lazy_prereq SUDO_SUDO '
|
|
||||||
sudo sudo id -u >u &&
|
|
||||||
id -u root >r &&
|
|
||||||
test_cmp u r
|
|
||||||
'
|
|
||||||
|
|
||||||
test_expect_success SUDO_SUDO 'can access with sudo abusing SUDO_UID' '
|
|
||||||
(
|
|
||||||
cd root/p &&
|
|
||||||
sudo sudo git status
|
|
||||||
)
|
|
||||||
'
|
|
||||||
|
|
||||||
# this MUST be always the last test
|
# this MUST be always the last test
|
||||||
test_expect_success SUDO 'cleanup' '
|
test_expect_success SUDO 'cleanup' '
|
||||||
sudo rm -rf root
|
sudo rm -rf root
|
||||||
|
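Review bot: removing the `SUDO_SUDO` prerequisite and the 'can access with sudo abusing SUDO_UID' test is reasonable, since what it checked (that `sudo sudo git status` in the root-owned `root/p` succeeds) is now implied by the 'can access with sudo if root' test, but it leaves the nested-sudo case with no negative coverage: under `sudo sudo` the inner sudo records root as the invoking user, so a repository owned by the original non-root user should still be rejected by the new code, and nothing in this file asserts that any more. Consider keeping the prerequisite and adding such a test, placed before 'cleanup', which the comment says must remain the last test.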