From: Taylor Blau <me@ttaylorr.com>
To: git@vger.kernel.org
Subject: [TOPIC 8/8] Using Git securely in shared services
Date: Thu, 29 Sep 2022 15:22:13 -0400 [thread overview]
Message-ID: <YzXwZQbM69eNJfm7@nand.local> (raw)
In-Reply-To: <YzXvMRc6X60kjVeY@nand.local>
How to run git securely in shared services (Kevin)
- Kevin: What do we think about GIt on a shared device? e.g. Git trusts
the repo more than the global config, but the repo might not be
trustable. What do we think of, say, inverting this precedence?
- bmc: Repo config overriding global config is an important feature we
should not lose. But I could imagine some global option that affects
that behavior — making it very explicit, on that particular machine.
- Stolee: I wrote an email to the mailing list months ago about this
subject. Title "What is Git's security boundary?" Concrete proposal:
anything that executes an executable could go through a hook that is
installed at the global or system level, and local config can refer to
that. E.g. "please run vim, which has been controlled at the system
level".
- I got zero traction, but there's some prior art.
- Taylor: We think of Git as special in this way. For "make", we
wouldn't ask this same question.
- Jrnieder: With "make", it's very clear to users that arbitrary
commands might be run, but users don't have that same expectation when
just browsing code.
- Taylor: We could create a mode that ignores repo config, and that
makes prompts safer. But we're inherently make-like.
- Jrnieder: That's obvious to us, but not to most users. I think we're
quite far from having Git's security model match users' mental model
and I think it's hard to change the behavior but would be even harder
to change users' mental model in this example.
- Jrnieder. I wish we could separate out "repo properties" from "actual
config": keep my user preferences separate from the things that Git
needs to run.
- Ævar: Emacs has solved this. Emacs can run arbitrary code for all
kinds of things, but it prompts users to approve the code first. We
could allowlist harmless config, and then only prompt users for
sketchy things. Taylor: This kind of allowlisting sounds impossible
though. Bmc: Can we do this just for core.repositoryformat and
extensions.-?
- (much spirited discussion, did not hear)
- JTan: If we want repositories to still be movable, how would we
maintain this allowlist?
- Ævar: There are ways to do this for just certain variables, or certain
variables in certain paths, etc. We have a lot of space to do the
right thing.
- Bmc: It's important to make this behavior configurable from the
command line.
- Ævar: I was experimenting with this because I wanted a way to have
config in-repo. It would be very useful even if we could only control
a subset of config
- Jrnieder: We already have some defense against hooks-and-config in
special cases e.g. uploadpack doesn't trust the local repo's hooks.
Suppose we have completely solved the problem of protecting against
those; are we comfortable with changing the threat model to encompass
normal commands in local repositories?
- Peff: I think the safest option is to just ignore the in-repo config
altogether. Johannes: But the unsafe thing isn't parsing the repo,
it's executing code. We could just shift the boundary to "don't
execute code outside of safe.directory".
prev parent reply other threads:[~2022-09-29 19:22 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-29 19:17 Notes from the Git Contributor's Summit, 2022 Taylor Blau
2022-09-29 19:19 ` [TOPIC 1/8] Bundle URIs Taylor Blau
2022-09-29 19:19 ` [TOPIC 2/8] State of SHA-256 transition Taylor Blau
2022-09-29 19:20 ` [TOPIC 3/8] Merge ORT timeline Taylor Blau
2022-09-29 19:20 ` [TOPIC 4/8] Commit `--filter`'s Taylor Blau
2022-09-29 19:21 ` [TOPIC 5/8] Server side merges and rebases Taylor Blau
2022-09-29 19:21 ` [TOPIC 6/8] State of sparsity work Taylor Blau
2022-09-29 19:21 ` [TOPIC 7/8] Speeding up the connectivity check Taylor Blau
2022-09-29 19:22 ` Taylor Blau [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YzXwZQbM69eNJfm7@nand.local \
--to=me@ttaylorr.com \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).