From: Carlo Marcelo Arenas Belón
To: git@vger.kernel.org
Cc: gitster@pobox.com, bagasdotme@gmail.com, phillip.wood123@gmail.com, Carlo Marcelo Arenas Belón, SZEDER Gábor
Subject: [PATCH v3 1/3] t: document regression git safe.directory when using sudo
Date: Mon, 2 May 2022 23:54:40 -0700
Message-Id: <20220503065442.95699-2-carenas@gmail.com>
In-Reply-To: <20220503065442.95699-1-carenas@gmail.com>
References: <20220428105852.94449-1-carenas@gmail.com> <20220503065442.95699-1-carenas@gmail.com>

Originally reported after release of v2.35.2 (and other maint branches) for CVE-2022-24765 and blocking otherwise harmless commands that were done using sudo in a repository that was owned by the user.

Add a new test script with very basic support to allow running git commands through sudo, so a reproduction could be implemented and that uses only `git status` as a proxy of the issue reported.

Note that because of the way sudo interacts with the system, a much more complete integration with the test framework will require a lot more work and that was therefore intentionally punted for now.

The current implementation requires the execution of a special cleanup function which should always be kept as the last "test" or otherwise the standard cleanup functions will fail because they can't remove the root owned directories that are used. This also means that if failures are found while running the specifics of the failure might not be kept for further debugging and if the test was interrupted, it will be necessary to clean the working directory manually before restarting by running:

  $ sudo rm -rf trash\ directory.t0034-root-safe-directory/

The test file also uses at least one initial "setup" test that creates a parallel execution directory, while ignoring the repository created by the test framework, and special care should be taken when invoking commands through sudo, since the environment is otherwise independent from what the test framework expects. Indeed `git status` was used as a proxy because it doesn't even require commits in the repository to work.

A new SUDO prerequisite is provided that does some sanity checking to make sure the sudo command that will be used allows for passwordless execution as root and doesn't mess with git execution paths, but otherwise additional work will be required to ensure additional commands behave as expected and that will be addressed in a later patch.

Most of those characteristics make this test mostly suitable only for CI, but it could be executed locally if special care is taken to provide for some of them in the local configuration and maybe making use of the sudo credential cache by first invoking sudo, entering your password if needed, and then invoking the test by doing:

  $ IKNOWWHATIAMDOING=YES ./t0034-root-safe-directory.sh

Reported-by: SZEDER Gábor
Signed-off-by: Carlo Marcelo Arenas Belón
--- t/t0034-root-safe-directory.sh | 49 ++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100755 t/t0034-root-safe-directory.sh diff --git a/t/t0034-root-safe-directory.sh b/t/t0034-root-safe-directory.sh new file mode 100755 index 00000000000..6dac7a05cfd --- /dev/null +++ b/t/t0034-root-safe-directory.sh
@@ -0,0 +1,49 @@ +#!/bin/sh + +test_description='verify safe.directory checks while running as root' + +. ./test-lib.sh + +if [ "$IKNOWWHATIAMDOING" != "YES" ] +then + skip_all="You must set env var IKNOWWHATIAMDOING=YES in order to run this test" + test_done +fi + +# this prerequisite should be added to all the tests, it not only prevents +# the test from failing but also warms up any authentication cache sudo +# might need to avoid asking for a password +test_lazy_prereq SUDO ' + sudo -n id -u >u && + id -u root >r && + test_cmp u r && + command -v git >u && + sudo command -v git >r && + test_cmp u r +' + +test_expect_success SUDO 'setup' ' + sudo rm -rf root && + mkdir -p root/r && + sudo chown root root && + ( + cd root/r && + git init + ) +' + +test_expect_failure SUDO 'sudo git status as original owner' ' + ( + cd root/r && + git status && + sudo git status + ) +' + +# this MUST be always the last test, if used more than once, the next +# test should do a full setup again. +test_expect_success SUDO 'cleanup' ' + sudo rm -rf root +' + +test_done
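Review bot: The `sudo command -v git >r` step in the SUDO prerequisite depends on an external `command` utility being installed, because sudo executes programs rather than shell builtins; on a system without one the prerequisite fails and every test in the file is skipped instead of run. Running the lookup through a shell, for example `sudo sh -c "command -v git" >r`, removes that dependency. The comment above the prerequisite could also say that comparing the two paths only shows that sudo resolves the same git binary, since the commit message notes the rest of the environment under sudo is independent from what the test framework expects.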
From: Carlo Marcelo Arenas Belón
To: git@vger.kernel.org
Cc: gitster@pobox.com, bagasdotme@gmail.com, phillip.wood123@gmail.com, Carlo Marcelo Arenas Belón, Guy Maurel, SZEDER Gábor, Randall Becker, Johannes Schindelin
Subject: [PATCH v3 2/3] git-compat-util: avoid failing dir ownership checks if running privileged
Date: Mon, 2 May 2022 23:54:41 -0700
Message-Id: <20220503065442.95699-3-carenas@gmail.com>
In-Reply-To: <20220503065442.95699-1-carenas@gmail.com>
References: <20220428105852.94449-1-carenas@gmail.com> <20220503065442.95699-1-carenas@gmail.com>

bdc77d1d685 (Add a function to determine whether a path is owned by the current user, 2022-03-02) checks for the effective uid of the running process using geteuid() but didn't account for cases where that user was root (because git was invoked through sudo or a compatible tool) and the original uid that repository trusted for its config was no longer known, therefore failing the following otherwise safe call:

  guy@renard ~/Software/uncrustify $ sudo git describe --always --dirty
  [sudo] password for guy:
  fatal: unsafe repository ('/home/guy/Software/uncrustify' is owned by someone else)

Attempt to detect those cases by using the environment variables that those tools create to keep track of the original user id, and do the ownership check using that instead.

This assumes the environment the user is running on after going privileged can't be tampered with, and also adds code to restrict that the new behavior only applies if running as root, therefore keeping the most common case, which runs unprivileged, from changing, but because of that, it will miss cases where sudo (or an equivalent) was used to change to another unprivileged user or where the equivalent tool used to raise privileges didn't track the original id in a sudo compatible way.

Reported-by: Guy Maurel
Helped-by: SZEDER Gábor
Helped-by: Randall Becker
Helped-by: Phillip Wood
Suggested-by: Johannes Schindelin
Signed-off-by: Carlo Marcelo Arenas Belón
--- Documentation/config/safe.txt | 9 ++++++++ git-compat-util.h | 40 +++++++++++++++++++++++++++++++++- t/t0034-root-safe-directory.sh | 2 +- 3 files changed, 49 insertions(+), 2 deletions(-) diff --git a/Documentation/config/safe.txt b/Documentation/config/safe.txt index 6d764fe0ccf..ee558ced8c7 100644 --- a/Documentation/config/safe.txt +++ b/Documentation/config/safe.txt @@ -26,3 +26,12 @@ directory was listed in the `safe.directory` list. If `safe.directory=*` is set in system config and you want to re-enable this protection, then initialize your list with an empty value before listing the repositories that you deem safe. ++ +When git tries to check for ownership of git repositories, it will +obviously do so with the uid of the user that is running git itself, +but if git is running as root, it will check first if it might have +been started through `sudo`, and if that is the case, will instead +use the uid of the user that did so. +If that is not what you would prefer and want git to only trust +repositories that are owned by root instead, then you should remove +the `SUDO_UID` variable from root's environment. diff --git a/git-compat-util.h b/git-compat-util.h index 63ba89dd31d..dfdd3e4f81a 100644 --- a/git-compat-util.h +++ b/git-compat-util.h
@@ -393,12 +393,50 @@ static inline int git_offset_1st_component(const char *path) #endif #ifndef is_path_owned_by_current_user + +#ifdef __TANDEM +#define ROOT_UID 65535 +#else +#define ROOT_UID 0 +#endif + +/* + * this helper function overrides a ROOT_UID with the one provided by + * an environment variable, do not use unless the original user is + * root + */ +static inline void extract_id_from_env(const char *env, uid_t *id) +{ + const char *real_uid = getenv(env); + + /* discard any empty values */ + if (real_uid && *real_uid) { + char *endptr; + unsigned long env_id; + int saved_errno = errno; + + errno = 0; + env_id = strtoul(real_uid, &endptr, 10); + if (!errno && !*endptr && env_id <= (uid_t)-1) + *id = env_id; + + errno = saved_errno; + } +} + static inline int is_path_owned_by_current_uid(const char *path) { struct stat st; + uid_t euid; + if (lstat(path, &st)) return 0; - return st.st_uid == geteuid(); + + euid = geteuid(); + if (euid == ROOT_UID) + extract_id_from_env("SUDO_UID", &euid); + + return st.st_uid == euid; } #define is_path_owned_by_current_user is_path_owned_by_current_uid diff --git a/t/t0034-root-safe-directory.sh b/t/t0034-root-safe-directory.sh index 6dac7a05cfd..dd659aed4e1 100755 --- a/t/t0034-root-safe-directory.sh +++ b/t/t0034-root-safe-directory.sh 
@@ -32,7 +32,7 @@ test_expect_success SUDO 'setup' ' ) ' -test_expect_failure SUDO 'sudo git status as original owner' ' +test_expect_success SUDO 'sudo git status as original owner' ' ( cd root/r && git status &&
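Review bot: The paragraph added to Documentation/config/safe.txt leaves out the limits that the commit message spells out: `SUDO_UID` is only consulted when git runs as root, its value is taken from the environment as is, and using sudo to switch to another unprivileged user is not covered. Someone deciding whether to rely on this behaviour needs those facts in the documentation itself. The word "obviously" can go, and naming `SUDO_UID` where the text first says "started through `sudo`" would give the removal advice in the last sentence something to refer back to.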
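Review bot: In extract_id_from_env() the range check `env_id <= (uid_t)-1` only does its job when uid_t is unsigned and narrower than unsigned long; where uid_t is signed, `(uid_t)-1` converts to ULONG_MAX for the comparison, every value passes, and `*id = env_id` then truncates it. strtoul() also skips leading whitespace and accepts a sign, so a value such as "-1" parses without setting errno and, where unsigned long and uid_t have the same width, is accepted as the largest uid. Because this value decides which owner root will trust, reject any string whose first character is not a digit before calling strtoul(), and state next to the comparison what is assumed about uid_t.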
From: Carlo Marcelo Arenas Belón
To: git@vger.kernel.org
Cc: gitster@pobox.com, bagasdotme@gmail.com, phillip.wood123@gmail.com, Carlo Marcelo Arenas Belón
Subject: [PATCH v3 3/3] t0034: enhance framework to allow testing more commands under sudo
Date: Mon, 2 May 2022 23:54:42 -0700
Message-Id: <20220503065442.95699-4-carenas@gmail.com>
In-Reply-To: <20220503065442.95699-1-carenas@gmail.com>
References: <20220428105852.94449-1-carenas@gmail.com> <20220503065442.95699-1-carenas@gmail.com>

Add a support library that provides one function that can be used to run a "scriplet" of commands through sudo and that has an optional parameter (currently unused) to indicate which shell to use to do so.

Add additional negative tests as suggested by Junio and that use new workspace that is owned by root.

Note that in order to be able to call `test_must_fail sudo git status` or an equivalent, test_must_fail will need to be enhanced or be able to run under sudo, so fixing that has been punted, since the only protection it affords is for `git status` not crashing, and that is covered already by other tests.

Helped-by: Junio C Hamano
Signed-off-by: Carlo Marcelo Arenas Belón
--- t/lib-sudo.sh | 13 +++++++ t/t0034-root-safe-directory.sh | 70 +++++++++++++++++++++++++++++++++- 2 files changed, 81 insertions(+), 2 deletions(-) create mode 100644 t/lib-sudo.sh diff --git a/t/lib-sudo.sh b/t/lib-sudo.sh new file mode 100644 index 00000000000..9ebb30fc82b --- /dev/null +++ b/t/lib-sudo.sh @@ -0,0 +1,13 @@ +# Helpers for running git commands under sudo. + +# Runs a scriplet passed through stdin under sudo. +run_with_sudo () { + local ret + local SH=${1-"$TEST_SHELL_PATH"} + local RUN="$HOME/$$.sh" + write_script "$RUN" "$SH" + sudo "$SH" -c "\"$RUN\"" + ret=$? + rm -f "$RUN" + return $ret +}
diff --git a/t/t0034-root-safe-directory.sh b/t/t0034-root-safe-directory.sh index dd659aed4e1..a68e1d7602b 100755 --- a/t/t0034-root-safe-directory.sh +++ b/t/t0034-root-safe-directory.sh @@ -3,6 +3,7 @@ test_description='verify safe.directory checks while running as root' . ./test-lib.sh +. "$TEST_DIRECTORY"/lib-sudo.sh if [ "$IKNOWWHATIAMDOING" != "YES" ] then @@ -10,6 +11,12 @@ then test_done fi +if ! test_have_prereq NOT_ROOT +then + skip_all="No, you don't; these tests can't run as root" + test_done +fi + # this prerequisite should be added to all the tests, it not only prevents # the test from failing but also warms up any authentication cache sudo # might need to avoid asking for a password 
@@ -40,8 +47,67 @@ test_expect_success SUDO 'sudo git status as original owner' ' ) ' -# this MUST be always the last test, if used more than once, the next -# test should do a full setup again. +# this destroys the test environment used above +test_expect_success SUDO 'cleanup regression' ' + sudo rm -rf root +' + +if ! test_have_prereq SUDO +then + skip_all="You need sudo to root for all remaining tests" + test_done +fi + +test_expect_success SUDO 'setup root owned repository' ' + sudo mkdir -p root/p && + sudo git init root/p +' + +test_expect_success 'cannot access if owned by root' ' + ( + cd root/p && + test_must_fail git status + ) +' + +test_expect_success SUDO 'cannot access with sudo' ' + ( + # TODO: test_must_fail needs additional functionality + # 6a67c759489 blocks its use with sudo + cd root/p && + ! sudo git status + ) +' + +test_expect_success SUDO 'can access using a workaround' ' + # run sudo twice + ( + cd root/p && + run_with_sudo <<-END + sudo git status + END + ) && + # provide explicit GIT_DIR + ( + cd root/p && + run_with_sudo <<-END + GIT_DIR=.git && + GIT_WORK_TREE=. && + export GIT_DIR GIT_WORK_TREE && + git status + END + ) && + # discard SUDO_UID + ( + cd root/p && + run_with_sudo <<-END + unset SUDO_UID && + git status + END + ) +' + +# this MUST be always the last test test_expect_success SUDO 'cleanup' ' sudo rm -rf root '
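Review bot: run_with_sudo() in t/lib-sudo.sh invokes `sudo "$SH" -c "\"$RUN\""`, which pastes `$HOME` into a string that the root shell parses a second time, so a home path containing a double quote, `$` or a backquote is reinterpreted by that shell. Passing the script as an argument, `sudo "$SH" "$RUN"`, avoids the second parse. The `$HOME/$$.sh` name is predictable and the file is executed as root, so the header comment should say the helper is only meant to run inside the test's own directory, and it should describe the optional shell parameter that the commit message calls currently unused.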
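Review bot: The `if ! test_have_prereq SUDO` block that sets skip_all in t0034 comes after three tests ('setup', 'sudo git status as original owner', 'cleanup regression') have already been reported, so without sudo the file shows three individual skips and then a skip_all in the middle of the run. Moving that check up to just after the test_lazy_prereq definition would skip the file in one place and make the per-test SUDO prerequisites unnecessary. In 'cannot access with sudo', `! sudo git status` also passes when sudo itself fails or git dies from a signal, as the TODO hints; until test_must_fail can be used there, capturing the output and checking it for the expected refusal would keep the test from passing for the wrong reason.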