Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

{CI} Add /azure-cli as safe.directory in docker container #22049

Merged
merged 1 commit into from
Apr 13, 2022
Merged

{CI} Add /azure-cli as safe.directory in docker container #22049

merged 1 commit into from
Apr 13, 2022

Conversation

jiasli
Copy link
Member

@jiasli jiasli commented Apr 13, 2022
edited
Loading

Description

Git released a fix for CVE-2022-24765 today, making it impossible to run git commands in a directory that is not owned by the current user:

This fix was backported to 2.25.1-1ubuntu3.3 on Ubuntu Focal (https://launchpad.net/ubuntu/+source/git/1:2.25.1-1ubuntu3.3), causing CI failure:

https://dev.azure.com/azure-sdk/public/_build/results?buildId=1501323&view=logs&j=6a6a2ac0-ff7f-5678-6bf3-3c1acb42be6f&t=9fdc6347-bbbe-562a-7659-31ca5019fc37

git checkout src
fatal: unsafe repository ('/azure-cli' is owned by someone else)
To add an exception for this directory, call:

	git config --global --add safe.directory /azure-cli

As it is expected for mounted /azure-cli to have different owner than the current docker container's user, this PR adds /azure-cli as safe.directory.

Other Microsoft developers are taking the same approach: https://github.com/microsoft/openocd/commit/16d4838818c5a67cb7739d948582c5e63095ceed (found by https://github.com/search?q=org%3Amicrosoft+safe.directory+git+config&type=code)

@ghost ghost added Auto-Assign Auto assign by bot CI CI labels Apr 13, 2022
@ghost ghost requested a review from yonzhan April 13, 2022 07:49
@ghost ghost assigned wangzelin007 Apr 13, 2022
@ghost ghost added this to the Apr 2022 (2022-04-26) milestone Apr 13, 2022
@yonzhan
Copy link
Collaborator

yonzhan commented Apr 13, 2022

CI

@jiasli
Copy link
Member Author

jiasli commented Apr 13, 2022

The error can be easily reproduced locally on Ubuntu WSL:

$ docker run -it --rm -v /home/user1/azure-cli:/azure-cli ubuntu

# stat azure-cli
  File: azure-cli
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 830h/2096d      Inode: 814         Links: 13
Access: (0755/drwxr-xr-x)  Uid: ( 1000/ UNKNOWN)   Gid: ( 1000/ UNKNOWN)
Access: 2022-04-13 07:14:02.704497892 +0000
Modify: 2022-03-31 10:39:03.051462810 +0000
Change: 2022-03-31 10:39:03.051462810 +0000
 Birth: -

# id
uid=0(root) gid=0(root) groups=0(root)

# apt update; apt install git

# cd azure-cli

# git status
fatal: unsafe repository ('/azure-cli' is owned by someone else)
To add an exception for this directory, call:

        git config --global --add safe.directory /azure-cli

@jiasli jiasli merged commit b722aeb into Azure:dev Apr 13, 2022
@jiasli jiasli deleted the git-cve branch April 13, 2022 11:54
jiasli added a commit to jiasli/azure-cli that referenced this pull request Apr 13, 2022
@jiasli
{CI} Add /azure-cli as safe.directory in docker container (Azure#…
d0e00a2 
…22049)

(cherry picked from commit b722aeb)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yonzhan yonzhan yonzhan approved these changes

@wangzelin007 wangzelin007 wangzelin007 approved these changes

@zhoxing-ms zhoxing-ms zhoxing-ms approved these changes

@jsntcy jsntcy jsntcy approved these changes

@evelyn-ys evelyn-ys evelyn-ys approved these changes

@kairu-ms kairu-ms Awaiting requested review from kairu-ms kairu-ms is a code owner

@calvinhzy calvinhzy Awaiting requested review from calvinhzy calvinhzy is a code owner

Assignees

@wangzelin007 wangzelin007

Labels
Auto-Assign Auto assign by bot CI CI
Projects
None yet
Milestone
Apr 2022 (2022-04-26)
Development

Successfully merging this pull request may close these issues.
6 participants
@jiasli @yonzhan @evelyn-ys @jsntcy @zhoxing-ms @wangzelin007