
In Git, always "sudo" to the daemon user if a daemon user is configured
Closed, Public

Authored by epriestley on Apr 13 2022, 6:23 PM.

Details

Summary

See T13673. Recent versions of Git (and older versions with backported security patches) now refuse to run Git commands if the top-level repository directory is not owned by the user running the command.

Currently, we "sudo" to that user only when performing writes, so upgrading Git can aggressively break a Phabricator system by knocking out essentially all Diffusion/Conduit read pathways.

As an immediate mitigation, just "sudo" in all cases where a daemon user is available. This fixes the problem, and seems like the least-bad approach. The downside is that the web user may theoretically have fewer privileges than the daemon user and this could reduce the number of layers an attacker armed with some other Git vulnerability might have to get through to do something dangerous (e.g., perform a write on a pathway where only reads are expected), but any separation between the web and daemon accounts is essentially theoretical and has never been enforced.

Test Plan

Applied patch to impacted Phacility shard, saw Diffusion work properly again.
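An operator-side check for the condition the summary describes, as an added example that is not part of this revision or of Phabricator's code: it reports whether the account that will run Git (the configured daemon user if there is one, otherwise the current user) owns a repository's top-level directory. The function names are hypothetical, and the check compares only directory ownership; it does not model any exemption configured in Git itself.

```shell
#!/bin/sh
# Added example (hypothetical helper names): find repositories that a
# patched Git would refuse to operate on because of an owner mismatch.

# Print the numeric uid that owns directory $1.
dir_owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# Print the uid that will run Git: the daemon user $1 when one is
# configured (the "always sudo" behaviour), else the current user.
effective_git_uid() {
    if [ -n "$1" ]; then
        id -u "$1"
    else
        id -u
    fi
}

# Print "ok" when uid $2 owns repository directory $1, else "refused".
ownership_verdict() {
    if [ "$(dir_owner_uid "$1")" = "$2" ]; then
        echo ok
    else
        echo refused
    fi
}

# Audit one repository: $1 = repository directory, $2 = configured
# daemon user (empty string when none is configured).
audit_repo() {
    run_uid=$(effective_git_uid "$2" 2>/dev/null) || {
        echo unknown-user
        return 1
    }
    ownership_verdict "$1" "$run_uid"
}
```

Running `audit_repo` over each repository once with an empty daemon user and once with the configured one shows which read pathways break without the "sudo" and which are restored by it.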

Diff Detail

Repository
rP Phabricator
Branch
sudo1
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 25640
Build 35468: arc lint + arc unit