Hi,

I've noticed some behavior of git that might lead to some security issues if the user is not aware of this.

Assume we have an evil user on a system, let's call him eve. He prepares a repository where he allows other users to push changes to. If he now adds a post-receive hook, git will happily execute it as whatever user pushes to this repository:

    root@argon /tmp/git-eve # ls -l /tmp/git-eve/hooks/post-receive
    -rwxr-xr-x 1 eve users [...] /tmp/git-eve/hooks/post-receive
    root@argon /tmp/git-root # cat /tmp/git-eve/hooks/post-receive
    #!/bin/sh
    id
    root@argon /tmp/git-root # git push /tmp/git-eve master
    Counting objects: 3, done.
    Writing objects: 100% (3/3), 185 bytes | 0 bytes/s, done.
    Total 3 (delta 0), reused 0 (delta 0)
    remote: uid=0(root) gid=0(root) groups=0(root),[...]
    To /tmp/git-eve
     * [new branch]      master -> master

Something similar might happen if eve adds some alias to the config file in the repository and grants any other user read access to the repository. These aliases will be executed when some other user is running any git command in this repository. Even though git does not allow defining aliases for existing commands, you might mistype something, so adding an alias for "lg" instead of "log" might succeed:

    root@argon /tmp/git-eve # ls -l /tmp/git-eve/config
    -rw-r--r-- 1 eve users [...] /tmp/git-eve/config
    root@argon /tmp/git-eve # cat config
    [core]
            repositoryformatversion = 0
            filemode = true
            bare = true
    [alias]
            lg = !id
    root@argon /tmp/git-eve # git lg
    uid=0(root) gid=0(root) groups=0(root),[...]

This gets even worse if you know something about the aliases your victim uses, so for example you can override an alias 'l = log' defined in the user's config with something malicious in the repository config file.

I'd suggest taking a similar approach as Mercurial [1], i.e. ignoring configuration files and hooks owned by another user unless the owner is explicitly trusted.
Regards,
Julian

[1] http://mercurial.selenic.com/wiki/Trust
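The check the mail asks git to do can be done by hand before running any git command in a repository someone else set up. The script below is an added example written for this page; it is not part of the original mail and not code from the git project. It mirrors the Mercurial trust rule by flagging a repository's config file and executable hooks that are owned by a different user, and additionally lists every [alias] entry whose value begins with "!" (git hands those to the shell) and every active hook, since both run as the invoking user regardless of who wrote them. The config parsing is done with awk rather than "git config" so the check never consults the user's own ~/.gitconfig and needs no git binary; the function names (git_dir, shell_aliases, foreign_files, active_hooks, git_trust_check) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original mail, not part of git): pre-flight
# trust check for a repository you did not create yourself.

# git_dir REPO: print the directory that holds config and hooks/, i.e. the
# repository itself when it is bare, or its .git/ for a working tree.
git_dir() {
    if [ -d "$1/.git" ]; then printf '%s\n' "$1/.git"; else printf '%s\n' "$1"; fi
}

# shell_aliases REPO: print the names of [alias] entries whose value starts
# with '!'. Parsed directly from the repository's config file, so the user's
# global and system config never enter into the result.
shell_aliases() {
    cfg="$(git_dir "$1")/config"
    [ -f "$cfg" ] || return 0
    awk '
        /^[ \t]*\[/ { in_alias = ($0 ~ /^[ \t]*\[alias\]/); next }
        in_alias && /^[ \t]*[A-Za-z0-9-]+[ \t]*=[ \t]*!/ {
            name = $0
            sub(/^[ \t]*/, "", name)
            sub(/[ \t]*=.*$/, "", name)
            print name
        }' "$cfg"
}

# foreign_files REPO: print the config file and every executable hook that is
# owned by someone other than the user running this script (the Mercurial
# "trust" criterion from the mail).
foreign_files() {
    d=$(git_dir "$1")
    me=$(id -un)
    for f in "$d/config" "$d"/hooks/*; do
        [ -f "$f" ] || continue
        case "$f" in */config) ;; *) [ -x "$f" ] || continue ;; esac
        # -prune keeps find from descending; we only want the entry itself
        find "$f" -prune ! -user "$me" -print
    done
}

# active_hooks REPO: print executable hook scripts, ignoring the *.sample
# files git ships, since only executable non-sample hooks are run.
active_hooks() {
    d=$(git_dir "$1")
    for f in "$d"/hooks/*; do
        case "$f" in *.sample) continue ;; esac
        [ -f "$f" ] && [ -x "$f" ] && printf '%s\n' "$f"
    done
}

# git_trust_check REPO: print findings; exit 0 only if nothing was flagged.
git_trust_check() {
    rc=0
    out=$(foreign_files "$1")
    [ -n "$out" ] && { printf 'NOT OWNED BY YOU:\n%s\n' "$out"; rc=1; }
    out=$(shell_aliases "$1")
    [ -n "$out" ] && { printf 'SHELL ALIASES IN REPO CONFIG:\n%s\n' "$out"; rc=1; }
    out=$(active_hooks "$1")
    [ -n "$out" ] && { printf 'ACTIVE HOOKS:\n%s\n' "$out"; rc=1; }
    return $rc
}

# Usage: git_trust_check /tmp/git-eve || echo "do not run git here yet"
```

Run git_trust_check against the repository path before the first git command you issue inside it (or before a push to a local path, which triggers the remote's hooks as you). A non-zero exit means something in that repository will execute code under your account; note that the ownership test cannot catch a file the attacker has already handed to you via a permissive umask or chown, which is why the alias and hook listings are reported regardless of owner.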