Hello, On Tue, Jun 25, 2024 at 09:12:38AM -0700, Junio C Hamano wrote: > Dscho, the f4aa8c8b (fetch/clone: detect dubious ownership of local > repositories, 2024-04-10) is your brainchild and people seem to be > unhappy about having to adjust their settings. Are there any advice > you can offer them? while I am somewhat unhappy about the need to adjust settings this is not really about that. It is undesirable to implement breaking changes, especially in point release. At the same time it's sometimes necessary, and if the change is announced, documented, and actually works it can be acceptable. Here git-daemon requests that repository be added to list of safe repositories to be able to serve it. Clearly this is a security requirement. A user that has write access to a repository can touch the export-ok file, and then the daemon would potentially serve the repository under some circumstances, potentially exposing the system administrator to some other things that the user did to the repository. Adding the repository to the list of safe repositories is a known concept that was already required for gitweb and for working with the repository locally, and applying it to git-daemon as well is consistent although it does require configuration changes for some users. The real problem here is that adding the repository to the list of safe repositories does not make it possible to serve it by git-daemon. Thanks Michal > > Michal Suchánek <msuchanek@xxxxxxx> writes: > > > On Mon, Jun 17, 2024 at 11:15:13PM +0200, Michal Suchánek wrote: > >> Hello, > >> > >> On Mon, Jun 17, 2024 at 11:47:20AM -0700, Junio C Hamano wrote: > >> > "David C. Rankin" <drankinatty@xxxxxxxxx> writes: > >> > > >> > > Security enhancement in 2.45.1 have broken ability to serve git over > >> > > https and ssh from local git server running Apache. (web server runs > >> > > as http:http on Archlinux) > >> > > > >> > > The fix of adding the following to gitconfig (system-wide and > >> > > per-user in ~/.gitconfig) does not solve the problem: > >> > > > >> > > [safe] > >> > > directory = * > >> > > >> > It is not clear what you exactly meant "per-user" above, so just to > >> > make sure. Is this set in the global configuration file for the > >> > httpd (or whoever Apache runs as) user? > >> > > >> > The purpose of "dubious ownershop" thing is to protect the user who > >> > runs Git from random repositories' with potentially malicious hooks > >> > and configuration files, so the user being protected (in this case, > >> > whoever Apache runs as) needs to declare "I trust these > >> > repositories" in its ~/.gitconfig file. What individual owners of > >> > /srv/my-repo.git/ project has in their ~/.gitconfig file does not > >> > matter when deciding if Apache trusts these repositories. > >> > >> > >> looks like the semantic of 'dubious ownershop' changed recently. > >> > >> Disro backport of fixes for CVE-2024-32002 CVE-2024-32004 CVE-2024-32020 > >> CVE-2024-32021 CVE-2024-32465 to 2.35.3 broke git-daemon. No amount of > >> whitelisting makes the 'fixed' git serve the repository. > > > > Same regression between 2.45.0 and 2.45.2 which allegedly fixes the > > same CVEs. > > > > Looks like downgrading to gaping hole version is needed to serve repositories > > in general. > > > > Please consider adjusting the fix so that repositories can still be served. > > > > Thanks > > > > Michal > > > > To reproduce: > > > > cat /usr/local/bin/git-ping > > #!/bin/sh -e > > > > # Try connecting to one or more remote repository URLs > > > > while true ; do > > git ls-remote -h "$1" >/dev/null > > shift > > [ -n "$1" ] || break > > done > > > > mkdir -p /srv/git/some > > chown hramrach /srv/git/some > > su hramrach -c "git init --bare /srv/git/some/repo.git" > > su hramrach -c "touch /srv/git/some/repo.git/git-daemon-export-ok" > > version=2.35.3-150300.10.36.1 ; zypper in --oldpackage git-core-$version git-daemon-$version > > systemctl start git-daemon.service > > git ping git://localhost/some/repo.git > > <nothing> > > > > version=2.35.3-150300.10.39.1 ; zypper in --oldpackage git-core-$version git-daemon-$version > > systemctl restart git-daemon.service > > git ping git://localhost/some/repo.git > > fatal: Could not read from remote repository. > > > > Please make sure you have the correct access rights > > and the repository exists. > > > > > > systemctl status git-daemon.service > > ● git-daemon.service - Git Daemon > > Loaded: loaded (/usr/lib/systemd/system/git-daemon.service; disabled; vendor preset: disabled) > > Active: active (running) since Thu 2024-06-06 08:29:28 CEST; 6min ago > > Main PID: 31742 (git) > > Tasks: 2 (limit: 4915) > > CGroup: /system.slice/git-daemon.service > > ├─ 31742 git daemon --reuseaddr --base-path=/srv/git/ --user=git-daemon --group=nogroup > > └─ 31749 /usr/lib/git/git-daemon --reuseaddr --base-path=/srv/git/ --user=git-daemon --group=nogroup > > > > Jun 06 08:29:28 localhost.localdomain systemd[1]: Started Git Daemon. > > Jun 06 08:29:39 localhost.localdomain git-daemon[31756]: fatal: detected dubious ownership in repository at '/srv/git//some/repo.git' > > Jun 06 08:29:39 localhost.localdomain git-daemon[31756]: To add an exception for this directory, call: > > Jun 06 08:29:39 localhost.localdomain git-daemon[31756]: git config --global --add safe.directory /srv/git//some/repo.git > > > > git config --global --add safe.directory /srv/git//some/repo.git > > mv ~/.gitconfig /etc/gitconfig > > git ping git://localhost/some/repo.git > > fatal: Could not read from remote repository. > > > > Please make sure you have the correct access rights > > and the repository exists. > > > > git config --global --add safe.directory /srv/git/some/repo.git > > mv ~/.gitconfig /etc/gitconfig > > git ping git://localhost/some/repo.git > > fatal: Could not read from remote repository. > > > > Please make sure you have the correct access rights > > and the repository exists.
