* Question: Setting the Email Address in ~/.gitconfig
From: Shreya Malviya @ 2020-06-11 21:25 UTC
To: git

Hi!

I was playing around with git when I realized that it's possible for
me to commit something to a repository as another user (explained a
scenario below for a better understanding of what I mean) and it is
not considered a security vulnerability, understandably so
(https://bounty.github.com/ineligible.html#impersonating_a_user_through_git_email_address).

For example, let's assume I have push access to some repository called
AAA, and my email address is abc@xyz.com. I can simply edit
~/.gitconfig on my system and set the email address as some other
person's email address: def@pqr.com. Then, I make some changes in my
local repository and commit them (reminder: it's with the email
address def@pqr.com since git tracks commits by email address). Now,
if I try to push to the remote repository, it asks for the username
and password. I put mine and since I have push access to AAA, it goes
through. I've successfully pushed commits on behalf of the owner of
the email address: def@pqr.com.

So basically, in this way, I can impersonate people and add commits on
their behalf. BUT AGAIN, this is not considered a vulnerability (link
for reason attached before).

My question:
It would be much easier if git didn't allow changing the email address
so easily. Why hasn't git implemented OAuth, or something of that
sort, for every time that the email address is changed in
~/.gitconfig, yet?

Shreya Malviya

* Re: Question: Setting the Email Address in ~/.gitconfig
From: brian m. carlson @ 2020-06-11 22:52 UTC
To: Shreya Malviya; +Cc: git

On 2020-06-11 at 21:25:45, Shreya Malviya wrote:
> Hi!
>
>
> I was playing around with git when I realized that it's possible for
> me to commit something to a repository as another user (explained a
> scenario below for a better understanding of what I mean) and it is
> not considered a security vulnerability, understandably so
> (https://bounty.github.com/ineligible.html#impersonating_a_user_through_git_email_address).

This is GitHub's bug bounty policy, not Git's, but it is definitely an
intended feature in Git and not a bug. I should point out that they are
separate and independent.

> For example, let's assume I have push access to some repository called
> AAA, and my email address is abc@xyz.com. I can simply edit
> ~/.gitconfig on my system and set the email address as some other
> person's email address: def@pqr.com. Then, I make some changes in my
> local repository and commit them (reminder: it's with the email
> address def@pqr.com since git tracks commits by email address). Now,
> if I try to push to the remote repository, it asks for the username
> and password. I put mine and since I have push access to AAA, it goes
> through. I've successfully pushed commits on behalf of the owner of
> the email address: def@pqr.com.
>
> So basically, in this way, I can impersonate people and add commits on
> their behalf. BUT AGAIN, this is not considered a vulnerability (link
> for reason attached before).

In the Git project, users send patches to a mailing list and those
patches are applied by a maintainer. When the maintainer applies them,
they contain the user's identification and therefore are attributed to
that user as the author. This is a common workflow in patch-based
projects.

Disallowing people from pushing commits that contain another email
address would prevent the maintainer from pushing commits authored by
others, so Git doesn't do that, although it can be configured with push
certificates and a hook if you like.

If you are asking why GitHub attributes commits based on email, you'd
have to ask them. However, be aware that there are projects that are
concerned about commit spoofing, especially corporate projects in
regulated industries, and the way to handle that is to use and require
commit signing.

> My question:
> It would be much easier if git didn't allow changing the email address
> so easily. Why hasn't git implemented OAuth, or something of that
> sort, for every time that the email address is changed in
> ~/.gitconfig, yet?

This is a local configuration file, so asking someone to implement OAuth
to change a local configuration file wouldn't be helpful. Many Git
servers are, for example, SSH only, and so OAuth isn't even a
possibility.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204

* Re: Question: Setting the Email Address in ~/.gitconfig
From: Aaron Schrab @ 2020-06-13 0:16 UTC
To: brian m. carlson, Shreya Malviya, git

At 22:52 +0000 11 Jun 2020, "brian m. carlson" <sandals@crustytoothpaste.net> wrote:
>On 2020-06-11 at 21:25:45, Shreya Malviya wrote:
>> My question:
>> It would be much easier if git didn't allow changing the email address
>> so easily. Why hasn't git implemented OAuth, or something of that
>> sort, for every time that the email address is changed in
>> ~/.gitconfig, yet?
>
>This is a local configuration file, so asking someone to implement OAuth
>to change a local configuration file wouldn't be helpful. Many Git
>servers are, for example, SSH only, and so OAuth isn't even a
>possibility.

Beyond that, even if git *did* somehow provide strong authentication of
the configured email address for commits, it's open source software so
people could still quite easily disable that authentication to spoof
commits as other people. They could also use some other software
(possibly that they write themselves) that manipulates a repository
without doing that authentication. While the data is entirely on an
untrusted system (however you want to define trusted), the operator of
that system will always be able to manipulate that data.

The alternative to this would be to require all commits to be
cryptographically signed. But, most projects consider that to be too
much of a burden. After all that only covers who made the changes, while
for many things the content of the changes is much more important.
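
Both replies name required commit signing as the control against spoofed identities. The following is an added example, not part of the thread or of Git itself, of a check that a server-side hook or CI job could run over `git log` output: a commit passes only if its signature status is good and the signing key is bound to the committer address. The allowlist, key fingerprints, hashes and sample log are constructed placeholders; the author field is left unchecked because, in the patch-based workflow described above, the committer legitimately differs from the author.

```shell
#!/bin/sh
# Added example. Input: one line per commit, as printed by
#   git log --format='%H|%G?|%GF|%ce' <range>
# %G? = signature status (G good, B bad, N none, ...), %GF = signing key
# fingerprint (empty if unsigned), %ce = committer email (self-asserted).

# Constructed placeholder fingerprints, paired with the thread's example addresses.
KEY_ABC=AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
KEY_DEF=BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222
# Hypothetical allowlist: "<fingerprint> <committer email>", one pair per line.
TRUSTED_KEYS="$KEY_ABC abc@xyz.com
$KEY_DEF def@pqr.com"

# Prints "REJECT <hash> <reason>" for each failing commit; returns 1 if any failed.
audit_commits() {
    audit_rc=0
    # '|' is a non-whitespace separator, so an empty fingerprint stays an empty field.
    while IFS='|' read -r hash sig fpr email; do
        [ -n "$hash" ] || continue
        if [ "$sig" != "G" ]; then
            # Unsigned, bad, expired, revoked or unverifiable signature.
            echo "REJECT $hash signature-status=$sig committer=$email"
            audit_rc=1
        elif ! printf '%s\n' "$TRUSTED_KEYS" | grep -qxF -e "$fpr $email"; then
            # Valid signature, but from a key not bound to the claimed address.
            echo "REJECT $hash key-not-bound-to committer=$email"
            audit_rc=1
        fi
    done
    return "$audit_rc"
}

# Constructed sample log (not real commits): one valid commit, one unsigned
# commit that only sets the address in ~/.gitconfig, one signed with another
# person's key, and one with a bad signature.
SAMPLE_LOG="1111111111111111111111111111111111111111|G|$KEY_ABC|abc@xyz.com
2222222222222222222222222222222222222222|N||def@pqr.com
3333333333333333333333333333333333333333|G|$KEY_ABC|def@pqr.com
4444444444444444444444444444444444444444|B|$KEY_DEF|def@pqr.com"

printf '%s\n' "$SAMPLE_LOG" | audit_commits || echo "policy violations found"
```

Status `G` is only reported when the verifying machine's keyring holds and trusts the signer's key, so the keyring on the server or CI runner is part of the policy.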