Skip to content

{CI} Add /azure-cli as safe.directory in docker container#22049

Merged
jiasli merged 1 commit intoAzure:devfrom
jiasli:git-cve
Apr 13, 2022
Merged

{CI} Add /azure-cli as safe.directory in docker container#22049
jiasli merged 1 commit intoAzure:devfrom
jiasli:git-cve

Conversation

@jiasli
Copy link
Copy Markdown
Member

@jiasli jiasli commented Apr 13, 2022
edited
Loading

Description

Git released a fix for CVE-2022-24765 today, making it impossible to run git commands in a directory that is not owned by the current user:

This fix was backported to 2.25.1-1ubuntu3.3 on Ubuntu Focal (https://launchpad.net/ubuntu/+source/git/1:2.25.1-1ubuntu3.3), causing CI failure:

https://dev.azure.com/azure-sdk/public/_build/results?buildId=1501323&view=logs&j=6a6a2ac0-ff7f-5678-6bf3-3c1acb42be6f&t=9fdc6347-bbbe-562a-7659-31ca5019fc37

git checkout src
fatal: unsafe repository ('/azure-cli' is owned by someone else)
To add an exception for this directory, call:

	git config --global --add safe.directory /azure-cli

As it is expected for mounted /azure-cli to have different owner than the current docker container's user, this PR adds /azure-cli as safe.directory.

Other Microsoft developers are taking the same approach: https://github.com/microsoft/openocd/commit/16d4838818c5a67cb7739d948582c5e63095ceed (found by https://github.com/search?q=org%3Amicrosoft+safe.directory+git+config&type=code)

@ghost ghost added Auto-Assign Auto assign by bot CI CI labels Apr 13, 2022
@ghost ghost requested a review from yonzhan April 13, 2022 07:49
@ghost ghost assigned wangzelin007 Apr 13, 2022
@ghost ghost added this to the Apr 2022 (2022-04-26) milestone Apr 13, 2022
@yonzhan
Copy link
Copy Markdown
Collaborator

yonzhan commented Apr 13, 2022

CI

@jiasli
Copy link
Copy Markdown
Member Author

jiasli commented Apr 13, 2022

The error can be easily reproduced locally on Ubuntu WSL:

$ docker run -it --rm -v /home/user1/azure-cli:/azure-cli ubuntu

# stat azure-cli
  File: azure-cli
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 830h/2096d      Inode: 814         Links: 13
Access: (0755/drwxr-xr-x)  Uid: ( 1000/ UNKNOWN)   Gid: ( 1000/ UNKNOWN)
Access: 2022-04-13 07:14:02.704497892 +0000
Modify: 2022-03-31 10:39:03.051462810 +0000
Change: 2022-03-31 10:39:03.051462810 +0000
 Birth: -

# id
uid=0(root) gid=0(root) groups=0(root)

# apt update; apt install git

# cd azure-cli

# git status
fatal: unsafe repository ('/azure-cli' is owned by someone else)
To add an exception for this directory, call:

        git config --global --add safe.directory /azure-cli

@jiasli jiasli merged commit b722aeb into Azure:dev Apr 13, 2022
@jiasli jiasli deleted the git-cve branch April 13, 2022 11:54
jiasli added a commit to jiasli/azure-cli that referenced this pull request Apr 13, 2022
@jiasli
{CI} Add /azure-cli as safe.directory in docker container (Azure#…
d0e00a2 
…22049)

(cherry picked from commit b722aeb)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@evelyn-ys evelyn-ys evelyn-ys approved these changes

@jsntcy jsntcy jsntcy approved these changes

@zhoxing-ms zhoxing-ms zhoxing-ms approved these changes

@wangzelin007 wangzelin007 wangzelin007 approved these changes

@yonzhan yonzhan yonzhan approved these changes

@kairu-ms kairu-ms Awaiting requested review from kairu-ms

@calvinhzy calvinhzy Awaiting requested review from calvinhzy

Assignees

@wangzelin007 wangzelin007

Labels

Auto-Assign Auto assign by bot CI CI

Projects

None yet

Milestone

Apr 2022 (2022-04-26)

Development

Successfully merging this pull request may close these issues.

6 participants

@jiasli @yonzhan @evelyn-ys @jsntcy @zhoxing-ms @wangzelin007