348 points dgl | 1 comments
Lockal ◴[] No.44503273[source]
"trivial modification of an existing exploit"...

Why does git not use Landlock? I know it is Linux-only, but why? "git clone" should only have r/o access to config directory and r/w to clone directory. And no subprocesses. In every exploit demo: "Yep, <s>it goes to a square hole</s> it launches a calculator".

replies(3): >>44503412 #>>44504345 #>>44506823 #
TheDong ◴[] No.44503412[source]
> no subprocesses

I guess you're okay with breaking all git hooks, including post-checkout, because those are subprocesses as a feature.

You can always run your git operations in a container with seccomp or such if you're not using any of the many features that it breaks.

replies(1): >>44503646 #
Spivak ◴[] No.44503646[source]
This would also break custom commands. Which if you don't know about it, is a pretty cool feature.

Drop a git-something executable in your path and you can execute it as git something.

replies(1): >>44503677 #
byearthithatius ◴[] No.44503677[source]
Why is this helpful? Just add the executable itself to path and execute it with "something" instead of "git something". Why are we making git an intermediary? I am kind of stupid and this is genuine.
replies(6): >>44503817 #>>44503825 #>>44503854 #>>44504029 #>>44504157 #>>44504231 #
1. sophacles ◴[] No.44504231{3}[source]
Git itself uses this functionality. On my Ubuntu system the path is `/usr/lib/git-core/` and in it you see all sorts of bins for "git commands", e.g. `git-rm`, `git-mv`, `git-difftool`, etc. A lot of these are just links back to the git binary these days, but many features begin life as a standalone `git-$X` executable, and back in early git days much more functionality was split across executables. (The ones that are now links back to git are largely for scripting purposes, a lot of git "plugins" and various CI type scripts will call `git-mv` rather than trying to get quoting right around calling `git mv` for example.)

It also helps make plugins easier to distribute. I don't want to have to type `git-x` sometimes and `git y` others, and if I want my plugin to get adoption, I really really don't want that. So things like git-lfs, git-annex, etc can easily be distributed, documented as a plugin, and generally be considered as "a part of git", rather than a separate command.

This pattern is also not unique to git. Other software has followed it, notably cargo.
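
Added example, not part of the thread and not git's own code: a small Python audit of the `git-<name>` lookup described above, listing which executables would answer to `git <name>` and whether their directory is writable by other accounts. It assumes the exec path is searched before `PATH`; `find_git_subcommands`, `build_demo` and the directory layout are constructed for illustration.

```python
import os
import stat
import tempfile


def find_git_subcommands(path_dirs, exec_path=None):
    """Return {subcommand: (path, dir_writable_by_others)}; first match wins."""
    found = {}
    # Assumed lookup order: git's exec path first, then each PATH entry.
    for d in ([exec_path] if exec_path else []) + list(path_dirs):
        try:
            entries = sorted(os.listdir(d))
            mode = os.stat(d).st_mode
        except OSError:
            continue  # missing or unreadable PATH entry
        # Group/other write access lets another account plant git-<name> here.
        risky = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
        for entry in entries:
            full = os.path.join(d, entry)
            if not entry.startswith("git-") or entry == "git-":
                continue
            if os.path.isfile(full) and os.access(full, os.X_OK):
                found.setdefault(entry[4:], (full, risky))
    return found


def build_demo():
    """Constructed sample layout, not a real system: three directories."""
    root = tempfile.mkdtemp()
    layout = {
        "core": (0o755, {"git-mv": 0o755}),
        "home_bin": (0o700, {"git-hello": 0o755}),
        "shared": (0o777, {"git-mv": 0o755, "git-sync": 0o755, "git-notes": 0o644}),
    }
    dirs = {}
    for name, (dir_mode, files) in layout.items():
        dirs[name] = os.path.join(root, name)
        os.mkdir(dirs[name])
        for fname, fmode in files.items():
            path = os.path.join(dirs[name], fname)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, fmode)
        os.chmod(dirs[name], dir_mode)
    return dirs


if __name__ == "__main__":
    d = build_demo()
    for name, (path, risky) in sorted(find_git_subcommands([d["home_bin"], d["shared"]], d["core"]).items()):
        print(f"git {name:6} -> {path}{'  [dir writable by others]' if risky else ''}")
```

On a real machine, pass the output of `git --exec-path` as `exec_path` and the split `PATH` as `path_dirs`.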