Re: [PATCH v3 2/3] git-compat-util: avoid failing dir ownership checks if running privileged

Carlo Arenas <carenas@xxxxxxxxx> writes:

> On Fri, May 6, 2022 at 1:00 PM Junio C Hamano <gitster@xxxxxxxxx> wrote:
>>
>> Carlo Arenas <carenas@xxxxxxxxx> writes:
>>
>> > which is also why we can't use it, any possibly bogus or suspicious
>> > value we get from SUDO_UID MUST be ignored.
>>
>> I do not think I agree.  If we have a strange value in SUDO_UID, it
>> would be much better and safer to err on the safe side.
>
> ignoring it is the safe side; for example if we replace the current
> function with the proposed one then some user lucky enough to have
> access to the latest linux supercomputer that has been patched to have
> a 64-bit uid_t (because who makes 32-bit supercomputers nowadays)
> would get root[1] access by simply faking his SUDO_UID to be UINT_MAX
> + 1.

Since we do not pay attention to SUDO_UID unless euid is root,
anybody who can attack by faking SUDO_UID to affect what Git does
can already become root on the box.  So such an attacker would
already have root access without our help, or they would not.

In any case, if we notice that SUDO_UID is not a valid number and
die(), we deny the access anyway, so there is no need to write more
code to ignore.
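
The parsing concern debated in this exchange, as an added example that is not code from the patch or from Git: a decimal id taken from an environment variable such as SUDO_UID, parsed once with a truncating cast and once with strict validation. The 32-bit id type, the function names and the sample strings are assumptions made for illustration; whether the caller treats the strict parser's error as fatal or ignores the value is the choice discussed above.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive (hypothetical): parse and cast. One past the 32-bit maximum wraps to 0. */
static uint32_t parse_id_truncating(const char *s)
{
	return (uint32_t)strtoull(s, NULL, 10);
}

/*
 * Strict (hypothetical): accept only a plain decimal number that fits in
 * 32 bits. Returns 0 and stores the id on success, -1 on malformed input;
 * *out is left untouched on failure.
 */
static int parse_id_strict(const char *s, uint32_t *out)
{
	char *end;
	unsigned long long v;

	if (!s || *s < '0' || *s > '9')	/* NULL, empty, sign, leading space */
		return -1;
	errno = 0;
	v = strtoull(s, &end, 10);
	if (errno || *end != '\0' || v > UINT32_MAX)
		return -1;
	*out = (uint32_t)v;
	return 0;
}

int main(void)
{
	/* Constructed sample values, not taken from the thread. */
	const char *samples[] = { "1000", "4294967296", "-1", "1000abc", "" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint32_t id = 0;
		int rc = parse_id_strict(samples[i], &id);

		printf("\"%s\": truncating=%lu strict=%s\n", samples[i],
		       (unsigned long)parse_id_truncating(samples[i]),
		       rc ? "rejected" : "accepted");
	}
	return 0;
}
```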



