From patchwork Wed Jul 13 08:17:15 2022
X-Patchwork-Submitter: Johannes Schindelin
X-Patchwork-Id: 12916247
Message-Id: <3480381b8b99142bcc0213957a43d68a962c52d9.1657700238.git.gitgitgadget@gmail.com>
Date: Wed, 13 Jul 2022 08:17:15 +0000
Subject: [PATCH 1/3] Allow debugging unsafe directories' ownership
To: git@vger.kernel.org
Cc: Johannes Schindelin, Johannes Schindelin
From: Johannes Schindelin

From: Johannes Schindelin

When Git refuses to use an existing repository because it is owned by someone else than the current user, it can be a bit tricky on Windows to figure out what is going on.

Let's help with that by offering some more information via the environment variable `GIT_TEST_DEBUG_UNSAFE_DIRECTORIES`.

Signed-off-by: Johannes Schindelin
---
 Documentation/config/safe.txt | 6 ++++++
 compat/mingw.c | 21 +++++++++++++++++++++
 setup.c | 14 ++++++++++++--
 3 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/Documentation/config/safe.txt b/Documentation/config/safe.txt index 74627c5e7c6..18fac9cb7f3 100644 --- a/Documentation/config/safe.txt +++ b/Documentation/config/safe.txt @@ -40,3 +40,9 @@ which id the original user has. If that is not what you would prefer and want git to only trust repositories that are owned by root instead, then you can remove the `SUDO_UID` variable from root's environment before invoking git. ++ +Due to the permission model on Windows where ACLs are used instead of +Unix' simpler permission model, it can be a bit tricky to figure out why +a directory is considered unsafe. To help with this, Git will provide +more detailed information when the environment variable +`GIT_TEST_DEBUG_UNSAFE_DIRECTORIES` is set to `true`. diff --git a/compat/mingw.c b/compat/mingw.c index 38ac35913df..912444fb3ab 100644 --- a/compat/mingw.c +++ b/compat/mingw.c @@ -1,6 +1,7 @@ #include "../git-compat-util.h" #include "win32.h" #include +#include #include #include #include "../strbuf.h" @@ -2676,6 +2677,26 @@ int is_path_owned_by_current_sid(const char *path) IsValidSid(current_user_sid) && EqualSid(sid, current_user_sid)) result = 1; + else if (git_env_bool("GIT_TEST_DEBUG_UNSAFE_DIRECTORIES", 0)) { + LPSTR str1, str2, to_free1 = NULL, to_free2 = NULL; + + if (ConvertSidToStringSidA(sid, &str1)) + to_free1 = str1; + else + str1 = "(inconvertible)"; + + if (!current_user_sid) + str2 = "(none)"; + else if (!IsValidSid(current_user_sid)) + str2 = "(invalid)"; + else if (ConvertSidToStringSidA(current_user_sid, &str2)) + to_free2 = str2; + else + str2 = "(inconvertible)"; + warning("'%s' is owned by:\n\t'%s'\nbut the current user is:\n\t'%s'", path, str1, str2); + LocalFree(to_free1); + LocalFree(to_free2); + } } /* diff --git a/setup.c b/setup.c index 9dcecda65b0..3ba42ffcb27 100644 --- a/setup.c +++ b/setup.c 
@@ -1353,13 +1353,23 @@ const char *setup_git_directory_gently(int *nongit_ok) case GIT_DIR_INVALID_OWNERSHIP: if (!nongit_ok) { struct strbuf quoted = STRBUF_INIT; + struct strbuf hint = STRBUF_INIT; + +#ifdef __MINGW32__ + if (!git_env_bool("GIT_TEST_DEBUG_UNSAFE_DIRECTORIES", 0)) + strbuf_addstr(&hint, + _("\n\nSet the environment variable " + "GIT_TEST_DEBUG_UNSAFE_DIRECTORIES=true " + "and run\n" + "again for more information.")); +#endif sq_quote_buf_pretty("ed, dir.buf); die(_("detected dubious ownership in repository at '%s'\n" "To add an exception for this directory, call:\n" "\n" "\tgit config --global --add safe.directory %s"), - dir.buf, quoted.buf); + "\tgit config --global --add safe.directory %s%s"), + dir.buf, quoted.buf, hint.buf); } *nongit_ok = 1; break;

From patchwork Wed Jul 13 08:17:16 2022
X-Patchwork-Submitter: Johannes Schindelin
X-Patchwork-Id: 12916248
Date: Wed, 13 Jul 2022 08:17:16 +0000
Subject: [PATCH 2/3] mingw: handle a file owned by the Administrators group correctly
To: git@vger.kernel.org
Cc: Johannes Schindelin, Johannes Schindelin
From: Johannes Schindelin

From: Johannes Schindelin

When an Administrator creates a file or directory, the created file/directory is owned not by the Administrator SID, but by the _Administrators Group_ SID. The reason is that users with administrator privileges usually run in unprivileged ("non-elevated") mode, and their user SID does not change when running in elevated mode.

This is relevant e.g. when running a GitHub workflow on a build agent, which runs in elevated mode: cloning a Git repository in a script step will cause the worktree to be owned by the Administrators Group SID, for example.

Let's handle this case as follows: if the current user is an administrator, Git should consider a worktree owned by the Administrators Group as if it were owned by said user.

Signed-off-by: Johannes Schindelin
---
 compat/mingw.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/compat/mingw.c b/compat/mingw.c index 912444fb3ab..e0e020ee574 100644 --- a/compat/mingw.c +++ b/compat/mingw.c @@ -2669,6 +2669,7 @@ int is_path_owned_by_current_sid(const char *path) else if (sid && IsValidSid(sid)) { /* Now, verify that the SID matches the current user's */ static PSID current_user_sid; + BOOL is_member; if (!current_user_sid) current_user_sid = get_current_user_sid();
@@ -2677,6 +2678,15 @@ int is_path_owned_by_current_sid(const char *path) IsValidSid(current_user_sid) && EqualSid(sid, current_user_sid)) result = 1; + else if (IsWellKnownSid(sid, WinBuiltinAdministratorsSid) && + CheckTokenMembership(NULL, sid, &is_member) && + is_member) + /* + * If owned by the Administrators group, and the + * current user is an administrator, we consider that + * okay, too. + */ + result = 1; else if (git_env_bool("GIT_TEST_DEBUG_UNSAFE_DIRECTORIES", 0)) { LPSTR str1, str2, to_free1 = NULL, to_free2 = NULL;

From patchwork Wed Jul 13 08:17:17 2022
X-Patchwork-Submitter: Johannes Schindelin
X-Patchwork-Id: 12916249
Date: Wed, 13 Jul 2022 08:17:17 +0000
Subject: [PATCH 3/3] mingw: be more informative when ownership check fails on FAT32
To: git@vger.kernel.org
Cc: Johannes Schindelin, Johannes Schindelin
From: Johannes Schindelin

From: Johannes Schindelin

The FAT file system has no concept of ACLs. Therefore, it cannot store any ownership information anyway, and the `GetNamedSecurityInfoW()` call pretends that everything is owned "by the world".

Let's special-case that scenario and tell the user what's going on, at least when they set `GIT_TEST_DEBUG_UNSAFE_DIRECTORIES`.

This addresses https://github.com/git-for-windows/git/issues/3886

Signed-off-by: Johannes Schindelin
---
 compat/mingw.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/compat/mingw.c b/compat/mingw.c index e0e020ee574..4144d6247bd 100644 --- a/compat/mingw.c +++ b/compat/mingw.c @@ -2630,6 +2630,21 @@ static PSID get_current_user_sid(void) return result; } +static int acls_supported(const char *path) +{ + size_t offset = offset_1st_component(path); + WCHAR wroot[MAX_PATH]; + DWORD file_system_flags; + + if (offset && + xutftowcsn(wroot, path, MAX_PATH, offset) > 0 && + GetVolumeInformationW(wroot, NULL, 0, NULL, NULL, + &file_system_flags, NULL, 0)) + return !!(file_system_flags & FILE_PERSISTENT_ACLS); + + return 0; +} + int is_path_owned_by_current_sid(const char *path) { WCHAR wpath[MAX_PATH]; @@ -2687,7 +2702,14 @@ int is_path_owned_by_current_sid(const char *path) * okay, too. */ result = 1; - else if (git_env_bool("GIT_TEST_DEBUG_UNSAFE_DIRECTORIES", 0)) { + else if (IsWellKnownSid(sid, WinWorldSid) && + git_env_bool("GIT_TEST_DEBUG_UNSAFE_DIRECTORIES", 0) && + !acls_supported(path)) { + /* + * On FAT32 volumes, ownership is not actually recorded. + */ + warning("'%s' is on a file system that does not record ownership", path); + } else if (git_env_bool("GIT_TEST_DEBUG_UNSAFE_DIRECTORIES", 0)) { LPSTR str1, str2, to_free1 = NULL, to_free2 = NULL; if (ConvertSidToStringSidA(sid, &str1))
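
Review bot: In [PATCH 1/3], the Documentation/config/safe.txt hunk tells end users to set `GIT_TEST_DEBUG_UNSAFE_DIRECTORIES`, but the `GIT_TEST_` prefix reads as a test-suite knob rather than a supported diagnostic. Either choose a name without `TEST` or state in the added paragraph that the variable only adds diagnostic output and does not change which directories are trusted. The paragraph also says the variable must be set to `true`, while both call sites read it with `git_env_bool(..., 0)`; "set to a true value" would match the code.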
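
Review bot: In [PATCH 1/3], compat/mingw.c, the new debug branch assigns string literals such as `"(inconvertible)"` and `"(none)"` to `str1` and `str2`, which are declared as writable `LPSTR`. Since `to_free1` and `to_free2` already hold the allocations, pass those to `ConvertSidToStringSidA()` and keep the display pointers as `const char *`. The `warning()` text in the same branch is not wrapped in `_()`, unlike the hint added to setup.c in this patch; if that is deliberate for debug output, a short comment would say so.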
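
Review bot: In [PATCH 1/3], setup.c, the hint is appended after the `git config --global --add safe.directory` line via `%s%s`, so the user is offered the exception first and the way to find out why the directory was flagged second. Consider putting the hint ahead of the exception command so the diagnosis comes before the decision to trust the directory. The hint is also guarded by `#ifdef __MINGW32__` while `hint` is declared unconditionally; if compat/mingw.c is compiled by any other Windows toolchain, that build gets the debug branch but never the pointer to it.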
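
Review bot: In [PATCH 2/3], second hunk, the comment says "the current user is an administrator", but `CheckTokenMembership(NULL, sid, &is_member)` tests whether the group SID is enabled in the calling thread's token, which is narrower: a member of the group running non-elevated carries it as deny-only and will not pass. That matches the elevated build-agent case in the commit message, so the comment should say "is running with the Administrators group enabled" or similar. The diffstat shows only compat/mingw.c changing, yet trust now extends from one user SID to anything owned by the Administrators group; a sentence in Documentation/config/safe.txt would tell users why such a worktree is accepted.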
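
Review bot: In [PATCH 3/3], `acls_supported()` returns 0 both when the volume lacks `FILE_PERSISTENT_ACLS` and when `offset_1st_component()`, `xutftowcsn()` or `GetVolumeInformationW()` fails, so the caller cannot tell "no ACLs" from "could not find out". Because the only caller prints "does not record ownership" on `!acls_supported(path)`, a failed query produces a wrong diagnosis. Return a distinct value on failure, or treat failure as "supported", so that case falls through to the SID dump instead.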
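
Review bot: In [PATCH 3/3], second hunk, the warning in the `WinWorldSid` branch stops at "does not record ownership" and leaves the consequence unstated. It would help to say that ownership cannot be verified on this volume, so the reader understands that a `safe.directory` exception there means trusting whatever is on the volume. The comment also names FAT32 while the test is `!acls_supported(path)`, which covers any volume without persistent ACLs; "On volumes without ACL support (e.g. FAT32)" would match the condition.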