Hi Michal
On 25/06/2024 19:34, Michal Suchánek wrote:
Adding the repository to the list of safe repositories is a known
concept that was already required for gitweb and for working with the
repository locally, and applying it to git-daemon as well is consistent
although it does require configuration changes for some users.
The real problem here is that adding the repository to the list of safe
repositories does not make it possible to serve it by git-daemon.
That is indeed unexpected. I set up git-daemon on my laptop this morning
and in order to get it to work one has to add "." as well as the
repository paths one wants to serve to the list of safe directories.
Clearly that is undesirable and does not really feel any safer than
using "safe.directory=*". What is happening is that git-daemon checks
that the repository path is listed as safe and then changes into that
directory and forks
git upload-pack --strict .
"git upload-pack" then checks "." against the list of safe directories
which fails. It fails because the safe directory check does not do any
normalization such as cleaning up "//" elements (as seen in your
example) or expanding relative paths on $git_dir before checking it
against the list of safe directories.
I think the fix is probably to make the safe directory check use the
absolute path of $git_dir. In the mean time there is a workaround if
you're happy to add "." to the list of safe directories.
Best Wishes
Phillip
Thanks
Michal
Michal Suchánek <msuchanek@xxxxxxx> writes:
On Mon, Jun 17, 2024 at 11:15:13PM +0200, Michal Suchánek wrote:
Hello,
On Mon, Jun 17, 2024 at 11:47:20AM -0700, Junio C Hamano wrote:
"David C. Rankin" <drankinatty@xxxxxxxxx> writes:
Security enhancements in 2.45.1 have broken the ability to serve git over
https and ssh from local git server running Apache. (web server runs
as http:http on Archlinux)
The fix of adding the following to gitconfig (system-wide and
per-user in ~/.gitconfig) does not solve the problem:
[safe]
directory = *
It is not clear what you exactly meant "per-user" above, so just to
make sure. Is this set in the global configuration file for the
httpd (or whoever Apache runs as) user?
The purpose of the "dubious ownership" thing is to protect the user who
runs Git from random repositories with potentially malicious hooks
and configuration files, so the user being protected (in this case,
whoever Apache runs as) needs to declare "I trust these
repositories" in its ~/.gitconfig file. What individual owners of
the /srv/my-repo.git/ project have in their ~/.gitconfig file does not
matter when deciding if Apache trusts these repositories.
Looks like the semantics of 'dubious ownership' changed recently.
Distro backport of fixes for CVE-2024-32002 CVE-2024-32004 CVE-2024-32020
CVE-2024-32021 CVE-2024-32465 to 2.35.3 broke git-daemon. No amount of
whitelisting makes the 'fixed' git serve the repository.
Same regression between 2.45.0 and 2.45.2 which allegedly fixes the
same CVEs.
Looks like downgrading to the gaping hole version is needed to serve repositories
in general.
Please consider adjusting the fix so that repositories can still be served.
Thanks
Michal
To reproduce:
cat /usr/local/bin/git-ping
#!/bin/sh -e
# Try connecting to one or more remote repository URLs
while true ; do
git ls-remote -h "$1" >/dev/null
shift
[ -n "$1" ] || break
done
mkdir -p /srv/git/some
chown hramrach /srv/git/some
su hramrach -c "git init --bare /srv/git/some/repo.git"
su hramrach -c "touch /srv/git/some/repo.git/git-daemon-export-ok"
version=2.35.3-150300.10.36.1 ; zypper in --oldpackage git-core-$version git-daemon-$version
systemctl start git-daemon.service
git ping git://localhost/some/repo.git
<nothing>
version=2.35.3-150300.10.39.1 ; zypper in --oldpackage git-core-$version git-daemon-$version
systemctl restart git-daemon.service
git ping git://localhost/some/repo.git
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
systemctl status git-daemon.service
● git-daemon.service - Git Daemon
Loaded: loaded (/usr/lib/systemd/system/git-daemon.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2024-06-06 08:29:28 CEST; 6min ago
Main PID: 31742 (git)
Tasks: 2 (limit: 4915)
CGroup: /system.slice/git-daemon.service
├─ 31742 git daemon --reuseaddr --base-path=/srv/git/ --user=git-daemon --group=nogroup
└─ 31749 /usr/lib/git/git-daemon --reuseaddr --base-path=/srv/git/ --user=git-daemon --group=nogroup
Jun 06 08:29:28 localhost.localdomain systemd[1]: Started Git Daemon.
Jun 06 08:29:39 localhost.localdomain git-daemon[31756]: fatal: detected dubious ownership in repository at '/srv/git//some/repo.git'
Jun 06 08:29:39 localhost.localdomain git-daemon[31756]: To add an exception for this directory, call:
Jun 06 08:29:39 localhost.localdomain git-daemon[31756]: git config --global --add safe.directory /srv/git//some/repo.git
git config --global --add safe.directory /srv/git//some/repo.git
mv ~/.gitconfig /etc/gitconfig
git ping git://localhost/some/repo.git
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
git config --global --add safe.directory /srv/git/some/repo.git
mv ~/.gitconfig /etc/gitconfig
git ping git://localhost/some/repo.git
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
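To make the failure mode Phillip describes easier to see, here is an added model of the two safe-directory checks that git-daemon and "git upload-pack --strict ." perform, as the thread describes them. It is illustrative code written for this page, not git's own implementation: the functions `daemon_repo_path`, `literal_match`, `normalized_match` and `serve` are assumptions of this example, the base-path concatenation mirrors the '/srv/git//some/repo.git' string in the systemd log rather than git's source, and `literal_match` stands in for the "no normalization" behaviour while `normalized_match` implements Phillip's proposed fix of comparing the absolute path of $git_dir. The inputs are the paths and safe.directory values from the reproduction above.

```python
import posixpath


def daemon_repo_path(base_path, request_path):
    """Model of how git-daemon derives the repository path (assumption of this
    example): --base-path is prefixed to the requested path verbatim, which is
    why the log shows '/srv/git//some/repo.git' for base-path '/srv/git/'."""
    return base_path + request_path


def absolute(path, cwd):
    """Absolute, cleaned form of a git dir: relative paths are resolved
    against cwd, and '//' and '.' elements are collapsed."""
    if not path.startswith("/"):
        path = posixpath.join(cwd, path)
    return posixpath.normpath(path)


def literal_match(git_dir, cwd, safe_list):
    """Check as described in the thread: the raw $git_dir string must appear
    in safe.directory, with '*' trusting everything. cwd is ignored."""
    return "*" in safe_list or git_dir in safe_list


def normalized_match(git_dir, cwd, safe_list):
    """Proposed fix: compare the absolute, cleaned $git_dir against the
    absolute, cleaned safe.directory entries. Relative entries such as '.'
    are deliberately not resolved here, so they never match (design choice
    of this example, not git's)."""
    if "*" in safe_list:
        return True
    target = absolute(git_dir, cwd)
    return any(
        posixpath.normpath(entry) == target
        for entry in safe_list
        if entry.startswith("/")
    )


def serve(base_path, request_path, safe_list, match):
    """Run the two checks in order: git-daemon checks the joined path, then
    changes into it and forks 'git upload-pack --strict .', which checks '.'
    again from inside the repository. Returns (daemon_ok, upload_pack_ok)."""
    repo = daemon_repo_path(base_path, request_path)
    if not match(repo, "/", safe_list):
        return (False, False)
    # After chdir the process sits in the real directory, so '.' must be
    # resolved against the cleaned repository path.
    upload_pack_ok = match(".", posixpath.normpath(repo), safe_list)
    return (True, upload_pack_ok)


def demo():
    """Replay the configurations tried in the thread under both checks."""
    base, req = "/srv/git/", "/some/repo.git"
    cases = {
        "log-suggested entry": ["/srv/git//some/repo.git"],
        "cleaned entry": ["/srv/git/some/repo.git"],
        "entry plus '.'": ["/srv/git//some/repo.git", "."],
        "wildcard": ["*"],
    }
    return {
        name: {
            "literal": serve(base, req, safe, literal_match),
            "normalized": serve(base, req, safe, normalized_match),
        }
        for name, safe in cases.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} literal={result['literal']} normalized={result['normalized']}")
```

Under `literal_match` the entry git itself suggests in the log lets git-daemon through but still fails inside upload-pack, the cleaned entry fails already at the daemon because of the '//', and only the "." workaround or "*" serves the repository; under `normalized_match` either absolute spelling of the path is enough and "." is no longer needed.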