From d51e1dff980b9fc87002436b6ab36120a39816b1 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Mon, 8 Aug 2022 13:27:46 +0000 Subject: [PATCH 1/5] setup: fix some formatting In preparation for touching code that was introduced in 3b0bf2704980 (setup: tighten ownership checks post CVE-2022-24765, 2022-05-10) and that was formatted differently than preferred in the Git project, fix the indentation before actually modifying the code. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- setup.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/setup.c b/setup.c index 7f64f34477..0fdecec32e 100644 --- a/setup.c +++ b/setup.c @@ -1138,7 +1138,7 @@ static int safe_directory_cb(const char *key, const char *value, void *d) * added, for bare ones their git directory. */ static int ensure_valid_ownership(const char *gitfile, - const char *worktree, const char *gitdir) + const char *worktree, const char *gitdir) { struct safe_directory_data data = { .path = worktree ? worktree : gitdir @@ -1271,10 +1271,11 @@ static enum discovery_result setup_git_directory_gently_1(struct strbuf *dir, strbuf_setlen(dir, offset); if (gitdirenv) { enum discovery_result ret; + const char *gitdir_candidate = + gitdir_path ? gitdir_path : gitdirenv; - if (ensure_valid_ownership(gitfile, - dir->buf, - (gitdir_path ? gitdir_path : gitdirenv))) { + if (ensure_valid_ownership(gitfile, dir->buf, + gitdir_candidate)) { strbuf_addstr(gitdir, gitdirenv); ret = GIT_DIR_DISCOVERED; } else From 17d3883fe9c88b823002ad9fafb42313ddc3d3d5 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Mon, 8 Aug 2022 13:27:47 +0000 Subject: [PATCH 2/5] setup: prepare for more detailed "dubious ownership" messages When verifying the ownership of the Git directory, we sometimes would like to say a bit more about it, e.g. when using a platform-dependent code path (think: Windows has the permission model that is so different from Unix'), but only when it is a appropriate to actually say something. To allow for that, collect that information and hand it back to the caller (whose responsibility it is to show it or not). Note: We do not actually fill in any platform-dependent information yet, this commit just adds the infrastructure to be able to do so. Based-on-an-idea-by: Junio C Hamano Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- compat/mingw.c | 2 +- compat/mingw.h | 2 +- git-compat-util.h | 5 ++++- setup.c | 25 +++++++++++++++---------- 4 files changed, 21 insertions(+), 13 deletions(-) diff --git a/compat/mingw.c b/compat/mingw.c index 2607de93af..f12b7df16d 100644 --- a/compat/mingw.c +++ b/compat/mingw.c @@ -2673,7 +2673,7 @@ static PSID get_current_user_sid(void) return result; } -int is_path_owned_by_current_sid(const char *path) +int is_path_owned_by_current_sid(const char *path, struct strbuf *report) { WCHAR wpath[MAX_PATH]; PSID sid = NULL; diff --git a/compat/mingw.h b/compat/mingw.h index a74da68f31..209cf7ceba 100644 --- a/compat/mingw.h +++ b/compat/mingw.h @@ -463,7 +463,7 @@ char *mingw_query_user_email(void); * Verifies that the specified path is owned by the user running the * current process. */ -int is_path_owned_by_current_sid(const char *path); +int is_path_owned_by_current_sid(const char *path, struct strbuf *report); #define is_path_owned_by_current_user is_path_owned_by_current_sid /** diff --git a/git-compat-util.h b/git-compat-util.h index 58d7708296..36a25ae252 100644 --- a/git-compat-util.h +++ b/git-compat-util.h @@ -23,6 +23,9 @@ #include #endif +struct strbuf; + + #define _FILE_OFFSET_BITS 64 @@ -487,7 +490,7 @@ static inline void extract_id_from_env(const char *env, uid_t *id) } } -static inline int is_path_owned_by_current_uid(const char *path) +static inline int is_path_owned_by_current_uid(const char *path, struct strbuf *report) { struct stat st; uid_t euid; diff --git a/setup.c b/setup.c index 0fdecec32e..ddcf6eb603 100644 --- a/setup.c +++ b/setup.c @@ -1138,16 +1138,17 @@ static int safe_directory_cb(const char *key, const char *value, void *d) * added, for bare ones their git directory. */ static int ensure_valid_ownership(const char *gitfile, - const char *worktree, const char *gitdir) + const char *worktree, const char *gitdir, + struct strbuf *report) { struct safe_directory_data data = { .path = worktree ? worktree : gitdir }; if (!git_env_bool("GIT_TEST_ASSUME_DIFFERENT_OWNER", 0) && - (!gitfile || is_path_owned_by_current_user(gitfile)) && - (!worktree || is_path_owned_by_current_user(worktree)) && - (!gitdir || is_path_owned_by_current_user(gitdir))) + (!gitfile || is_path_owned_by_current_user(gitfile, report)) && + (!worktree || is_path_owned_by_current_user(worktree, report)) && + (!gitdir || is_path_owned_by_current_user(gitdir, report))) return 1; /* @@ -1187,6 +1188,7 @@ enum discovery_result { */ static enum discovery_result setup_git_directory_gently_1(struct strbuf *dir, struct strbuf *gitdir, + struct strbuf *report, int die_on_error) { const char *env_ceiling_dirs = getenv(CEILING_DIRECTORIES_ENVIRONMENT); @@ -1275,7 +1277,7 @@ static enum discovery_result setup_git_directory_gently_1(struct strbuf *dir, gitdir_path ? gitdir_path : gitdirenv; if (ensure_valid_ownership(gitfile, dir->buf, - gitdir_candidate)) { + gitdir_candidate, report)) { strbuf_addstr(gitdir, gitdirenv); ret = GIT_DIR_DISCOVERED; } else @@ -1298,7 +1300,7 @@ static enum discovery_result setup_git_directory_gently_1(struct strbuf *dir, } if (is_git_directory(dir->buf)) { - if (!ensure_valid_ownership(NULL, NULL, dir->buf)) + if (!ensure_valid_ownership(NULL, NULL, dir->buf, report)) return GIT_DIR_INVALID_OWNERSHIP; strbuf_addstr(gitdir, "."); return GIT_DIR_BARE; @@ -1331,7 +1333,7 @@ int discover_git_directory(struct strbuf *commondir, return -1; cwd_len = dir.len; - if (setup_git_directory_gently_1(&dir, gitdir, 0) <= 0) { + if (setup_git_directory_gently_1(&dir, gitdir, NULL, 0) <= 0) { strbuf_release(&dir); return -1; } @@ -1378,7 +1380,7 @@ int discover_git_directory(struct strbuf *commondir, const char *setup_git_directory_gently(int *nongit_ok) { static struct strbuf cwd = STRBUF_INIT; - struct strbuf dir = STRBUF_INIT, gitdir = STRBUF_INIT; + struct strbuf dir = STRBUF_INIT, gitdir = STRBUF_INIT, report = STRBUF_INIT; const char *prefix = NULL; struct repository_format repo_fmt = REPOSITORY_FORMAT_INIT; @@ -1403,7 +1405,7 @@ const char *setup_git_directory_gently(int *nongit_ok) die_errno(_("Unable to read current working directory")); strbuf_addbuf(&dir, &cwd); - switch (setup_git_directory_gently_1(&dir, &gitdir, 1)) { + switch (setup_git_directory_gently_1(&dir, &gitdir, &report, 1)) { case GIT_DIR_EXPLICIT: prefix = setup_explicit_git_dir(gitdir.buf, &cwd, &repo_fmt, nongit_ok); break; @@ -1435,12 +1437,14 @@ const char *setup_git_directory_gently(int *nongit_ok) if (!nongit_ok) { struct strbuf quoted = STRBUF_INIT; + strbuf_complete(&report, '\n'); sq_quote_buf_pretty("ed, dir.buf); die(_("detected dubious ownership in repository at '%s'\n" + "%s" "To add an exception for this directory, call:\n" "\n" "\tgit config --global --add safe.directory %s"), - dir.buf, quoted.buf); + dir.buf, report.buf, quoted.buf); } *nongit_ok = 1; break; @@ -1519,6 +1523,7 @@ const char *setup_git_directory_gently(int *nongit_ok) strbuf_release(&dir); strbuf_release(&gitdir); + strbuf_release(&report); clear_repository_format(&repo_fmt); return prefix; From e883e04b68ba7393029bcbeaa2aacb3dff5d3fbd Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Mon, 8 Aug 2022 13:27:48 +0000 Subject: [PATCH 3/5] mingw: provide details about unsafe directories' ownership When Git refuses to use an existing repository because it is owned by someone else than the current user, it can be a bit tricky on Windows to figure out what is going on. Let's help with that by providing more detailed information. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- compat/mingw.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/compat/mingw.c b/compat/mingw.c index f12b7df16d..2c09c5bffe 100644 --- a/compat/mingw.c +++ b/compat/mingw.c @@ -1,6 +1,7 @@ #include "../git-compat-util.h" #include "win32.h" #include +#include #include #include #include "../strbuf.h" @@ -2720,6 +2721,29 @@ int is_path_owned_by_current_sid(const char *path, struct strbuf *report) IsValidSid(current_user_sid) && EqualSid(sid, current_user_sid)) result = 1; + else if (report) { + LPSTR str1, str2, to_free1 = NULL, to_free2 = NULL; + + if (ConvertSidToStringSidA(sid, &str1)) + to_free1 = str1; + else + str1 = "(inconvertible)"; + + if (!current_user_sid) + str2 = "(none)"; + else if (!IsValidSid(current_user_sid)) + str2 = "(invalid)"; + else if (ConvertSidToStringSidA(current_user_sid, &str2)) + to_free2 = str2; + else + str2 = "(inconvertible)"; + strbuf_addf(report, + "'%s' is owned by:\n" + "\t'%s'\nbut the current user is:\n" + "\t'%s'\n", path, str1, str2); + LocalFree(to_free1); + LocalFree(to_free2); + } } /* From 7c83470e64eadab74689427fcd95e72f0a772ab5 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Mon, 8 Aug 2022 13:27:49 +0000 Subject: [PATCH 4/5] mingw: be more informative when ownership check fails on FAT32 The FAT file system has no concept of ACLs. Therefore, it cannot store any ownership information anyway, and the `GetNamedSecurityInfoW()` call pretends that everything is owned "by the world". Let's special-case that scenario and tell the user what's going on. This addresses https://github.com/git-for-windows/git/issues/3886 Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- compat/mingw.c | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/compat/mingw.c b/compat/mingw.c index 2c09c5bffe..22f960c7e3 100644 --- a/compat/mingw.c +++ b/compat/mingw.c @@ -2674,6 +2674,21 @@ static PSID get_current_user_sid(void) return result; } +static int acls_supported(const char *path) +{ + size_t offset = offset_1st_component(path); + WCHAR wroot[MAX_PATH]; + DWORD file_system_flags; + + if (offset && + xutftowcsn(wroot, path, MAX_PATH, offset) > 0 && + GetVolumeInformationW(wroot, NULL, 0, NULL, NULL, + &file_system_flags, NULL, 0)) + return !!(file_system_flags & FILE_PERSISTENT_ACLS); + + return 0; +} + int is_path_owned_by_current_sid(const char *path, struct strbuf *report) { WCHAR wpath[MAX_PATH]; @@ -2721,7 +2736,15 @@ int is_path_owned_by_current_sid(const char *path, struct strbuf *report) IsValidSid(current_user_sid) && EqualSid(sid, current_user_sid)) result = 1; - else if (report) { + else if (report && + IsWellKnownSid(sid, WinWorldSid) && + !acls_supported(path)) { + /* + * On FAT32 volumes, ownership is not actually recorded. + */ + strbuf_addf(report, "'%s' is on a file system that does" + "not record ownership\n", path); + } else if (report) { LPSTR str1, str2, to_free1 = NULL, to_free2 = NULL; if (ConvertSidToStringSidA(sid, &str1)) From 3f7207e2ea967fd2b46d9e0ae85246e93b38ed58 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Mon, 8 Aug 2022 13:27:50 +0000 Subject: [PATCH 5/5] mingw: handle a file owned by the Administrators group correctly When an Administrator creates a file or directory, the created file/directory is owned not by the Administrator SID, but by the _Administrators Group_ SID. The reason is that users with administrator privileges usually run in unprivileged ("non-elevated") mode, and their user SID does not change when running in elevated mode. This is is relevant e.g. when running a GitHub workflow on a build agent, which runs in elevated mode: cloning a Git repository in a script step will cause the worktree to be owned by the Administrators Group SID, for example. Let's handle this case as following: if the current user is an administrator, Git should consider a worktree owned by the Administrators Group as if it were owned by said user. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- compat/mingw.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/compat/mingw.c b/compat/mingw.c index 22f960c7e3..7aa9318db7 100644 --- a/compat/mingw.c +++ b/compat/mingw.c @@ -2728,6 +2728,7 @@ int is_path_owned_by_current_sid(const char *path, struct strbuf *report) else if (sid && IsValidSid(sid)) { /* Now, verify that the SID matches the current user's */ static PSID current_user_sid; + BOOL is_member; if (!current_user_sid) current_user_sid = get_current_user_sid(); @@ -2736,6 +2737,15 @@ int is_path_owned_by_current_sid(const char *path, struct strbuf *report) IsValidSid(current_user_sid) && EqualSid(sid, current_user_sid)) result = 1; + else if (IsWellKnownSid(sid, WinBuiltinAdministratorsSid) && + CheckTokenMembership(NULL, sid, &is_member) && + is_member) + /* + * If owned by the Administrators group, and the + * current user is an administrator, we consider that + * okay, too. + */ + result = 1; else if (report && IsWellKnownSid(sid, WinWorldSid) && !acls_supported(path)) {