On Tue, Feb 17, 2015 at 09:51:38AM +0100, Matthieu Moy wrote:
> This should be fixable from Git itself, by replacing the calls to
> "unlink" with something like
>
> int unlink_or_chmod(...) {
> if (unlink(...)) {
> chmod(...); // give user write permission
> return unlink(...);
> }
> }
>
> This does not add extra cost in the normal case, and would fix this
> particular issue for afp shares. So, I think that would fix the biggest
> problem for afp-share users without disturbing others. It seems
> reasonable to me to do that unconditionnally.
This can have security issues if you're trying to unlink a symlink, as
chmod will dereference the symlink but unlink will not. Giving the file
owner write permission may not be sufficient, as the user may be a
member of a group with write access to the repo. A malicious user who
also has access to the repo could force the current user to chmod an
arbitrary file such that it had looser permissions.
I've seen a case where Perl's ExtUtils::MakeMaker chmoded
/etc/mime.types 0666 as a result of this.
I don't think there's a secure way to implement this unless you're on an
OS with lchmod or fchmodat that supports AT_SYMLINK_NOFOLLOW. Linux is
not one of those systems.
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Attachment:
signature.asc
Description: Digital signature