348 points dgl | 1 comments
Lockal ◴[] No.44503273[source]
"trivial modification of an existing exploit"...

Why does git not use Landlock? I know it is Linux-only, but why? "git clone" should only have r/o access to config directory and r/w to clone directory. And no subprocesses. In every exploit demo: "Yep, <s>it goes to a square hole</s> it launches a calculator".

replies(3): >>44503412 #>>44504345 #>>44506823 #
TheDong ◴[] No.44503412[source]
> no subprocesses

I guess you're okay with breaking all git hooks, including post-checkout, because those are subprocesses as a feature.

You can always run your git operations in a container with seccomp or such if you're not using any of the many features that it breaks.

replies(1): >>44503646 #
Spivak ◴[] No.44503646[source]
This would also break custom commands. Which, if you don't know about it, is a pretty cool feature.

Drop a git-something executable in your path and you can execute it as git something.

replies(1): >>44503677 #
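
The lookup described in the comment above means every executable named `git-<name>` on PATH is reachable as `git <name>`, so it helps to know what a given PATH exposes and whether the directories holding those files are writable by other accounts. The script below is an added example, not part of the thread; `list_git_externals`, `make_sample` and the sample files are names constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): inventory external git subcommands.

# list_git_externals PATH_STRING
# Prints "<subcommand> <file> <ok|writable-dir>" for every executable named
# git-<subcommand> found in the directories of PATH_STRING.
list_git_externals() {
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        IFS=$old_ifs
        [ -d "$dir" ] || continue          # skips empty and missing entries
        # Characters 6 and 9 of the ls mode string are group/other write.
        case $(ls -ld -- "$dir" | cut -c1-10) in
            ?????w*|????????w*) status=writable-dir ;;
            *) status=ok ;;
        esac
        for f in "$dir"/git-*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            printf '%s %s %s\n' "${f##*/git-}" "$f" "$status"
        done
    done
    IFS=$old_ifs
}

# Constructed sample layout: one private directory, one world-writable one,
# and a non-executable git-notes file that must not be reported.
make_sample() {
    root=$(mktemp -d)
    mkdir "$root/safe" "$root/shared"
    chmod 755 "$root/safe"
    chmod 777 "$root/shared"
    printf '#!/bin/sh\necho hello\n'  > "$root/safe/git-hello"
    printf '#!/bin/sh\necho deploy\n' > "$root/shared/git-deploy"
    printf 'plain text\n'             > "$root/safe/git-notes"
    chmod 755 "$root/safe/git-hello" "$root/shared/git-deploy"
    chmod 644 "$root/safe/git-notes"
    printf '%s\n' "$root"
}

sample=$(make_sample)
list_git_externals "$sample/safe:$sample/shared"
rm -rf "$sample"
```

Running `list_git_externals "$PATH"` gives the same inventory for the current shell; a `writable-dir` entry means another account could add or replace a subcommand there.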
byearthithatius ◴[] No.44503677[source]
Why is this helpful? Just add the executable itself to path and execute it with "something" instead of "git something". Why are we making git an intermediary? I am kind of stupid and this is genuine.
replies(6): >>44503817 #>>44503825 #>>44503854 #>>44504029 #>>44504157 #>>44504231 #
1. joseda-hg ◴[] No.44503854{3}[source]
Because if it's part of the repo, you don't depend on the host to take the extra step, which, if you're working from ephemeral instances or places where that step would have to be repeated, is a godsend.