A more involved refactoring, but mainly for the benefit of long term maintainability, by making the code and documentation changes together and splitting the tests into pre/post sections, which should hopefully also make all deficiencies of the approach taken clear but still be useful enough to support the current use cases and allow for future extensions.

Carlo Marcelo Arenas Belón (3):
  t: document regression git safe.directory when using sudo
  git-compat-util: avoid failing dir ownership checks if running privileged
  t0034: enhance framework to allow testing more commands under sudo

 Documentation/config/safe.txt  |   9 +++
 git-compat-util.h              |  40 ++++++++++++-
 t/lib-sudo.sh                  |  31 ++++++++++
 t/t0034-root-safe-directory.sh | 100 +++++++++++++++++++++++++++++++++
 4 files changed, 179 insertions(+), 1 deletion(-)
 create mode 100644 t/lib-sudo.sh
 create mode 100755 t/t0034-root-safe-directory.sh

A range-diff from the previous version (in case someone finds it useful) shown below:

-: ----------- > 1: 51d0d485b5f t: document regression git safe.directory when using sudo 1: b0436d4a50a ! 2: 4928ad698e2 git-compat-util: avoid failing dir ownership checks if running privileged @@ Commit message those tools create to keep track of the original user id, and do the ownership check using that instead. 
- This assumes the environment the user is running with after going - privileged can't be tampered with, and also does the check only for - root to keep the most common case less complicated, but as a side effect - will miss cases where sudo (or an equivalent) was used to change to - another unprivileged user or where the equivalent tool used to raise + This assumes the environment the user is running on after going + privileged can't be tampered with, and also adds code to restrict that + the new behavior only applies if running as root, therefore keeping the + most common case, which runs unprivileged, from changing, but because of + that, it will miss cases where sudo (or an equivalent) was used to change + to another unprivileged user or where the equivalent tool used to raise privileges didn't track the original id in a sudo compatible way. Reported-by: Guy Maurel <guy.j@xxxxxxxxx> @@ Commit message Helped-by: Phillip Wood <phillip.wood123@xxxxxxxxx> Suggested-by: Johannes Schindelin <Johannes.Schindelin@xxxxxx> Signed-off-by: Carlo Marcelo Arenas Belón <carenas@xxxxxxxxx> - Signed-off-by: Junio C Hamano <gitster@xxxxxxxxx> + + ## Documentation/config/safe.txt ## +@@ Documentation/config/safe.txt: directory was listed in the `safe.directory` list. If `safe.directory=*` + is set in system config and you want to re-enable this protection, then + initialize your list with an empty value before listing the repositories + that you deem safe. +++ ++When git tries to check for ownership of git repositories, it will ++obviously do so with the uid of the user that is running git itself, ++but if git is running as root, it will check first if it might have ++been started through `sudo`, and if that is the case, will instead ++use the uid of the user that did so. ++If that is not what you would prefer and want git to only trust ++repositories that are owned by root instead, then you should remove ++the `SUDO_UID` variable from root's environment. 
## git-compat-util.h ## @@ git-compat-util.h: static inline int git_offset_1st_component(const char *path) @@ git-compat-util.h: static inline int git_offset_1st_component(const char *path) } #define is_path_owned_by_current_user is_path_owned_by_current_uid + + ## t/t0034-root-safe-directory.sh ## +@@ t/t0034-root-safe-directory.sh: test_expect_success SUDO 'setup' ' + ) + ' + +-test_expect_failure SUDO 'sudo git status as original owner' ' ++test_expect_success SUDO 'sudo git status as original owner' ' + ( + cd root/r && + git status && 2: d05e886d394 < -: ----------- Documentation: explain how safe.directory works when running under sudo 3: 10ec03d71e4 < -: ----------- t: add tests for safe.directory when running with sudo -: ----------- > 3: 98aae872efd t0034: enhance framework to allow testing more commands under sudo -- 2.36.0.352.g0cd7feaf86f
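Review bot: in the Documentation/config/safe.txt hunk, `SUDO_UID` is named only in the last sentence, so the reader is told to remove a variable the paragraph never said was being consulted; state up front that the "started through `sudo`" detection reads `SUDO_UID` from root's environment, and carry over the commit message's own caveat that this assumes the environment after going privileged can't be tampered with, since that is exactly what a user deciding whether to keep `SUDO_UID` set needs to weigh. The phrase "it will obviously do so with the uid of the user that is running git itself" also reads better without "obviously".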
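Review bot: the git-compat-util.h part of the range-diff shows only the unchanged trailing context (`#define is_path_owned_by_current_user is_path_owned_by_current_uid`), so the reworked gating that the new commit message describes ("the new behavior only applies if running as root") cannot be checked from this excerpt; when reviewing the full patch, confirm that the running-as-root test is evaluated before `SUDO_UID` is read, as that ordering is what keeps the common unprivileged case from changing, which is the guarantee the message now makes.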
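Review bot: flipping 'sudo git status as original owner' from test_expect_failure to test_expect_success in the same patch that changes the ownership check is the right split, since the test now records the fix rather than the regression; however the documentation added in this same patch tells users to remove `SUDO_UID` from root's environment to opt out, and nothing in the visible t0034 hunk exercises that path, so add a SUDO-prerequisite test that runs with `SUDO_UID` unset and expects the repository to still be rejected, otherwise the documented opt-out has no regression coverage.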