
349 points dgl | 1 comments
Lockal ◴[] No.44503273[source]
"trivial modification of an existing exploit"...

Why does git not use Landlock? I know it is Linux-only, but why? "git clone" should only have r/o access to config directory and r/w to clone directory. And no subprocesses. In every exploit demo: "Yep, <s>it goes to a square hole</s> it launches a calculator".

replies(3): >>44503412 #>>44504345 #>>44506823 #
TheDong ◴[] No.44503412[source]
> no subprocesses

I guess you're okay with breaking all git hooks, including post-checkout, because those are subprocesses as a feature.

You can always run your git operations in a container with seccomp or such if you're not using any of the many features that it breaks.

replies(1): >>44503646 #
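Added example, not part of the thread and not git's own code: a small Linux wrapper that applies the kind of Landlock policy discussed above before exec'ing `git clone`. It grants read and execute on system directories, so git can still spawn its own helpers, and read/write without execute on the clone directory, so files written there cannot be execve()'d. The names `confine_clone` and `allow_tree` and the `/usr`, `/etc` allow-list are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define FS_ALL ((LANDLOCK_ACCESS_FS_MAKE_SYM << 1) - 1)   /* all ABI v1 rights, bits 0..12 */
#define FS_RW  (FS_ALL & ~LANDLOCK_ACCESS_FS_EXECUTE)      /* clone dir: no execve() */
#define FS_RX  (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR)

/* Allow `access` on the directory tree at `path`; returns 0 on success. */
static int allow_tree(int ruleset, const char *path, __u64 access)
{
    struct landlock_path_beneath_attr rule = { .allowed_access = access };
    rule.parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (rule.parent_fd < 0)
        return -1;
    int rc = syscall(SYS_landlock_add_rule, ruleset, LANDLOCK_RULE_PATH_BENEATH, &rule, 0);
    close(rule.parent_fd);
    return rc;
}

/* Returns 0 when confined, 1 when no ruleset can be created (no Landlock), -1 on error. */
int confine_clone(const char *const ro_dirs[], const char *clone_dir)
{
    /* Every handled right is denied everywhere unless a rule below allows it. */
    struct landlock_ruleset_attr attr = { .handled_access_fs = FS_ALL };
    int ruleset = syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (ruleset < 0)
        return 1;
    int rc = allow_tree(ruleset, clone_dir, FS_RW);
    for (int i = 0; rc == 0 && ro_dirs[i]; i++)
        rc = allow_tree(ruleset, ro_dirs[i], FS_RX);
    rc = rc || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)     /* required before restricting */
            || syscall(SYS_landlock_restrict_self, ruleset, 0);
    close(ruleset);
    return rc ? -1 : 0;
}

int main(int argc, char **argv)
{
    static const char *const ro_dirs[] = { "/usr", "/etc", NULL }; /* assumed allow-list */
    if (argc != 3)
        return 2;                          /* usage: wrapper <url> <existing-empty-dir> */
    if (confine_clone(ro_dirs, argv[2]) != 0)
        return 1;                          /* fail closed: never clone unconfined */
    execlp("git", "git", "clone", "--", argv[1], argv[2], (char *)NULL);
    return 127;
}
```

The restriction is inherited by every child process, so helpers that git spawns run under the same rules.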
Spivak ◴[] No.44503646[source]
This would also break custom commands. Which, if you don't know about it, is a pretty cool feature.

Drop a git-something executable in your path and you can execute it as git something.

replies(1): >>44503677 #
byearthithatius ◴[] No.44503677[source]
Why is this helpful? Just add the executable itself to path and execute it with "something" instead of "git something". Why are we making git an intermediary? I am kind of stupid and this is genuine.
replies(6): >>44503817 #>>44503825 #>>44503854 #>>44504029 #>>44504157 #>>44504231 #
1. mkesper ◴[] No.44503825[source]
Because it's thematically a part of a git workflow.