Commit 7d3fd77d by Johannes Schindelin Committed by Edward Thomson

config: validate ownership of C:\ProgramData\Git\config before using it

When the VirtualStore feature is in effect, it is safe to let random
users write into C:\ProgramData because other users won't see those
files. This seemed to be the case when we introduced support for
C:\ProgramData\Git\config.

However, when that feature is not in effect (which seems to be the case
in newer Windows 10 versions), we'd rather not use those files unless
they come from a trusted source, such as an administrator.

This change imitates the strategy chosen by PowerShell's native OpenSSH
port to Windows regarding host key files: if a system file is owned
neither by an administrator, a system account, or the current user, it
is ignored.
parent 2882803c
...@@ -1111,8 +1111,15 @@ int git_config_find_system(git_buf *path) ...@@ -1111,8 +1111,15 @@ int git_config_find_system(git_buf *path)
int git_config_find_programdata(git_buf *path) int git_config_find_programdata(git_buf *path)
{ {
int ret;
git_buf_sanitize(path); git_buf_sanitize(path);
return git_sysdir_find_programdata_file(path, GIT_CONFIG_FILENAME_PROGRAMDATA); ret = git_sysdir_find_programdata_file(path,
GIT_CONFIG_FILENAME_PROGRAMDATA);
if (ret != GIT_OK)
return ret;
return git_path_validate_system_file_ownership(path->ptr);
} }
int git_config__global_location(git_buf *buf) int git_config__global_location(git_buf *buf)
......
...@@ -14,6 +14,7 @@ ...@@ -14,6 +14,7 @@
#include "win32/w32_buffer.h" #include "win32/w32_buffer.h"
#include "win32/w32_util.h" #include "win32/w32_util.h"
#include "win32/version.h" #include "win32/version.h"
#include <AclAPI.h>
#else #else
#include <dirent.h> #include <dirent.h>
#endif #endif
...@@ -1933,3 +1934,79 @@ int git_path_is_dotgit_attributes(const char *name, size_t len) ...@@ -1933,3 +1934,79 @@ int git_path_is_dotgit_attributes(const char *name, size_t len)
return git_path_is_ntfs_dotgit_attributes(name, len); return git_path_is_ntfs_dotgit_attributes(name, len);
} }
int git_path_validate_system_file_ownership(const char *path)
{
#ifndef GIT_WIN32
GIT_UNUSED(path);
return GIT_OK;
#else
git_win32_path buf;
PSID owner_sid;
PSECURITY_DESCRIPTOR descriptor = NULL;
HANDLE token;
TOKEN_USER *info = NULL;
DWORD err, len;
int ret;
if (git_win32_path_from_utf8(buf, path) < 0)
return -1;
err = GetNamedSecurityInfoW(buf, SE_FILE_OBJECT,
OWNER_SECURITY_INFORMATION |
DACL_SECURITY_INFORMATION,
&owner_sid, NULL, NULL, NULL, &descriptor);
if (err == ERROR_FILE_NOT_FOUND || err == ERROR_PATH_NOT_FOUND) {
ret = GIT_ENOTFOUND;
goto cleanup;
}
if (err != ERROR_SUCCESS) {
giterr_set(GITERR_OS, "failed to get security information");
ret = GIT_ERROR;
goto cleanup;
}
if (!IsValidSid(owner_sid)) {
giterr_set(GITERR_INVALID, "programdata configuration file owner is unknown");
ret = GIT_ERROR;
goto cleanup;
}
if (IsWellKnownSid(owner_sid, WinBuiltinAdministratorsSid) ||
IsWellKnownSid(owner_sid, WinLocalSystemSid)) {
ret = GIT_OK;
goto cleanup;
}
/* Obtain current user's SID */
if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token) &&
!GetTokenInformation(token, TokenUser, NULL, 0, &len)) {
info = git__malloc(len);
GITERR_CHECK_ALLOC(info);
if (!GetTokenInformation(token, TokenUser, info, len, &len)) {
git__free(info);
info = NULL;
}
}
/*
* If the file is owned by the same account that is running the current
* process, it's okay to read from that file.
*/
if (info && EqualSid(owner_sid, info->User.Sid))
ret = GIT_OK;
else {
giterr_set(GITERR_INVALID, "programdata configuration file owner is not valid");
ret = GIT_ERROR;
}
free(info);
cleanup:
if (descriptor)
LocalFree(descriptor);
return ret;
#endif
}
...@@ -717,4 +717,16 @@ extern int git_path_is_ntfs_dotgit_attributes(const char *name, size_t len); ...@@ -717,4 +717,16 @@ extern int git_path_is_ntfs_dotgit_attributes(const char *name, size_t len);
*/ */
extern int git_path_is_hfs_dotgit_attributes(const char *name, size_t len); extern int git_path_is_hfs_dotgit_attributes(const char *name, size_t len);
/*
* Validate a system file's ownership
*
* Verify that the file in question is owned by an administrator or system
* account, or at least by the current user.
*
* This function returns 0 if successful. If the file is not owned by any of
* these, or any other if there have been problems determining the file
* ownership, it returns -1.
*/
int git_path_validate_system_file_ownership(const char *path);
#endif #endif
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment