From ae9abbb63eea74441e3e8b153dc6ec1f94c373b4 Mon Sep 17 00:00:00 2001 
From: Carlo Marcelo Arenas Belón
Date: Thu, 12 May 2022 18:00:18 -0700
Subject: git-compat-util: avoid failing dir ownership checks if running privileged
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

bdc77d1d685 (Add a function to determine whether a path is owned by the
current user, 2022-03-02) checks for the effective uid of the running
process using geteuid() but didn't account for cases where that user was
root (because git was invoked through sudo or a compatible tool) and the
original uid that repository trusted for its config was no longer known,
therefore failing the following otherwise safe call:

  guy@renard ~/Software/uncrustify $ sudo git describe --always --dirty
  [sudo] password for guy:
  fatal: unsafe repository ('/home/guy/Software/uncrustify' is owned by someone else)

Attempt to detect those cases by using the environment variables that
those tools create to keep track of the original user id, and do the
ownership check using that instead.

This assumes the environment the user is running on after going
privileged can't be tampered with, and also adds code to restrict that
the new behavior only applies if running as root, therefore keeping the
most common case, which runs unprivileged, from changing, but because of
that, it will miss cases where sudo (or an equivalent) was used to change
to another unprivileged user or where the equivalent tool used to raise
privileges didn't track the original id in a sudo compatible way.

Because of compatibility with sudo, the code assumes that uid_t is an
unsigned integer type (which is not required by the standard) but is used
that way in their codebase to generate SUDO_UID.
In systems where uid_t is signed, sudo might be also patched to NOT be unsigned and that might be able to trigger an edge case and a bug (as described in the code), but it is considered unlikely to happen and even if it does, the code would just mostly fail safely, so there was no attempt either to detect it or prevent it by the code, which is something that might change in the future, based on expected user feedback. Reported-by: Guy Maurel Helped-by: SZEDER Gábor Helped-by: Randall Becker Helped-by: Phillip Wood Suggested-by: Johannes Schindelin Signed-off-by: Carlo Marcelo Arenas Belón Signed-off-by: Junio C Hamano --- Documentation/config/safe.txt | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'Documentation') diff --git a/Documentation/config/safe.txt b/Documentation/config/safe.txt index 6d764fe0cc..c6ebd1674d 100644 --- a/Documentation/config/safe.txt +++ b/Documentation/config/safe.txt @@ -26,3 +26,16 @@ directory was listed in the `safe.directory` list. If `safe.directory=*` is set in system config and you want to re-enable this protection, then initialize your list with an empty value before listing the repositories that you deem safe. ++ +As explained, Git only allows you to access repositories owned by +yourself, i.e. the user who is running Git, by default. When Git +is running as 'root' in a non Windows platform that provides sudo, + however, git checks the SUDO_UID environment variable that sudo creates +and will allow access to the uid recorded as its value instead. +This is to make it easy to perform a common sequence during installation +"make && sudo make install". A git process running under 'sudo' runs as +'root' but the 'sudo' command exports the environment variable to record +which id the original user has. +If that is not what you would prefer and want git to only trust +repositories that are owned by root instead, then you must remove +the `SUDO_UID` variable from root's environment before invoking git. -- cgit v1.3 
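Review bot: in the Documentation/config/safe.txt hunk, the sentence ending "will allow access to the uid recorded as its value instead" implies that a repository owned by root itself stops being trusted whenever SUDO_UID is set, and the text only reaches that consequence in its closing sentence about removing the variable. State it where "instead" is introduced, so an administrator running git under sudo on a root-owned repository knows why the ownership check fails. The paragraph also never says that the value of SUDO_UID is taken on trust, which the commit message names as an assumption; one sentence on that belongs in the user-facing text. Style: the added line " however, git checks the SUDO_UID" begins with a stray space, "non Windows" should be hyphenated, and the paragraph mixes "Git" and "git".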
From 6b11e3d52e919cce91011f4f9025e6f4b61375f2 Mon Sep 17 00:00:00 2001 From: Carlo Marcelo Arenas Belón Date: Fri, 17 Jun 2022 13:23:38 -0700 Subject: git-compat-util: allow root to access both SUDO_UID and root owned MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previous changes introduced a regression which will prevent root for accessing repositories owned by thyself if using sudo because SUDO_UID takes precedence. Loosen that restriction by allowing root to access repositories owned by both uid by default and without having to add a safe.directory exception. A previous workaround that was documented in the tests is no longer needed so it has been removed together with its specially crafted prerequisite. Helped-by: Johanness Schindelin Signed-off-by: Carlo Marcelo Arenas Belón Signed-off-by: Junio C Hamano --- Documentation/config/safe.txt | 7 ++++--- git-compat-util.h | 7 ++++++- t/t0034-root-safe-directory.sh | 15 +-------------- 3 files changed, 11 insertions(+), 18 deletions(-) (limited to 'Documentation') diff --git a/Documentation/config/safe.txt b/Documentation/config/safe.txt index c6ebd1674d..74627c5e7c 100644 --- a/Documentation/config/safe.txt +++ b/Documentation/config/safe.txt 
@@ -30,12 +30,13 @@ that you deem safe. As explained, Git only allows you to access repositories owned by yourself, i.e. the user who is running Git, by default. When Git is running as 'root' in a non Windows platform that provides sudo, - however, git checks the SUDO_UID environment variable that sudo creates -and will allow access to the uid recorded as its value instead. +however, git checks the SUDO_UID environment variable that sudo creates +and will allow access to the uid recorded as its value in addition to +the id from 'root'. This is to make it easy to perform a common sequence during installation "make && sudo make install". A git process running under 'sudo' runs as 'root' but the 'sudo' command exports the environment variable to record which id the original user has. If that is not what you would prefer and want git to only trust -repositories that are owned by root instead, then you must remove +repositories that are owned by root instead, then you can remove the `SUDO_UID` variable from root's environment before invoking git. diff --git a/git-compat-util.h b/git-compat-util.h index e7cbfa65c9..f505f817d5 100644 --- a/git-compat-util.h +++ b/git-compat-util.h @@ -447,7 +447,12 @@ static inline int is_path_owned_by_current_uid(const char *path) euid = geteuid(); if (euid == ROOT_UID) - extract_id_from_env("SUDO_UID", &euid); + { + if (st.st_uid == ROOT_UID) + return 1; + else + extract_id_from_env("SUDO_UID", &euid); + } return st.st_uid == euid; } diff --git a/t/t0034-root-safe-directory.sh b/t/t0034-root-safe-directory.sh index a621f1ea5e..ff31176128 100755 --- a/t/t0034-root-safe-directory.sh +++ b/t/t0034-root-safe-directory.sh @@ -68,7 +68,7 @@ test_expect_success 'can access if addressed explicitly' ' ) ' -test_expect_failure SUDO 'can access with sudo if root' ' +test_expect_success SUDO 'can access with sudo if root' ' ( cd root/p && sudo git status 
@@ -85,19 +85,6 @@ test_expect_success SUDO 'can access with sudo if root by removing SUDO_UID' ' ) ' -test_lazy_prereq SUDO_SUDO ' - sudo sudo id -u >u && - id -u root >r && - test_cmp u r -' - -test_expect_success SUDO_SUDO 'can access with sudo abusing SUDO_UID' ' - ( - cd root/p && - sudo sudo git status - ) -' - # this MUST be always the last test test_expect_success SUDO 'cleanup' ' sudo rm -rf root -- cgit v1.3 From 88b7be68a4bf9f39b84ed438d8d776c0d752b316 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Fri, 27 May 2022 23:38:36 +0200 Subject: Git 2.30.5 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.30.5.txt | 12 ++++++++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.30.5.txt (limited to 'Documentation') diff --git a/Documentation/RelNotes/2.30.5.txt b/Documentation/RelNotes/2.30.5.txt new file mode 100644 index 0000000000..5191cab3ae --- /dev/null +++ b/Documentation/RelNotes/2.30.5.txt @@ -0,0 +1,12 @@ +Git v2.30.5 Release Notes +========================= + +This release contains minor fix-ups for the changes that went into +Git 2.30.3 and 2.30.4, addressing CVE-2022-29187. + + * The safety check that verifies a safe ownership of the Git + worktree is now extended to also cover the ownership of the Git + directory (and the `.git` file, if there is any). + +Carlo Marcelo Arenas Belón (1): + setup: tighten ownership checks post CVE-2022-24765 diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index a927c77478..39d0c99da6 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.30.4 +DEF_VER=v2.30.5 LF=' ' diff --git a/RelNotes b/RelNotes index 4dcee84642..406d23844b 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.30.4.txt \ No newline at end of file +Documentation/RelNotes/2.30.5.txt \ No newline at end of file -- cgit v1.3 
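Review bot: in the git-compat-util.h hunk of "git-compat-util: allow root to access both SUDO_UID and root owned", the new early "return 1;" under "if (st.st_uid == ROOT_UID)" has no comment explaining why a root-owned path is accepted before SUDO_UID is consulted; a one-line comment would stop a later cleanup from folding it back into the SUDO_UID branch. The "else" after the return is redundant, and the opening brace sits on its own line below "if (euid == ROOT_UID)", where Git's coding guidelines put it on the same line as the condition. Moving the brace up and dropping the "else" leaves the return followed directly by the extract_id_from_env("SUDO_UID", &euid) call.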
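Review bot: in the t/t0034-root-safe-directory.sh hunk at -85,19, deleting 'can access with sudo abusing SUDO_UID' together with the SUDO_SUDO prerequisite leaves the nested "sudo sudo git status" invocation in root/p without any coverage. With the header change in this same commit, that invocation no longer depends on the workaround, so it could stay (with its prerequisite) under a title that no longer says "abusing", as a regression test for nested sudo. If the removal is intentional because the flipped 'can access with sudo if root' test is considered sufficient, the commit message should say so rather than only calling the prerequisite "specially crafted".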
From 5b1c746c352e85211770e5cbd26a433b3affd3b4 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 23 Jun 2022 12:35:25 +0200 Subject: Git 2.31.4 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.31.4.txt | 6 ++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.31.4.txt (limited to 'Documentation') diff --git a/Documentation/RelNotes/2.31.4.txt b/Documentation/RelNotes/2.31.4.txt new file mode 100644 index 0000000000..97a91fd07a --- /dev/null +++ b/Documentation/RelNotes/2.31.4.txt @@ -0,0 +1,6 @@ +Git v2.31.4 Release Notes +========================= + +This release merges up the fixes that appear in v2.30.5 to address +the security issue CVE-2022-29187; see the release notes for that +version for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index da853679b7..2126fe83f8 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.31.3 +DEF_VER=v2.31.4 LF=' ' diff --git a/RelNotes b/RelNotes index c3d6893a92..7ef30395e1 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.31.3.txt \ No newline at end of file +Documentation/RelNotes/2.31.4.txt \ No newline at end of file -- cgit v1.3 From 656d9a24f624039831bc2e865f4cc42f393caf70 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 23 Jun 2022 12:35:32 +0200 Subject: Git 2.32.3 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.32.3.txt | 6 ++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.32.3.txt (limited to 'Documentation') diff --git a/Documentation/RelNotes/2.32.3.txt b/Documentation/RelNotes/2.32.3.txt new file mode 100644 index 0000000000..583fabe684 --- /dev/null +++ b/Documentation/RelNotes/2.32.3.txt 
@@ -0,0 +1,6 @@ +Git v2.32.3 Release Notes +========================= + +This release merges up the fixes that appear in v2.30.5 and +v2.31.4 to address the security issue CVE-2022-29187; see the +release notes for these versions for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index e7efe58866..c8237bb5e9 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.32.2 +DEF_VER=v2.32.3 LF=' ' diff --git a/RelNotes b/RelNotes index 4ac68388c3..3bfb2b6297 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.32.2.txt \ No newline at end of file +Documentation/RelNotes/2.32.3.txt \ No newline at end of file -- cgit v1.3 From 80c525c4acaf6072697d4bd2a3a5137f91665b55 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 23 Jun 2022 12:35:41 +0200 Subject: Git 2.33.4 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.33.4.txt | 6 ++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.33.4.txt (limited to 'Documentation') diff --git a/Documentation/RelNotes/2.33.4.txt b/Documentation/RelNotes/2.33.4.txt new file mode 100644 index 0000000000..a145cc25de --- /dev/null +++ b/Documentation/RelNotes/2.33.4.txt @@ -0,0 +1,6 @@ +Git v2.33.4 Release Notes +========================= + +This release merges up the fixes that appear in v2.30.5, v2.31.4 +and v2.32.3 to address the security issue CVE-2022-29187; see +the release notes for these versions for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 86a3a2870c..473746835b 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.33.3 +DEF_VER=v2.33.4 LF=' ' diff --git a/RelNotes b/RelNotes index 899139d9ec..6cb6ec27dc 120000 --- a/RelNotes +++ b/RelNotes 
@@ -1 +1 @@ -Documentation/RelNotes/2.33.3.txt \ No newline at end of file +Documentation/RelNotes/2.33.4.txt \ No newline at end of file -- cgit v1.3 From f2eed22852b0a21556f0c9f56732913eba553e62 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Thu, 23 Jun 2022 12:35:49 +0200 Subject: Git 2.34.4 Signed-off-by: Johannes Schindelin --- Documentation/RelNotes/2.34.4.txt | 6 ++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.34.4.txt (limited to 'Documentation') diff --git a/Documentation/RelNotes/2.34.4.txt b/Documentation/RelNotes/2.34.4.txt new file mode 100644 index 0000000000..2a6b223403 --- /dev/null +++ b/Documentation/RelNotes/2.34.4.txt @@ -0,0 +1,6 @@ +Git v2.34.4 Release Notes +========================= + +This release merges up the fixes that appear in v2.30.5, v2.31.4, +v2.32.3 and v2.33.4 to address the security issue CVE-2022-29187; +see the release notes for these versions for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 3ae76105c8..9e2cf5d43d 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.34.3 +DEF_VER=v2.34.4 LF=' ' diff --git a/RelNotes b/RelNotes index 1065723912..9041e1b0fe 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.34.3.txt \ No newline at end of file +Documentation/RelNotes/2.34.4.txt \ No newline at end of file -- cgit v1.3