Hi Carlo
On 27/04/2022 01:05, Carlo Marcelo Arenas Belón wrote:
bdc77d1d685 (Add a function to determine whether a path is owned by the
current user, 2022-03-02) checks for the effective uid of the running
process using geteuid() but didn't account for cases where that uid was
root (because git was invoked through sudo or a compatible tool) and the
original user that repository trusted for its config was different,
therefore failing the following common use case:
guy@renard ~/Software/uncrustify $ sudo git describe --always --dirty
[sudo] password for guy:
fatal: unsafe repository ('/home/guy/Software/uncrustify' is owned by someone else)
Attempt to detect those cases by using the environment variables that
sudo or compatible tools create to keep track of the original user id,
and do the ownership check using that instead.
This assumes the environment the user is running with after going
privileged can't be tampered with, and also does the check only for
root to keep the most common case less complicated, but as a side effect
will miss cases where sudo (or an equivalent) was used to change to
another unprivileged user or where the equivalent tool used to raise
privileges didn't track the original id in a sudo compatible way.
Reported-by: Guy Maurel <guy.j@xxxxxxxxx>
Helped-by: SZEDER Gábor <szeder.dev@xxxxxxxxx>
Helped-by: Randall Becker <rsbecker@xxxxxxxxxxxxx>
Suggested-by: Johannes Schindelin <Johannes.Schindelin@xxxxxx>
Signed-off-by: Carlo Marcelo Arenas Belón <carenas@xxxxxxxxx>
---
Changes since RFC
* Addresses all spelling errors, even the ones not reported and even if I
am sure "priviledged" is a nicer sounding word even if obsoleted.
* Uses strtol instead of atoi as suggested by Randall and Junio, the extra
error checking was too much to handle inline so a new helper function
was added.
* Removes checks for DOAS_UID, in an attempt to make the change smaller
and because that is part of an extention that might not be that common.
This means `doas` is still broken, but that was punted for now.
* Has been tested a little more, but is still missing a test case, but
as Derrick pointed out doing so is not trivial, so punted for now.
git-compat-util.h | 38 +++++++++++++++++++++++++++++++++++++-
1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/git-compat-util.h b/git-compat-util.h
index 58fd813bd01..9bb0eb5087a 100644
--- a/git-compat-util.h
+++ b/git-compat-util.h
@@ -437,12 +437,48 @@ static inline int git_offset_1st_component(const char *path)
#endif
#ifndef is_path_owned_by_current_user
+
+#ifdef __TANDEM
+#define ROOT_UID 65535
+#else
+#define ROOT_UID 0
+#endif
+
+/*
+ * this helper function overrides a ROOT_UID with the one provided by
+ * an environment variable, do not use unless the original uid is
+ * root
+ */
+static inline int extract_id_from_env(const char *env, uid_t *id)
Do we really want this living in git-compat-util.h?
+{
+ const char *real_uid = getenv(env);
+
+ if (real_uid && *real_uid) {
+ char *error;
+ long extracted_id = strtol(real_uid, &error, 10);
+ if (!*error && LONG_MIN < extracted_id &&
+ extracted_id < LONG_MAX) {
strtol() returns a long so the last two checks are redundant. The
standard is silent on what happens to error when the value is out of
range. The way to check that all the string was consumed without
underflow/overflow is
errno = 0;
val = strtol(str, &endp, 10);
if (errno || !*endp)
error(...)
In this case I think negative values make no sense as I believe uids are
always positive integers so we should add a check for "extracted_id < 0"
+ *id = (uid_t)extracted_id;
There is a potential integer truncation here which could lead to false
positives. I'm not sure that there is a way to query the maximum valid
uid but we could do
#if sizeof(uid_t) == sizeof(int)
if (extracted_id > INT_MAX)
error(...)
#endif
Unfortunately I think we need to use #if rather than if to prevent
compilers complaining that the condition is always true or always false.
Checking the real user id from an environment variable makes me feel a
bit queasy but as others have pointed out if an attacker can mess with
the users environment then they can already override $PATH.
Best Wishes
Phillip
+ return 1;
+ }
+ }
+ return 0;
+}
+
static inline int is_path_owned_by_current_uid(const char *path)
{
struct stat st;
+ uid_t euid;
+
if (lstat(path, &st))
return 0;
- return st.st_uid == geteuid();
+
+ euid = geteuid();
+ if (euid == ROOT_UID) {
+ /* we might have raised our privileges with sudo */
+ extract_id_from_env("SUDO_UID", &euid);
+ }
+ return st.st_uid == euid;
}
#define is_path_owned_by_current_user is_path_owned_by_current_uid