Re: [PATCH/RFC/GSoC 3/3] t0301: test credential-cache support of XDG_RUNTIME_DIR

On Thu, Mar 17, 2016 at 12:40:59AM +0800, 惠轶群 wrote:

> > Is it better to have the fallback in /tmp, and not in
> > ~/.git-credential-cache/, and why?
> >
> > Is it because the wish is to always use /tmp/git-$uid/ as a fallback
> > for $XDG_RUNTIME_DIR (as opposed to ~/.git-credential-cache/, which
> > is specific to the credential-cache and would look strange if we
> > used it for other "runtime" things)?
> 
> Yes, I mean to use it as a general fallback for git.
> 
> The XDG base dir spec does not specify where to fall back when
> $XDG_RUNTIME_DIR is not defined. It just says:
> 
> If $XDG_RUNTIME_DIR is not set applications should fall back to
> a replacement directory with similar capabilities and print a warning
> message. Applications should use this directory for communication
> and synchronization purposes and should not place larger files in it,
> since it might reside in runtime memory and cannot necessarily be
> swapped out to disk.
> 
> tmpfs is just like what it describes, and many other applications,
> such as tmux, put sockets under it.
> 
> On the other hand, I think, falling back to $HOME/.git-credential-cache/socket
> doesn't make any sense, since backward compatibility cannot be ensured.

If we are going to use a publicly accessible directory like /tmp, I
think we need to start worrying about tmp-races with malicious users.

Right now we make sure that an existing socket directory is mode 0700.
That's just a courtesy check that the user didn't create it themselves
with a permissive mode. But we don't check the owner of the directory,
and our check is racy with accessing the directory.

So if we blindly use an existing /tmp/git-$uid, I think an attacker can
race with:

    dir=/tmp/git-$victimuid
    mkdir $dir
    while true; do
        chmod 0700 $dir
        chmod 0777 $dir
    done

If the victim does their mode check while the 0700 is in effect, but
then creates the socket during the 0777 moment, they won't notice
anything amiss. And the attacker will have access to their credential
socket.

This is a classic /tmp race.  I imagine it's less of an issue in this
day and age when people mostly have their own machines and their own
/tmp, but we still should not recreate the mistakes of the past.

-Peff