From cdf7368c31ee60db3a21fed152c41e564c90e997 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Fri, 3 Jun 2022 12:04:47 +0000 Subject: [PATCH] new deploy: 2022-06-03T12:04:47+00:00 --- blog/atom.xml | 2 +- blog/unsafe-repository-is-owned-by-someone-else/index.html | 2 +- tags/gitea/atom.xml | 2 +- tags/hostea/atom.xml | 2 +- tags/problem/atom.xml | 2 +- tags/troubleshoot/atom.xml | 2 +- tags/upgrade/atom.xml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/blog/atom.xml b/blog/atom.xml index d17c52a..5325507 100644 --- a/blog/atom.xml +++ b/blog/atom.xml @@ -139,7 +139,7 @@ <p>It is safe to <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs">disable the security check in Gitea</a>. It is not vulnerable to <strong><a href="https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2">CVE-2022-24765</a></strong> because it calls the git CLI <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/command.go#L160">after changing its working directory</a> to be the git repository targeted by the command (for instance <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/diff.go#L38-L45">diff</a>) or a temporary directory. Therefore <strong>it will not explore the parent directories looking for a git configuration file</strong>.</p> <p>The security check is triggered because the repository is owned by an unexpected user (root instead of git typically) and <strong>not because a parent directory is owned by an unexpected user</strong>. This, in itself, is a problem worth investigating but it is unrelated and was revealed by the newer security check of git even though it does not match the threat described in <strong><a href="https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2">CVE-2022-24765</a></strong>.</p> <p>It appears non trivial to enforce a consistent ownership of files and directories, either within docker or outside docker when networked file systems are involved. The Gitea server was not troubled by this inconsistency so far because the permissions allow it to write and read where expected, regardless of the owner. It is not worth looking into but it is ancient and unrelated.</p> -<p>Gitea runs under a dedicated user, either when installed <a href="https://docs.gitea.io/en-us/install-from-binary/#recommended-server-configuration">from binary</a> or from <a href="https://docs.gitea.io/en-us/install-with-docker/">docker</a> and <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/git.go#L196-L207">modifies the global git configuration</a> depending on the git version at initialization time. Fixing the problem can therefore be done by <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs#bcd72ff867cbd1ddd5b6518c3a05b5f1a6021286_209_209">disabling the security check in the global git config file at initialization time</a>. It also requires a minimum version of git 2.36 to be installed, which is the case for Gitea docker images with <a href="https://github.com/go-gitea/gitea/pull/19871">versions &gt;= 1.16.9</a>.</p> +<p>Gitea runs under a dedicated user, either when installed <a href="https://docs.gitea.io/en-us/install-from-binary/#recommended-server-configuration">from binary</a> or from <a href="https://docs.gitea.io/en-us/install-with-docker/">docker</a> and <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/git.go#L196-L207">modifies the global git configuration</a> depending on the git version at initialization time. Fixing the problem can therefore be done by <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs#bcd72ff867cbd1ddd5b6518c3a05b5f1a6021286_209_209">disabling the security check in the global git config file at initialization time</a>. It also requires a minimum version of git 2.36 to be installed, which is the case for Gitea docker images with <a href="https://github.com/go-gitea/gitea/pull/19876">versions &gt;= 1.16.9</a>.</p> diff --git a/blog/unsafe-repository-is-owned-by-someone-else/index.html b/blog/unsafe-repository-is-owned-by-someone-else/index.html index cd57268..bf539c8 100644 --- a/blog/unsafe-repository-is-owned-by-someone-else/index.html +++ b/blog/unsafe-repository-is-owned-by-someone-else/index.html @@ -251,7 +251,7 @@

It is safe to disable the security check in Gitea. It is not vulnerable to CVE-2022-24765 because it calls the git CLI after changing its working directory to be the git repository targeted by the command (for instance diff) or a temporary directory. Therefore it will not explore the parent directories looking for a git configuration file.

The security check is triggered because the repository is owned by an unexpected user (root instead of git typically) and not because a parent directory is owned by an unexpected user. This, in itself, is a problem worth investigating but it is unrelated and was revealed by the newer security check of git even though it does not match the threat described in CVE-2022-24765.

It appears non trivial to enforce a consistent ownership of files and directories, either within docker or outside docker when networked file systems are involved. The Gitea server was not troubled by this inconsistency so far because the permissions allow it to write and read where expected, regardless of the owner. It is not worth looking into but it is ancient and unrelated.

-

Gitea runs under a dedicated user, either when installed from binary or from docker and modifies the global git configuration depending on the git version at initialization time. Fixing the problem can therefore be done by disabling the security check in the global git config file at initialization time. It also requires a minimum version of git 2.36 to be installed, which is the case for Gitea docker images with versions >= 1.16.9.

+

Gitea runs under a dedicated user, either when installed from binary or from docker and modifies the global git configuration depending on the git version at initialization time. Fixing the problem can therefore be done by disabling the security check in the global git config file at initialization time. It also requires a minimum version of git 2.36 to be installed, which is the case for Gitea docker images with versions >= 1.16.9.


diff --git a/tags/gitea/atom.xml b/tags/gitea/atom.xml index 8bbe554..96ebf1a 100644 --- a/tags/gitea/atom.xml +++ b/tags/gitea/atom.xml @@ -139,7 +139,7 @@ <p>It is safe to <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs">disable the security check in Gitea</a>. It is not vulnerable to <strong><a href="https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2">CVE-2022-24765</a></strong> because it calls the git CLI <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/command.go#L160">after changing its working directory</a> to be the git repository targeted by the command (for instance <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/diff.go#L38-L45">diff</a>) or a temporary directory. Therefore <strong>it will not explore the parent directories looking for a git configuration file</strong>.</p> <p>The security check is triggered because the repository is owned by an unexpected user (root instead of git typically) and <strong>not because a parent directory is owned by an unexpected user</strong>. This, in itself, is a problem worth investigating but it is unrelated and was revealed by the newer security check of git even though it does not match the threat described in <strong><a href="https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2">CVE-2022-24765</a></strong>.</p> <p>It appears non trivial to enforce a consistent ownership of files and directories, either within docker or outside docker when networked file systems are involved. The Gitea server was not troubled by this inconsistency so far because the permissions allow it to write and read where expected, regardless of the owner. It is not worth looking into but it is ancient and unrelated.</p> -<p>Gitea runs under a dedicated user, either when installed <a href="https://docs.gitea.io/en-us/install-from-binary/#recommended-server-configuration">from binary</a> or from <a href="https://docs.gitea.io/en-us/install-with-docker/">docker</a> and <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/git.go#L196-L207">modifies the global git configuration</a> depending on the git version at initialization time. Fixing the problem can therefore be done by <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs#bcd72ff867cbd1ddd5b6518c3a05b5f1a6021286_209_209">disabling the security check in the global git config file at initialization time</a>. It also requires a minimum version of git 2.36 to be installed, which is the case for Gitea docker images with <a href="https://github.com/go-gitea/gitea/pull/19871">versions &gt;= 1.16.9</a>.</p> +<p>Gitea runs under a dedicated user, either when installed <a href="https://docs.gitea.io/en-us/install-from-binary/#recommended-server-configuration">from binary</a> or from <a href="https://docs.gitea.io/en-us/install-with-docker/">docker</a> and <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/git.go#L196-L207">modifies the global git configuration</a> depending on the git version at initialization time. Fixing the problem can therefore be done by <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs#bcd72ff867cbd1ddd5b6518c3a05b5f1a6021286_209_209">disabling the security check in the global git config file at initialization time</a>. It also requires a minimum version of git 2.36 to be installed, which is the case for Gitea docker images with <a href="https://github.com/go-gitea/gitea/pull/19876">versions &gt;= 1.16.9</a>.</p> diff --git a/tags/hostea/atom.xml b/tags/hostea/atom.xml index cc108f8..4f88027 100644 --- a/tags/hostea/atom.xml +++ b/tags/hostea/atom.xml @@ -139,7 +139,7 @@ <p>It is safe to <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs">disable the security check in Gitea</a>. It is not vulnerable to <strong><a href="https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2">CVE-2022-24765</a></strong> because it calls the git CLI <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/command.go#L160">after changing its working directory</a> to be the git repository targeted by the command (for instance <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/diff.go#L38-L45">diff</a>) or a temporary directory. Therefore <strong>it will not explore the parent directories looking for a git configuration file</strong>.</p> <p>The security check is triggered because the repository is owned by an unexpected user (root instead of git typically) and <strong>not because a parent directory is owned by an unexpected user</strong>. This, in itself, is a problem worth investigating but it is unrelated and was revealed by the newer security check of git even though it does not match the threat described in <strong><a href="https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2">CVE-2022-24765</a></strong>.</p> <p>It appears non trivial to enforce a consistent ownership of files and directories, either within docker or outside docker when networked file systems are involved. The Gitea server was not troubled by this inconsistency so far because the permissions allow it to write and read where expected, regardless of the owner. It is not worth looking into but it is ancient and unrelated.</p> -<p>Gitea runs under a dedicated user, either when installed <a href="https://docs.gitea.io/en-us/install-from-binary/#recommended-server-configuration">from binary</a> or from <a href="https://docs.gitea.io/en-us/install-with-docker/">docker</a> and <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/git.go#L196-L207">modifies the global git configuration</a> depending on the git version at initialization time. Fixing the problem can therefore be done by <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs#bcd72ff867cbd1ddd5b6518c3a05b5f1a6021286_209_209">disabling the security check in the global git config file at initialization time</a>. It also requires a minimum version of git 2.36 to be installed, which is the case for Gitea docker images with <a href="https://github.com/go-gitea/gitea/pull/19871">versions &gt;= 1.16.9</a>.</p> +<p>Gitea runs under a dedicated user, either when installed <a href="https://docs.gitea.io/en-us/install-from-binary/#recommended-server-configuration">from binary</a> or from <a href="https://docs.gitea.io/en-us/install-with-docker/">docker</a> and <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/git.go#L196-L207">modifies the global git configuration</a> depending on the git version at initialization time. Fixing the problem can therefore be done by <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs#bcd72ff867cbd1ddd5b6518c3a05b5f1a6021286_209_209">disabling the security check in the global git config file at initialization time</a>. It also requires a minimum version of git 2.36 to be installed, which is the case for Gitea docker images with <a href="https://github.com/go-gitea/gitea/pull/19876">versions &gt;= 1.16.9</a>.</p> diff --git a/tags/problem/atom.xml b/tags/problem/atom.xml index 01b729d..4b50992 100644 --- a/tags/problem/atom.xml +++ b/tags/problem/atom.xml @@ -139,7 +139,7 @@ <p>It is safe to <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs">disable the security check in Gitea</a>. It is not vulnerable to <strong><a href="https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2">CVE-2022-24765</a></strong> because it calls the git CLI <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/command.go#L160">after changing its working directory</a> to be the git repository targeted by the command (for instance <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/diff.go#L38-L45">diff</a>) or a temporary directory. Therefore <strong>it will not explore the parent directories looking for a git configuration file</strong>.</p> <p>The security check is triggered because the repository is owned by an unexpected user (root instead of git typically) and <strong>not because a parent directory is owned by an unexpected user</strong>. This, in itself, is a problem worth investigating but it is unrelated and was revealed by the newer security check of git even though it does not match the threat described in <strong><a href="https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2">CVE-2022-24765</a></strong>.</p> <p>It appears non trivial to enforce a consistent ownership of files and directories, either within docker or outside docker when networked file systems are involved. The Gitea server was not troubled by this inconsistency so far because the permissions allow it to write and read where expected, regardless of the owner. It is not worth looking into but it is ancient and unrelated.</p> -<p>Gitea runs under a dedicated user, either when installed <a href="https://docs.gitea.io/en-us/install-from-binary/#recommended-server-configuration">from binary</a> or from <a href="https://docs.gitea.io/en-us/install-with-docker/">docker</a> and <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/git.go#L196-L207">modifies the global git configuration</a> depending on the git version at initialization time. Fixing the problem can therefore be done by <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs#bcd72ff867cbd1ddd5b6518c3a05b5f1a6021286_209_209">disabling the security check in the global git config file at initialization time</a>. It also requires a minimum version of git 2.36 to be installed, which is the case for Gitea docker images with <a href="https://github.com/go-gitea/gitea/pull/19871">versions &gt;= 1.16.9</a>.</p> +<p>Gitea runs under a dedicated user, either when installed <a href="https://docs.gitea.io/en-us/install-from-binary/#recommended-server-configuration">from binary</a> or from <a href="https://docs.gitea.io/en-us/install-with-docker/">docker</a> and <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/git.go#L196-L207">modifies the global git configuration</a> depending on the git version at initialization time. Fixing the problem can therefore be done by <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs#bcd72ff867cbd1ddd5b6518c3a05b5f1a6021286_209_209">disabling the security check in the global git config file at initialization time</a>. It also requires a minimum version of git 2.36 to be installed, which is the case for Gitea docker images with <a href="https://github.com/go-gitea/gitea/pull/19876">versions &gt;= 1.16.9</a>.</p> diff --git a/tags/troubleshoot/atom.xml b/tags/troubleshoot/atom.xml index e7aa9cc..941cad4 100644 --- a/tags/troubleshoot/atom.xml +++ b/tags/troubleshoot/atom.xml @@ -139,7 +139,7 @@ <p>It is safe to <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs">disable the security check in Gitea</a>. It is not vulnerable to <strong><a href="https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2">CVE-2022-24765</a></strong> because it calls the git CLI <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/command.go#L160">after changing its working directory</a> to be the git repository targeted by the command (for instance <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/diff.go#L38-L45">diff</a>) or a temporary directory. Therefore <strong>it will not explore the parent directories looking for a git configuration file</strong>.</p> <p>The security check is triggered because the repository is owned by an unexpected user (root instead of git typically) and <strong>not because a parent directory is owned by an unexpected user</strong>. This, in itself, is a problem worth investigating but it is unrelated and was revealed by the newer security check of git even though it does not match the threat described in <strong><a href="https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2">CVE-2022-24765</a></strong>.</p> <p>It appears non trivial to enforce a consistent ownership of files and directories, either within docker or outside docker when networked file systems are involved. The Gitea server was not troubled by this inconsistency so far because the permissions allow it to write and read where expected, regardless of the owner. It is not worth looking into but it is ancient and unrelated.</p> -<p>Gitea runs under a dedicated user, either when installed <a href="https://docs.gitea.io/en-us/install-from-binary/#recommended-server-configuration">from binary</a> or from <a href="https://docs.gitea.io/en-us/install-with-docker/">docker</a> and <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/git.go#L196-L207">modifies the global git configuration</a> depending on the git version at initialization time. Fixing the problem can therefore be done by <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs#bcd72ff867cbd1ddd5b6518c3a05b5f1a6021286_209_209">disabling the security check in the global git config file at initialization time</a>. It also requires a minimum version of git 2.36 to be installed, which is the case for Gitea docker images with <a href="https://github.com/go-gitea/gitea/pull/19871">versions &gt;= 1.16.9</a>.</p> +<p>Gitea runs under a dedicated user, either when installed <a href="https://docs.gitea.io/en-us/install-from-binary/#recommended-server-configuration">from binary</a> or from <a href="https://docs.gitea.io/en-us/install-with-docker/">docker</a> and <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/git.go#L196-L207">modifies the global git configuration</a> depending on the git version at initialization time. Fixing the problem can therefore be done by <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs#bcd72ff867cbd1ddd5b6518c3a05b5f1a6021286_209_209">disabling the security check in the global git config file at initialization time</a>. It also requires a minimum version of git 2.36 to be installed, which is the case for Gitea docker images with <a href="https://github.com/go-gitea/gitea/pull/19876">versions &gt;= 1.16.9</a>.</p> diff --git a/tags/upgrade/atom.xml b/tags/upgrade/atom.xml index 9750e38..f0dbde0 100644 --- a/tags/upgrade/atom.xml +++ b/tags/upgrade/atom.xml @@ -71,7 +71,7 @@ <p>It is safe to <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs">disable the security check in Gitea</a>. It is not vulnerable to <strong><a href="https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2">CVE-2022-24765</a></strong> because it calls the git CLI <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/command.go#L160">after changing its working directory</a> to be the git repository targeted by the command (for instance <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/diff.go#L38-L45">diff</a>) or a temporary directory. Therefore <strong>it will not explore the parent directories looking for a git configuration file</strong>.</p> <p>The security check is triggered because the repository is owned by an unexpected user (root instead of git typically) and <strong>not because a parent directory is owned by an unexpected user</strong>. This, in itself, is a problem worth investigating but it is unrelated and was revealed by the newer security check of git even though it does not match the threat described in <strong><a href="https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2">CVE-2022-24765</a></strong>.</p> <p>It appears non trivial to enforce a consistent ownership of files and directories, either within docker or outside docker when networked file systems are involved. The Gitea server was not troubled by this inconsistency so far because the permissions allow it to write and read where expected, regardless of the owner. It is not worth looking into but it is ancient and unrelated.</p> -<p>Gitea runs under a dedicated user, either when installed <a href="https://docs.gitea.io/en-us/install-from-binary/#recommended-server-configuration">from binary</a> or from <a href="https://docs.gitea.io/en-us/install-with-docker/">docker</a> and <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/git.go#L196-L207">modifies the global git configuration</a> depending on the git version at initialization time. Fixing the problem can therefore be done by <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs#bcd72ff867cbd1ddd5b6518c3a05b5f1a6021286_209_209">disabling the security check in the global git config file at initialization time</a>. It also requires a minimum version of git 2.36 to be installed, which is the case for Gitea docker images with <a href="https://github.com/go-gitea/gitea/pull/19871">versions &gt;= 1.16.9</a>.</p> +<p>Gitea runs under a dedicated user, either when installed <a href="https://docs.gitea.io/en-us/install-from-binary/#recommended-server-configuration">from binary</a> or from <a href="https://docs.gitea.io/en-us/install-with-docker/">docker</a> and <a href="https://github.com/go-gitea/gitea/blob/main/modules/git/git.go#L196-L207">modifies the global git configuration</a> depending on the git version at initialization time. Fixing the problem can therefore be done by <a href="https://lab.forgefriends.org/forgefriends/forgefriends/-/merge_requests/50/diffs#bcd72ff867cbd1ddd5b6518c3a05b5f1a6021286_209_209">disabling the security check in the global git config file at initialization time</a>. It also requires a minimum version of git 2.36 to be installed, which is the case for Gitea docker images with <a href="https://github.com/go-gitea/gitea/pull/19876">versions &gt;= 1.16.9</a>.</p>