Re: [PATCH v2 1/2] create_default_files(): don't set u+x bit on $GIT_DIR/config

[Torsten Bögershausen]

On 11/17/2014 02:40 AM, Eric Sunshine wrote:

On Sun, Nov 16, 2014 at 2:21 AM, Michael Haggerty  wrote:

Since time immemorial, the test of whether to set "core.filemode" has
been done by trying to toggle the u+x bit on $GIT_DIR/config and then
testing whether the change "took". It is somewhat odd to use the
config file for this test, but whatever.

The test code didn't set the u+x bit back to its original state
itself, instead relying on the subsequent call to git_config_set() to
re-write the config file with correct permissions.

But ever since

 daa22c6f8d config: preserve config file permissions on edits (2014-05-06)

git_config_set() copies the permissions from the old config file to
the new one. This is a good change in and of itself, but it interacts
badly with create_default_files()'s sloppiness, causing "git init" to
leave the executable bit set on $GIT_DIR/config.

So change create_default_files() to reset the permissions on
$GIT_DIR/config after its test.

Signed-off-by: Michael Haggerty 
---

Should this patch include a test in t1300 to ensure that this bug does
not resurface (and to prove that this patch indeed fixes it)?


  builtin/init-db.c | 1 +
  1 file changed, 1 insertion(+)

diff --git a/builtin/init-db.c b/builtin/init-db.c
index 56f85e2..4c8021d 100644
--- a/builtin/init-db.c
+++ b/builtin/init-db.c
@@ -255,6 +255,7 @@ static int create_default_files(const char *template_path)
 filemode = (!chmod(path, st1.st_mode ^ S_IXUSR) &&
 !lstat(path, &st2) &&
 st1.st_mode != st2.st_mode);
+   filemode &= !chmod(path, st1.st_mode);
 }
 git_config_set("core.filemode", filemode ? "true" : "false");

--

Sorry for the late reply, I actually had prepared a complete different patch
for a different problem, but it touches the very same lines of code.

(And we may want to add a
!chmod(path, st1.st_mode & ~S_IXUSR)
at the end of the operation)

There are systems when a file created with 666 have 766, and we
do not handle this situation yet.

Michael, if there is a chance that you integrate my small code changes 
in your patch ?


-

commit 3228bedef6d45bfaf8986b6367f9388738476345
Author: Torsten Bögershausen 
Date:   Sun Oct 19 00:15:00 2014 +0200

Improve the filemode trustability check

Some file systems do not fully support the executable bit:
a) The user executable bit is always 0
b) The user executable bit is always 1
c) Is similar to b):
   When a file is created with mode 0666 the file mode on disc is 766
   and the user executable bit is 1 even if it should be 0 like b)

   There are smbfs implementations where the file mode can be 
maintained

   locally and chmod -x changes the file mode from 0766 to 0666.
   When the file system is unmounted and remounted,
   the file mode is 0766 and executable bit is 1 again.

A typical example for a) is a VFAT drive mounted with -onoexec,
or cifs with -ofile_mode=0644.
b) is VFAT mounted with -oexec or cifs is mounted with -ofile_mode=0755

The behaviour described in c) has been observed when a Windows 
machine with

NTFS exports a share via smb (or afp) to Mac OS X.
(CIFS is an enhanced version of SMB
 The command to mount on the command line may differ,
 e.g mount.cifs under Linux or mount_smbfs under Mac OS X)

Case a) and b) are detected by the current code.
Case c) qualifies as "non trustable executable bit",
and core.filemode should be false by default.

Solution:
Detect when ".git/config" has the user executable bit set after
creat(".git/config", 0666) and set core.filemode to false.

diff --git a/builtin/init-db.c b/builtin/init-db.c
index 587a505..d3e4fb3 100644
--- a/builtin/init-db.c
+++ b/builtin/init-db.c
@@ -249,13 +249,11 @@ static int create_default_files(const char 
*template_path)

 strcpy(path + len, "config");

 /* Check filemode trustability */
-filemode = TEST_FILEMODE;
-if (TEST_FILEMODE && !lstat(path, &st1)) {
-struct stat st2;
-filemode = (!chmod(path, st1.st_mode ^ S_IXUSR) &&
-!lstat(path, &st2) &&
-st1.st_mode != st2.st_mode);
-}
+filemode = TEST_FILEMODE &&
+!lstat(path, &st1) &&!(st1.st_mode & S_IXUSR) &&
+!chmod(path, st1.st_mode | S_IXUSR) &&
+!lstat(path, &st1) && (st1.st_mode & S_IXUSR);
+
 git_config_set("core.filemode", filemode ? "true" : "false");

 if (is_bare_repository())

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2 2/2] config: clear the executable bits (if any) on $GIT_DIR/config

[Michael Haggerty]

On 11/16/2014 09:06 AM, Johannes Sixt wrote:
> Am 16.11.2014 um 08:21 schrieb Michael Haggerty:
>> @@ -559,9 +562,21 @@ int cmd_config(int argc, const char **argv, const char 
>> *prefix)
>>  if (given_config_source.blob)
>>  die("editing blobs is not supported");
>>  git_config(git_default_config, NULL);
>> -launch_editor(given_config_source.file ?
>> -  given_config_source.file : git_path("config"),
>> -  NULL, NULL);
>> +config_file = xstrdup(given_config_source.file ?
>> +  given_config_source.file : 
>> git_path("config"));
>> +launch_editor(config_file, NULL, NULL);
>> +
>> +/*
>> + * In git 2.1, there was a bug in "git init" that left
>> + * the u+x bit set on the config file. To clean up any
>> + * repositories affected by that bug, and just because
>> + * it doesn't make sense for a config file to be
>> + * executable anyway, clear any executable bits from
>> + * the file (on a "best effort" basis):
>> + */
>> +if (!lstat(config_file, &st) && (st.st_mode & 0111))
> 
> At this point we cannot be sure that config_file is a regular file, can
> we? It could also be a symbolic link. Wouldn't plain stat() be more
> correct then?

You make a good point. But I'm a little nervous about following symlinks
and changing permissions on some distant file. Also, the bug that we are
trying clean up after would not have created a symlink in this place, so
I think the cleanup is not so important if "config" is a symlink.

So I suggest that we stick with lstat(), but add S_ISREG(st.st_mode) to
the && chain above. Does that sound reasonable?

>> +chmod(config_file, st.st_mode & 07666);
>> +free(config_file);
>>  }
>>  else if (actions == ACTION_SET) {
>>  int ret;

Michael

-- 
Michael Haggerty
mhag...@alum.mit.edu

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 2/2] config: clear the executable bits (if any) on $GIT_DIR/config

[Michael Haggerty]

On 11/16/2014 07:49 PM, Junio C Hamano wrote:
> Michael Haggerty  writes:
> 
>> There is no reason for $GIT_DIR/config to be executable, plus this
>> change will help clean up repositories affected by the bug that was
>> fixed by the previous commit.
> 
> I do not think we want to do this.
> 
> It is a welcome bugfix to create $GIT_DIR/config without executable
> bit when and only when we create it.  It is very much in line with
> "There is no reason for $GIT_DIR/config to be executable"---we do
> not need to make it executable ourselves, so we shouldn't, but we
> did which was a bug we want to fix in patch 1/2 you posted.
> 
> But with the "preserve existing permissions" fix we did earlier, the
> end users are now allowed to flip the executable bit on for their
> own purpose, and dropping it without knowing why they are doing so
> is simply rude.  And honestly, Git do *not* even want to know why
> the users want to flip the bit.
> 
> So I would suggest not to spend any cycle or any code complexity to
> "repair" existing repositories.  Having that bit on does not hurt
> anybody.  Those who found it curious can flip that bit off and then
> Git with "preserve existing permissions" fix will keep that bit off
> from then on.

I disagree. The point of "preserve existing permissions" was to allow
people to make their config files more readable/writable than the
default, with the main use case being to help users who want to hide
secret information in their config files.

I think it is really far-fetched to imagine that anybody made his config
file executable on purpose. Whereas we are *sure* that we have created
lots of repositories with config files that were set executable by accident.

Let's redefine the "feature" that was added in 2.1 from "preserve
existing permissions" to "preserve existing read/write permissions" and
thereby help people clean up the mess we made.

That being said, I still believe that executable config files are not a
significant risk in practice, so I'm not going to lose sleep about it
either way.

Michael

-- 
Michael Haggerty
mhag...@alum.mit.edu

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 1/1] gitk: po/ru.po russian translation typo fixed

[Alex Kuleshov]

Hello Max and Paul,

thank you for your feedback, so what's must be my next workflow? Resend
patch with "Reviewed-By:..." or somethine else?

--
Best regards.
0xAX
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html