Junio C Hamano <gitster@xxxxxxxxx> writes:

> I like the GIT_TEST_ASSUME_DIFFERENT_OWNER because it is fairly
> clear that it cannot be used as a new attack vector, even with
> social engineering.
>
> It would be nice if we can do something similar, but I am coming up
> empty while trying to think of "we are testing; pretend that ..."
> that is good for testing this SUDO_UID special case *and* clearly
> cannot be used as an attack target.
>
> So I very much like the suggestion in principle, but I am not sure
> how useful the suggestion would be to make the resulting code better
> in practice.
> ...

The worst part is that the SUDO_UID stuff is about _loosening_ the
protection the other parts of the mechanism implement. We do not
allow access when euid does not match st_uid, but with SUDO_UID, we
instead use that for checking when euid is root.

So setting for testing such a feature works to loosen the protection,
which would make the attack surface larger. So I am not so optimistic
that we can invent a GIT_TEST_* knob as good as ASSUME_DIFFERENT_OWNER
for that.

Thanks.
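The asymmetry described in the reply, modelled as a small C predicate. This is an added example, not git's own code: the function names, the explicit parameters and the decimal parsing of SUDO_UID are assumptions made so the check can be exercised without a real filesystem. It shows that GIT_TEST_ASSUME_DIFFERENT_OWNER can only turn an acceptance into a rejection, while the SUDO_UID path can only turn a rejection into an acceptance.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <sys/types.h>

/* Parse a decimal uid from an environment-style string; reject empty or
 * malformed input rather than silently treating it as uid 0. */
static bool parse_uid(const char *s, uid_t *out)
{
	char *end;
	unsigned long v;

	if (!s || !*s || *s == '-')
		return false;
	errno = 0;
	v = strtoul(s, &end, 10);
	if (errno || *end || v > (unsigned long)(uid_t)-1)
		return false;
	*out = (uid_t)v;
	return true;
}

/*
 * Hypothetical ownership predicate (assumed name, not git's API). Inputs are
 * passed explicitly instead of being read from geteuid()/stat()/getenv():
 *   euid     - effective uid of the running process
 *   st_uid   - owner of the repository directory
 *   sudo_uid - value of SUDO_UID, or NULL when unset
 *   assume   - value of GIT_TEST_ASSUME_DIFFERENT_OWNER, or NULL when unset
 */
bool path_owned_by_current_uid(uid_t euid, uid_t st_uid,
			       const char *sudo_uid, const char *assume)
{
	/* The test knob only ever tightens: it forces "not owned" and can
	 * never turn a rejection into an acceptance. */
	if (assume && *assume)
		return false;

	/* The SUDO_UID special case loosens: when running as root under
	 * sudo, the invoking user's uid is compared instead of 0. */
	if (euid == 0) {
		uid_t invoker;
		if (parse_uid(sudo_uid, &invoker))
			euid = invoker;
	}

	return euid == st_uid;
}
```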