git-compat-util: avoid failing dir ownership checks if running privileged

Git fork

bdc77d1d685 (Add a function to determine whether a path is owned by the
current user, 2022-03-02) checks for the effective uid of the running
process using geteuid() but didn't account for cases where that user was
root (because git was invoked through sudo or a compatible tool) and the
original uid that repository trusted for its config was no longer known,
therefore failing the following otherwise safe call:

guy@renard ~/Software/uncrustify $ sudo git describe --always --dirty
[sudo] password for guy:
fatal: unsafe repository ('/home/guy/Software/uncrustify' is owned by someone else)

Attempt to detect those cases by using the environment variables that
those tools create to keep track of the original user id, and do the
ownership check using that instead.

This assumes the environment the user is running on after going
privileged can't be tampered with, and also adds code to restrict that
the new behavior only applies if running as root, therefore keeping the
most common case, which runs unprivileged, from changing, but because of
that, it will miss cases where sudo (or an equivalent) was used to change
to another unprivileged user or where the equivalent tool used to raise
privileges didn't track the original id in a sudo compatible way.

Because of compatibility with sudo, the code assumes that uid_t is an
unsigned integer type (which is not required by the standard) but is used
that way in their codebase to generate SUDO_UID. In systems where uid_t
is signed, sudo might be also patched to NOT be unsigned and that might
be able to trigger an edge case and a bug (as described in the code), but
it is considered unlikely to happen and even if it does, the code would
just mostly fail safely, so there was no attempt either to detect it or
prevent it by the code, which is something that might change in the future,
based on expected user feedback.

Reported-by: Guy Maurel <guy.j@maurel.de>
Helped-by: SZEDER Gábor <szeder.dev@gmail.com>
Helped-by: Randall Becker <rsbecker@nexbridge.com>
Helped-by: Phillip Wood <phillip.wood123@gmail.com>
Suggested-by: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

authored by

Carlo Marcelo Arenas Belón and committed by

Junio C Hamano 3 years ago ae9abbb6 5f1a3fec

+66 -2

3 changed files

expand all

Documentation

config

safe.txt

git-compat-util.h

t0034-root-safe-directory.sh

+13

Documentation/config/safe.txt

··· 26 26 is set in system config and you want to re-enable this protection, then 27 27 initialize your list with an empty value before listing the repositories 28 28 that you deem safe. 29 + + 30 + As explained, Git only allows you to access repositories owned by 31 + yourself, i.e. the user who is running Git, by default. When Git 32 + is running as 'root' in a non Windows platform that provides sudo, 33 + however, git checks the SUDO_UID environment variable that sudo creates 34 + and will allow access to the uid recorded as its value instead. 35 + This is to make it easy to perform a common sequence during installation 36 + "make && sudo make install". A git process running under 'sudo' runs as 37 + 'root' but the 'sudo' command exports the environment variable to record 38 + which id the original user has. 39 + If that is not what you would prefer and want git to only trust 40 + repositories that are owned by root instead, then you must remove 41 + the `SUDO_UID` variable from root's environment before invoking git.

+52 -1

git-compat-util.h

··· 393 393 #endif 394 394 395 395 #ifndef is_path_owned_by_current_user 396 + 397 + #ifdef __TANDEM 398 + #define ROOT_UID 65535 399 + #else 400 + #define ROOT_UID 0 401 + #endif 402 + 403 + /* 404 + * Do not use this function when 405 + * (1) geteuid() did not say we are running as 'root', or 406 + * (2) using this function will compromise the system. 407 + * 408 + * PORTABILITY WARNING: 409 + * This code assumes uid_t is unsigned because that is what sudo does. 410 + * If your uid_t type is signed and all your ids are positive then it 411 + * should all work fine. 412 + * If your version of sudo uses negative values for uid_t or it is 413 + * buggy and return an overflowed value in SUDO_UID, then git might 414 + * fail to grant access to your repository properly or even mistakenly 415 + * grant access to someone else. 416 + * In the unlikely scenario this happened to you, and that is how you 417 + * got to this message, we would like to know about it; so sent us an 418 + * email to git@vger.kernel.org indicating which platform you are 419 + * using and which version of sudo, so we can improve this logic and 420 + * maybe provide you with a patch that would prevent this issue again 421 + * in the future. 422 + */ 423 + static inline void extract_id_from_env(const char *env, uid_t *id) 424 + { 425 + const char *real_uid = getenv(env); 426 + 427 + /* discard anything empty to avoid a more complex check below */ 428 + if (real_uid && *real_uid) { 429 + char *endptr = NULL; 430 + unsigned long env_id; 431 + 432 + errno = 0; 433 + /* silent overflow errors could trigger a bug here */ 434 + env_id = strtoul(real_uid, &endptr, 10); 435 + if (!*endptr && !errno) 436 + *id = env_id; 437 + } 438 + } 439 + 396 440 static inline int is_path_owned_by_current_uid(const char *path) 397 441 { 398 442 struct stat st; 443 + uid_t euid; 444 + 399 445 if (lstat(path, &st)) 400 446 return 0; 401 - return st.st_uid == geteuid(); 447 + 448 + euid = geteuid(); 449 + if (euid == ROOT_UID) 450 + extract_id_from_env("SUDO_UID", &euid); 451 + 452 + return st.st_uid == euid; 402 453 } 403 454 404 455 #define is_path_owned_by_current_user is_path_owned_by_current_uid

+1 -1

t/t0034-root-safe-directory.sh

··· 28 28 ) 29 29 ' 30 30 31 - test_expect_failure SUDO 'sudo git status as original owner' ' 31 + test_expect_success SUDO 'sudo git status as original owner' ' 32 32 ( 33 33 cd root/r && 34 34 git status &&