bdc77d1d685 (Add a function to determine whether a path is owned by the current user, 2022-03-02) checks for the effective uid of the running process using geteuid() but didn't account for cases where that uid was root (because git was invoked through sudo or a compatible tool) and the original user that repository trusted for its config was different, therefore failing the following common use case: guy@renard ~/Software/uncrustify $ sudo git describe --always --dirty [sudo] password for guy: fatal: unsafe repository ('/home/guy/Software/uncrustify' is owned by someone else) Attempt to detect those cases by using the environment variables that sudo or compatible tools create to keep track of the original user id, and do the ownership check using that instead. This assumes the environment the user is running with after going privileged can't be tampered with, and also does the check only for root to keep the most common case less complicated, but as a side effect will miss cases where sudo (or an equivalent) was used to change to another unprivileged user or where the equivalent tool used to raise privileges didn't track the original id in a sudo compatible way. Reported-by: Guy Maurel <guy.j@xxxxxxxxx> Helped-by: SZEDER Gábor <szeder.dev@xxxxxxxxx> Helped-by: Randall Becker <rsbecker@xxxxxxxxxxxxx> Suggested-by: Johannes Schindelin <Johannes.Schindelin@xxxxxx> Signed-off-by: Carlo Marcelo Arenas Belón <carenas@xxxxxxxxx> --- Changes since RFC * Addresses all spelling errors, even the ones not reported and even if I am sure "priviledged" is a nicer sounding word even if obsoleted. * Uses strtol instead of atoi as suggested by Randall and Junio, the extra error checking was too much to handle inline so a new helper function was added. * Removes checks for DOAS_UID, in an attempt to make the change smaller and because that is part of an extention that might not be that common. This means `doas` is still broken, but that was punted for now. * Has been tested a little more, but is still missing a test case, but as Derrick pointed out doing so is not trivial, so punted for now. git-compat-util.h | 38 +++++++++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/git-compat-util.h b/git-compat-util.h index 58fd813bd01..9bb0eb5087a 100644 --- a/git-compat-util.h +++ b/git-compat-util.h @@ -437,12 +437,48 @@ static inline int git_offset_1st_component(const char *path) #endif #ifndef is_path_owned_by_current_user + +#ifdef __TANDEM +#define ROOT_UID 65535 +#else +#define ROOT_UID 0 +#endif + +/* + * this helper function overrides a ROOT_UID with the one provided by + * an environment variable, do not use unless the original uid is + * root + */ +static inline int extract_id_from_env(const char *env, uid_t *id) +{ + const char *real_uid = getenv(env); + + if (real_uid && *real_uid) { + char *error; + long extracted_id = strtol(real_uid, &error, 10); + if (!*error && LONG_MIN < extracted_id && + extracted_id < LONG_MAX) { + *id = (uid_t)extracted_id; + return 1; + } + } + return 0; +} + static inline int is_path_owned_by_current_uid(const char *path) { struct stat st; + uid_t euid; + if (lstat(path, &st)) return 0; - return st.st_uid == geteuid(); + + euid = geteuid(); + if (euid == ROOT_UID) { + /* we might have raised our privileges with sudo */ + extract_id_from_env("SUDO_UID", &euid); + } + return st.st_uid == euid; } #define is_path_owned_by_current_user is_path_owned_by_current_uid -- 2.36.0.266.g59f845bde02