Page MenuHomePhabricator
Create Task
Maniphest T325128

git: detected dubious ownership in repository at '/srv/mediawiki-staging'
Closed, ResolvedPublic
Actions

Description

https://integration.wikimedia.org/ci/job/beta-code-update-eqiad/ worked at 6:04 UTC and broke at 6:13 UTC

Started by timer
Running as SYSTEM
Building remotely on deployment-deploy03 (BetaClusterBastion) in workspace /srv/jenkins/home/jenkins-deploy/workspace/beta-code-update-eqiad
No emails were triggered.
[beta-code-update-eqiad] $ /bin/bash -xe /tmp/jenkins3520384640553993295.sh
+ /usr/bin/scap prep auto
07:03:08 Started scap prep auto
07:03:08 Update https://gerrit.wikimedia.org/r/operations/mediawiki-config (master branch) in /srv/mediawiki-staging
07:03:08 Finished scap prep auto (duration: 00m 00s)
07:03:08 prep failed: <FailedCommand> Command 'git remote add origin https://gerrit.wikimedia.org/r/operations/mediawiki-config' failed with exit code 128;
stdout:

stderr:
fatal: detected dubious ownership in repository at '/srv/mediawiki-staging'
To add an exception for this directory, call:

	git config --global --add safe.directory /srv/mediawiki-staging

Build step 'Execute shell' marked build as failure
IRC notifier plugin: Sending notification to: #wikimedia-releng
No emails were triggered.
Finished: FAILURE

The beta cluster has the same setup has production which will thus be broken as soon as git is updated. On the deployment server:

deploy1002$ ls -lrdta /srv/mediawiki-staging
drwxrwsr-x 22 mwdeploy deployment 4096 Dec 13 09:10 /srv/mediawiki-staging/

Details

SubjectRepoBranchLines +/-
scap: disable git safe.directoryoperations/puppetproduction+19 -0
Customize query in gerrit
TitleReferenceAuthorSource BranchDest Branch
Disable git safe.directory in deployment imagerepos/releng/scap3-dev!12hashardisable-git-safe-directorymaster
Customize query in GitLab

Related Objects

Event Timeline

hashar created this task.Dec 14 2022, 7:22 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 14 2022, 7:22 AM
hashar added a comment.Dec 14 2022, 7:27 AM

I have looked at Gerrit and nothing significant merged at the time. Eventually I found out git package has been upgraded on the machine:

/var/log/apt/history.log
Start-Date: 2022-12-14  06:06:57
Commandline: /usr/bin/unattended-upgrade
Upgrade: git:amd64 (1:2.20.1-2+deb10u4, 1:2.20.1-2+deb10u5)
End-Date: 2022-12-14  06:07:01

Start-Date: 2022-12-14  06:07:02
Commandline: /usr/bin/unattended-upgrade
Upgrade: git-man:amd64 (1:2.20.1-2+deb10u4, 1:2.20.1-2+deb10u5)
End-Date: 2022-12-14  06:07:07

/srv/mediawiki-staging has a setuid bit:

      v
drwxrwsr-x 22 mwdeploy wikidev 4096 Dec 13 09:13 /srv/mediawiki-staging/
      ^
git (1:2.20.1-2+deb10u5) buster-security; urgency=high
  
  * Non-maintainer upload by the LTS Security Team.
  * CVE-2022-24765: Git not checking the ownership of directories in a
    local multi-user system when running commands specified in the local
    repository configuration.  This allows the owner of the repository to
    cause arbitrary commands to be executed by other users who access the
    repository.
  * The above introduces new 'safe.directory' checks which may cause
    regressions: allow opt-out of such checks with 'safe.directory=*'
  * CVE-2022-29187: an unsuspecting user could still be affected by the
    issue reported in CVE-2022-24765, for example when navigating as root
    into a shared tmp directory that is owned by them, but where an
    attacker could create a git repository.
  * CVE-2022-39253: exposure of sensitive information to a malicious
    actor. When performing a local clone (where the source and target of
    the clone are on the same volume), Git copies the contents of the
    source's `$GIT_DIR/objects` directory into the destination by either
    creating hardlinks to the source contents, or copying them (if
    hardlinks are disabled via `--no-hardlinks`). A malicious actor could
    convince a victim to clone a repository with a symbolic link pointing
    at sensitive information on the victim's machine.
  * CVE-2022-39260: `git shell` improperly uses an `int` to represent the
    number of entries in the array, allowing a malicious actor to
    intentionally overflow the return value, leading to arbitrary heap
    writes. Because the resulting array is then passed to `execv()`, it is
    possible to leverage this attack to gain remote code execution on a
    victim machine.

 -- Sylvain Beucler <beuc@debian.org>  Tue, 13 Dec 2022 15:14:23 +0100
hashar renamed this task from beta-code-update-eqiad: to git: detected dubious ownership in repository at '/srv/mediawiki-staging'.Dec 14 2022, 7:42 AM
hashar triaged this task as High priority.
hashar added a project: serviceops.
hashar updated the task description. (Show Details)
hashar added a comment.Dec 14 2022, 7:52 AM

Another note is we have the git repository flagged as shared between user by setting core.sharedRepository=group. In this case, I argue the security check should still allow command if a user is a member of the group owning the .git directory.

The new safe.directory setting does not accept any wildcard setting. Since we can execute git commands in any repository below /srv/mediawiki-staging I am guessing the easiest is to disable that feature as instructed.

hashar claimed this task.Dec 14 2022, 7:58 AM
gerritbot added a comment.Dec 14 2022, 8:07 AM

Change 868002 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/puppet@production] scap: disable git safe.directory

https://gerrit.wikimedia.org/r/868002

gerritbot added a project: Patch-For-Review.Dec 14 2022, 8:07 AM
Stashbot added a comment.Dec 14 2022, 8:43 AM

Mentioned in SAL (#wikimedia-releng) [2022-12-14T08:43:11Z] <hashar> deployment-prep: fixed beta-code-update-eqiad Jenkins job by cherry-picking https://gerrit.wikimedia.org/r/c/operations/puppet/+/868002 | T325128

Krinkle awarded a token.Dec 14 2022, 12:33 PM
Southparkfan subscribed.Dec 14 2022, 5:44 PM

Standalone puppetmasters are also affected by this Git update:

$ git push -f project_puppetmaster HEAD:production
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
remote: fatal: detected dubious ownership in repository at '/var/lib/git/operations/puppet'
remote: To add an exception for this directory, call:
remote: 
remote: 	git config --global --add safe.directory /var/lib/git/operations/puppet
hashar added a comment.Dec 14 2022, 6:03 PM

For WMCS Standalone puppetmasters I am not sure how it should behave.

I have discovered this morning the files are owned by gitpuppet and up until now I have always use root (using: sudo su -cd /var/lib/git/operations/puppetgit ...).

If we instead use sudo -u gitpuppet git ... that would fix it (local files would probably require some chown -R gitpuppet):

hashar@integration-puppetmaster-02:/var/lib/git/operations/puppet$ sudo -u gitpuppet git log -n1 --oneline
b0f80ae195 (HEAD -> production, tag: snapshot-202212132333, origin/production, origin/HEAD) netmon: Remove the netmon1002 instance as passive node

Though surely we might want to find out a way to let people know about the gitpuppet user and use sudo -u gitpuppet instead of sudo.

taavi subscribed.Dec 14 2022, 6:08 PM

Sort of related for standalone puppetmasters: T152059: role::puppetmaster::standalone clones Git repositories as gitpuppet, git-sync-upstream overwrites them as root

Krinkle mentioned this in T325253: git fatal: detected dubious ownership in repository at '/srv/codesearch'.Dec 14 2022, 11:05 PM
aborrero mentioned this in T325280: cloud puppetmasters fail to run git-sync-upstream.Dec 15 2022, 12:19 PM
MoritzMuehlenhoff subscribed.Dec 15 2022, 12:20 PM
akosiaris edited projects, added SRE; removed serviceops.Dec 20 2022, 11:48 AM
akosiaris subscribed.

Switching from serviceops to SRE for greater visibility within the SRE team, this could break more things.

hashar removed hashar as the assignee of this task.Jan 3 2023, 12:25 PM

I have cherry-picked https://gerrit.wikimedia.org/r/868002 to fix the Beta-Cluster-Infrastructure automatic deployment. It would be needed for production as a prerequisite to the git upgrade as well as some extra fix needed for the puppet master.

I am unassigning myself since the immediate breakage got fixed and there is a bit more work to do (deal with puppetmaster and actually upgrade git fleet wide).

MarcoAurelio mentioned this in T326469: fatal: detected dubious ownership in repository at '/mnt/nfs/labstore-secondary-tools-project/pywikibot/public_html/core'.Jan 7 2023, 1:13 PM
Stashbot added a comment.Jan 27 2023, 8:39 AM

Mentioned in SAL (#wikimedia-releng) [2023-01-27T08:39:11Z] <hashar> devtools: fix git security warning on deployment server by cherry-picking https://gerrit.wikimedia.org/r/c/operations/puppet/+/868002 on the puppet master | T325128

gerritbot added a comment.Jan 30 2023, 5:54 PM

hashar opened https://gitlab.wikimedia.org/repos/releng/scap3-dev/-/merge_requests/12

Disable git safe.directory in deployment image

Lucas_Werkmeister_WMDE mentioned this in T328441: git fatal: detected dubious ownership in repository at '/srv/jenkins/workspace/wikidata-query-builder-build/src'.Jan 31 2023, 1:41 PM
gerritbot added a comment.Feb 1 2023, 11:52 AM

jnuche merged https://gitlab.wikimedia.org/repos/releng/scap3-dev/-/merge_requests/12

Disable git safe.directory in deployment image

hashar moved this task from INBOX to Radar on the Release-Engineering-Team board.Feb 1 2023, 5:36 PM
hashar edited projects, added Release-Engineering-Team (Radar); removed Release-Engineering-Team.
Jdrewniak mentioned this in T328924: wikimedia-portals-build permission error: "dubious ownership in repository".Feb 6 2023, 2:53 PM
hashar mentioned this in T330107: start-rt-test.sh doesn't report exit codes.Feb 21 2023, 10:15 AM
hashar mentioned this in T330394: Scap issues with stat hosts.Feb 23 2023, 1:43 PM

The same issue occurs on the deployment target as reported by T330394:

nfraison@stat1008:/srv/deployment/analytics/hdfs-tools/deploy$ sudo /usr/bin/git -C /srv/deployment/analytics/hdfs-tools/deploy tag --points-at HEAD
fatal: detected dubious ownership in repository at '/srv/deployment/analytics/hdfs-tools/deploy-cache/revs/0c6e3ca61c094338d821ae7c73e244f1abb5b8bc'
To add an exception for this directory, call:

	git config --global --add safe.directory /srv/deployment/analytics/hdfs-tools/deploy-cache/revs/0c6e3ca61c094338d821ae7c73e244f1abb5b8bc
MoritzMuehlenhoff added a comment.Feb 23 2023, 4:16 PM
In T325128#8640737, @hashar wrote:

The same issue occurs on the deployment target as reported by T330394:

nfraison@stat1008:/srv/deployment/analytics/hdfs-tools/deploy$ sudo /usr/bin/git -C /srv/deployment/analytics/hdfs-tools/deploy tag --points-at HEAD
fatal: detected dubious ownership in repository at '/srv/deployment/analytics/hdfs-tools/deploy-cache/revs/0c6e3ca61c094338d821ae7c73e244f1abb5b8bc'
To add an exception for this directory, call:

	git config --global --add safe.directory /srv/deployment/analytics/hdfs-tools/deploy-cache/revs/0c6e3ca61c094338d821ae7c73e244f1abb5b8bc

And JFTR, got fixed with https://gerrit.wikimedia.org/r/c/operations/puppet/+/891555

MatthewVernon subscribed.Mar 6 2023, 10:12 AM

@hashar are there still things that need doing on this task? It looks like
https://integration.wikimedia.org/ci/job/beta-code-update-eqiad/ is now clear.

[asking because this is on the clinic duty dashboard]

hashar added a comment.Mar 7 2023, 11:12 AM
In T325128#8667625, @MatthewVernon wrote:

@hashar are there still things that need doing on this task? It looks like
https://integration.wikimedia.org/ci/job/beta-code-update-eqiad/ is now clear.

[asking because this is on the clinic duty dashboard]

The immediate issue got addressed by cherry picking to beta cluster the patch https://gerrit.wikimedia.org/r/c/operations/puppet/+/868002/ . It globally set the git config safe.directory='*' then I don't think we should set it (I commented on the patch), at least not wide open and we also have use case of executing commands as root which sounds scary if one adds some malicious hook to the git repos.

The issue also happened (and will happen) on a wide range of different systems and triggers as soon as the git package is upgraded on the hosts (typically if one reimage a server and uncarefully upgrade the package). We already had several tasks filed and since this one got filed first, I guess it can be reused as a tracking / parent task.

hashar added a subscriber: nfraison.Mar 8 2023, 9:18 AM

Part of the fix for the deployment servers and scap is https://gerrit.wikimedia.org/r/c/operations/puppet/+/891555 by @nfraison which is to have Puppet to run the git command as the deployment user rather than root. T330394#8640706 as details about implementing and testing the fix.

gerritbot added a comment.Mar 10 2023, 7:14 AM

Change 868002 abandoned by Hashar:

[operations/puppet@production] scap: disable git safe.directory

Reason:

I have removed this patch from the deployment-prep Puppet master. The proper fix for the deployments server has been made by Icb3e1d3a98e66ec132411b4c0ade56347bc6ce48 via T330394

https://gerrit.wikimedia.org/r/868002

hashar added a comment.Mar 10 2023, 7:16 AM

On deployment-deploy03.deployment-prep.eqiad1.wikimedia.cloud:

Notice: /Stage[main]/Git::Globalconfig/File[/etc/gitconfig.d/10-disable_safe_directory.gitconfig]/ensure: removed

The scap fix has been done in T330394. For production we still have to update git fleet wide and some bits have been done with @MoritzMuehlenhoff

Maintenance_bot removed a project: Patch-For-Review.Mar 10 2023, 7:30 AM
hashar closed this task as Resolved.May 2 2023, 5:02 AM
hashar claimed this task.

For other use case, looks like that will be done as part {T335354}

I am closing this one since it was primarily for the Beta-Cluster-Infrastructure

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL