On Thu, Mar 06, 2014 at 10:47:43PM +0100, Julian Brost wrote:

> I've noticed some behavior of git that might lead to some security
> issues if the user is not aware of this.
> Assume we have an evil user on a system, let's call him eve. He
> prepares a repository where he allows other user to push changes to.
> If he now adds a post-receive hook, git will happly execute it as
> whatever user pushes to this repository:

Yes, this is a well-known issue. The only safe operation on a repository
for which somebody else controls hooks and config is to fetch from it
(upload-pack on the remote repository does not respect any dangerous
config or hooks).

> Something similiar might happen if eve adds some alias to the config
> file in the repository and grants any other user read access to the
> repository. These aliases will be executed when some other user is
> running any git command in this repository. Even though git does not
> allow defining aliases for existing commands, you might mistype
> something, so adding an alias for "lg" instead of "log" might succeed:

Much easier is to define an external diff or textconv tool; then the
victim does not even have to typo.

> I'd suggest taking a similar approach as Mercurial [1], i.e. ignoring
> configuration files and hooks owned by another user unless the owner
> is explicitly trusted

It has been discussed, but nobody has produced patches. I think that
nobody is really interested in doing so because:

  1. It introduces complications into previously-working setups (e.g., a
     daemon running as "nobody" serving repos owned by a "git" user
     needs to mark "git" as trusted).

  2. In most cases, cross-server boundaries provide sufficient
     insulation (e.g., I might not push to an evil person's repo, but rather
     to a shared repo whose hooks and config are controlled by root on
     the remote server).

If you want to work on it, I think it's an interesting area. But any
development would need to think about the transition plan for existing
sites that will be broken.

At the very least, the current trust model could stand to be documented
much better (I do not think the rule of "fetching is safe, everything
else is not" is mentioned anywhere explicitly).

To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to