On April 26, 2022 3:56 PM, Junio C Hamano wrote:
>Subject: Re: [RFC PATCH] git-compat-util: avoid failing dir ownership checks if
>running priviledged
>
>Derrick Stolee <derrickstolee@xxxxxxxxxx> writes:
>
>>> Original discussion in:
>>>
>>> https://lore.kernel.org/git/4ef9287b-6260-9538-7c89-cffb611520ee@maurel.de/
>>
>> I agree that the idea behind this change is a good one. The escalation
>> of privilege isn't a huge concern when the "real" user is the same.
>> The only way to trick the root user here is to set an environment
>> variable, in which case they might as well modify PATH and be done
>> with it.
>
>How much do we really want to trust SUDO_UID or DOAS_UID are telling the
>truth, though?
>
>>> + euid = geteuid();
>>> + if (euid == ROOT_UID) {
>>> + /* we might have raised our priviledges with sudo or doas */
>>
>> Similar spelling error here.
>>
>>> + const char *real_uid = getenv("SUDO_UID");
>>> + if (real_uid && *real_uid)
>>> + euid = atoi(real_uid);
>>> + else {
>>> + real_uid = getenv("DOAS_UID");
>>> + if (real_uid && *real_uid)
>>> + euid = atoi(real_uid);

This should be strtol() instead of atoi(). Putting garbage into DOAS_UID might
end up causing some unwanted effects since atoi() could then return 0 or some
partial value. The result should also be checked for sanity and the end pointer
should point to a '\0'. My team has effectively banned the use of atoi() in new
code and is migrating to strtol() or strtoll() as code is touched.

>>> + }
>>
>> I imagine that something else could be added here to help Windows
>> users who have elevated to administrator privileges. It will use a
>> completely different mechanism, though, if needed at all. We can delay
>> that for now.
>>
>> Thanks,
>> -Stolee
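Review bot: in the second quoted hunk, `euid = atoi(real_uid);` overwrites the value obtained from geteuid() with whatever the environment supplies, and nothing checks that the parsed number is non-negative or fits a `uid_t` before the assignment; since the DOAS_UID branch repeats the SUDO_UID branch line for line, a small helper that parses one variable and reports whether it yielded a valid uid would remove the duplication and give the end-pointer and range checks a single home.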
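Taking the strtol() advice above one step further, here is an added example (not code from git or from the patch under review) of parsing a SUDO_UID/DOAS_UID value with the end-pointer, sign and range checks, and of falling back to the real euid instead of the 0 that atoi() yields for garbage; `parse_uid_string`, `real_uid_or` and `parsed_uid_or_neg` are hypothetical helper names.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>

/* Parse a decimal uid from s into *out. Returns 1 on success, 0 when s is
 * NULL or empty, starts with whitespace or a sign, has trailing characters,
 * overflows long, or does not fit in uid_t (the (uid_t)-1 sentinel included). */
static int parse_uid_string(const char *s, uid_t *out)
{
    char *end;
    long val;

    if (!s || !*s)
        return 0;
    if (*s < '0' || *s > '9') /* strtol() would skip spaces and accept '-' */
        return 0;
    errno = 0;
    val = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return 0;
    if (val < 0 || (unsigned long)val >= (unsigned long)(uid_t)-1)
        return 0;
    *out = (uid_t)val;
    return 1;
}

/* Hypothetical helper: when running as root, prefer the invoking user's uid
 * from SUDO_UID, then DOAS_UID. A value that fails the checks is ignored
 * rather than silently becoming 0 as atoi() would make it. */
static uid_t real_uid_or(uid_t euid)
{
    static const char *const vars[] = { "SUDO_UID", "DOAS_UID" };
    size_t i;
    uid_t real;

    if (euid != 0)
        return euid;
    for (i = 0; i < sizeof(vars) / sizeof(vars[0]); i++)
        if (parse_uid_string(getenv(vars[i]), &real))
            return real;
    return euid;
}

/* Convenience wrapper for checking: the parsed uid, or -1 when rejected. */
static long parsed_uid_or_neg(const char *s)
{
    uid_t u;
    return parse_uid_string(s, &u) ? (long)u : -1;
}
```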