<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/setup.c, branch v2.36.2</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.36.2</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.36.2'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2022-06-23T10:36:12Z</updated>
<entry>
<title>Sync with 2.35.4</title>
<updated>2022-06-23T10:36:12Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2022-06-23T10:36:12Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=8f8eea8c3aba154ce1f9eaab4fa06c73b60550dc'/>
<id>urn:sha1:8f8eea8c3aba154ce1f9eaab4fa06c73b60550dc</id>
<content type='text'>
* maint-2.35:
  Git 2.35.4
  Git 2.34.4
  Git 2.33.4
  Git 2.32.3
  Git 2.31.4
  Git 2.30.5
  setup: tighten ownership checks post CVE-2022-24765
  git-compat-util: allow root to access both SUDO_UID and root owned
  t0034: add negative tests and allow git init to mostly work under sudo
  git-compat-util: avoid failing dir ownership checks if running privileged
  t: regression git needs safe.directory when using sudo
</content>
</entry>
<entry>
<title>Sync with 2.34.4</title>
<updated>2022-06-23T10:36:03Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2022-06-23T10:36:03Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=aef3d5948c5b00a0409e117da7e720f574040505'/>
<id>urn:sha1:aef3d5948c5b00a0409e117da7e720f574040505</id>
<content type='text'>
* maint-2.34:
  Git 2.34.4
  Git 2.33.4
  Git 2.32.3
  Git 2.31.4
  Git 2.30.5
  setup: tighten ownership checks post CVE-2022-24765
  git-compat-util: allow root to access both SUDO_UID and root owned
  t0034: add negative tests and allow git init to mostly work under sudo
  git-compat-util: avoid failing dir ownership checks if running privileged
  t: regression git needs safe.directory when using sudo
</content>
</entry>
<entry>
<title>Sync with 2.32.3</title>
<updated>2022-06-23T10:35:38Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2022-06-23T10:35:38Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=eebfde3f213e2990727a64da0d7d04ad961a28b0'/>
<id>urn:sha1:eebfde3f213e2990727a64da0d7d04ad961a28b0</id>
<content type='text'>
* maint-2.32:
  Git 2.32.3
  Git 2.31.4
  Git 2.30.5
  setup: tighten ownership checks post CVE-2022-24765
  git-compat-util: allow root to access both SUDO_UID and root owned
  t0034: add negative tests and allow git init to mostly work under sudo
  git-compat-util: avoid failing dir ownership checks if running privileged
  t: regression git needs safe.directory when using sudo
</content>
</entry>
<entry>
<title>Sync with 2.31.4</title>
<updated>2022-06-23T10:35:30Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2022-06-23T10:35:30Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=fc0c773028685cdbae35c6c71f3fd3b87ab70985'/>
<id>urn:sha1:fc0c773028685cdbae35c6c71f3fd3b87ab70985</id>
<content type='text'>
* maint-2.31:
  Git 2.31.4
  Git 2.30.5
  setup: tighten ownership checks post CVE-2022-24765
  git-compat-util: allow root to access both SUDO_UID and root owned
  t0034: add negative tests and allow git init to mostly work under sudo
  git-compat-util: avoid failing dir ownership checks if running privileged
  t: regression git needs safe.directory when using sudo
</content>
</entry>
<entry>
<title>setup: tighten ownership checks post CVE-2022-24765</title>
<updated>2022-06-23T10:31:05Z</updated>
<author>
<name>Carlo Marcelo Arenas Belón</name>
<email>carenas@gmail.com</email>
</author>
<published>2022-05-10T19:35:29Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=3b0bf2704980b1ed6018622bdf5377ec22289688'/>
<id>urn:sha1:3b0bf2704980b1ed6018622bdf5377ec22289688</id>
<content type='text'>
8959555cee7 (setup_git_directory(): add an owner check for the top-level
directory, 2022-03-02) adds a function to check for ownership of
repositories using a directory that is representative of it, and ways to
exempt a specific repository from said check if needed, but that
check didn't account for ownership of the gitdir, or (when used) the
gitfile that points to that gitdir.

An attacker could create a git repository in a directory that they can
write into but that is owned by the victim to work around the fix that
was introduced with CVE-2022-24765 to potentially run code as the
victim.

An example that could result in privilege escalation to root in *NIX would
be to set a repository in a shared tmp directory by doing (for example):

  $ git -C /tmp init

To avoid that, extend the ensure_valid_ownership function to be able to
check for all three paths.

This will have the side effect of tripling the number of stat() calls
when a repository is detected, but the effect is expected to be likely
minimal, as it is done only once during the directory walk in which Git
looks for a repository.

Additionally make sure to resolve the gitfile (if one was used) to find
the relevant gitdir for checking.

While at it, change the message printed on failure so it is clear we are
referring to the repository by its worktree (or gitdir if it is bare) and
not to a specific directory.

Helped-by: Junio C Hamano &lt;junio@pobox.com&gt;
Helped-by: Johannes Schindelin &lt;Johannes.Schindelin@gmx.de&gt;
Signed-off-by: Carlo Marcelo Arenas Belón &lt;carenas@gmail.com&gt;
</content>
</entry>
<entry>
<title>Sync with Git 2.35.3</title>
<updated>2022-04-13T22:26:32Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2022-04-13T22:26:32Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=1ac7422e39b0043250b026f9988d0da24cb2cb58'/>
<id>urn:sha1:1ac7422e39b0043250b026f9988d0da24cb2cb58</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Git 2.35.3</title>
<updated>2022-04-13T22:21:34Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2022-04-13T22:21:34Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=d516b2db0af2221bd6b13e7347abdcb5830b2829'/>
<id>urn:sha1:d516b2db0af2221bd6b13e7347abdcb5830b2829</id>
<content type='text'>
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Git 2.33.3</title>
<updated>2022-04-13T22:21:28Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2022-04-13T22:21:28Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=1f65dd6ae635f77c588ac432cad1a299723d00d6'/>
<id>urn:sha1:1f65dd6ae635f77c588ac432cad1a299723d00d6</id>
<content type='text'>
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Git 2.32.2</title>
<updated>2022-04-13T22:21:26Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2022-04-13T22:21:26Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=15304344342b7c888f732d28f908890d874bcb0c'/>
<id>urn:sha1:15304344342b7c888f732d28f908890d874bcb0c</id>
<content type='text'>
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>setup: opt-out of check with safe.directory=*</title>
<updated>2022-04-13T19:42:51Z</updated>
<author>
<name>Derrick Stolee</name>
<email>derrickstolee@github.com</email>
</author>
<published>2022-04-13T15:32:31Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=0f85c4a30b072a26d74af8bbf63cc8f6a5dfc1b8'/>
<id>urn:sha1:0f85c4a30b072a26d74af8bbf63cc8f6a5dfc1b8</id>
<content type='text'>
With the addition of the safe.directory in 8959555ce
(setup_git_directory(): add an owner check for the top-level directory,
2022-03-02) released in v2.35.2, we are receiving feedback from a
variety of users about the feature.

Some users have a very large list of shared repositories and find it
cumbersome to add this config for every one of them.

In a more difficult case, certain workflows involve running Git commands
within containers. The container boundary prevents any global or system
config from communicating `safe.directory` values from the host into the
container. Further, the container almost always runs as a different user
than the owner of the directory in the host.

To simplify the reactions necessary for these users, extend the
definition of the safe.directory config value to include a possible '*'
value. This value implies that all directories are safe, providing a
single setting to opt-out of this protection.

Note that an empty assignment of safe.directory clears all previous
values, and this is already the case with the "if (!value || !*value)"
condition.

Signed-off-by: Derrick Stolee &lt;derrickstolee@github.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
