Hi Carlo, On Mon, 25 Apr 2022, Carlo Marcelo Arenas Belón wrote: > On Mon, Apr 25, 2022 at 12:02:45AM -0700, Carlo Marcelo Arenas Belón wrote: > > On Sun, Apr 24, 2022 at 11:39:27PM -0700, Junio C Hamano wrote: > > > Carlo Marcelo Arenas Belón writes: > > > > > > > At that point, though you might as well excempt root from this check > > > > > > But "root" or any higher-valued account is what needs this kind of > > > protection the most, no? > > > > correct, and I didn't meant to excempt root from the protection, but > > from the check that requires that the config file ownership matches. > > > > if the config file is owned by root, we already lost, regardless of what > > uid git is running as. > > apologies for my confusing english, hopefully this C is clearer > > diff --git a/git-compat-util.h b/git-compat-util.h > index 58fd813bd01..6a385be7d1d 100644 > --- a/git-compat-util.h > +++ b/git-compat-util.h > @@ -440,9 +440,19 @@ static inline int git_offset_1st_component(const char *path) > static inline int is_path_owned_by_current_uid(const char *path) > { > struct stat st; > + uid_t euid; > + > if (lstat(path, &st)) > return 0; > - return st.st_uid == geteuid(); > + > + euid = geteuid(); > + if (!euid && st.st_uid && isatty(0)) { > + struct stat ttyst; > + if (!stat(ttyname(0), &ttyst)) > + euid = ttyst.st_uid; > + } > + > + return st.st_uid == euid; > } > > #define is_path_owned_by_current_user is_path_owned_by_current_uid > > it uses stdin instead not to fall in the issue that was raised by > Gábor, but I am affraid that it might need to check all stdnandles for > a valid tty to be safe, and it looking even more complex. Maybe a better idea for the `sudo` scenario would be to make use of `SUDO_UID` (assuming that no adversary can gain control over the user's environment variables)? Ciao, Dscho