Bug 838223 - sys-apps/portage with FEATURES="usersync" and >=dev-vcs/git-2.35.2 - git sync fails when repo is owned by non-root user - fatal: unsafe repository ('/var/db/repos/gentoo' is owned by someone else)
Summary: sys-apps/portage with FEATURES="usersync" and >=dev-vcs/git-2.35.2 - git sync...
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core
Hardware: All Linux
Importance: Normal normal
Assignee: Portage team
URL:
Whiteboard: git 2.35.2 masked for now which means...
Keywords: PullRequest
Depends on:
Blocks: 837899 CVE-2022-24765
Reported: 2022-04-13 15:50 UTC by Denis Lisov
Modified: 2022-10-16 18:27 UTC

See Also:
Package list:
Runtime testing required: ---


Description Denis Lisov 2022-04-13 15:50:31 UTC
Starting with dev-vcs/git-2.35.2, git refuses to run in a location where `.git` or one of the directories between the current directory and `.git` belong to a different user. This means that if `/var/db/repos/gentoo` is owned by `portage` (which, IIUC, is normal with FEATURES="usersync"), trying to run a git command there as root will fail.

Reproducible: Always

Steps to Reproduce:
1. Use the Gentoo main repository from `https://github.com/gentoo-mirror/gentoo/` with FEATURES="usersync". The repository will be `portage`-owned so that `portage` can update it.
2. Run `emerge --info` or `emerge --sync`
3. Observe the error message
Actual Results:  
fatal: unsafe repository ('/var/db/repos/gentoo' is owned by someone else)
To add an exception for this directory, call:
        git config --global --add safe.directory /var/db/repos/gentoo

Expected Results:  
All `git` calls should happen as the user owning the repository location just like syncing with `usersync` already does.
Comment 1 David Sardari 2022-04-13 16:41:29 UTC
The change in dev-vcs/git-2.35.2 was introduced due to CVE:
https://bugs.gentoo.org/838127
Comment 2 David Sardari 2022-04-13 17:04:08 UTC
This issue disables verification of repository HEAD's GnuPG signature:

➤ find /var/db/repos/gentoo -maxdepth 1 -mindepth 1 -exec rm -rf {} +
➤ emerge --sync > /tmp/a.txt
fatal: unsafe repository ('/var/db/repos/gentoo' is owned by someone else)
To add an exception for this directory, call:

	git config --global --add safe.directory /var/db/repos/gentoo
➤ find /var/db/repos/gentoo -maxdepth 1 -mindepth 1 -exec rm -rf {} +
➤ git config --system --add safe.directory /var/db/repos/gentoo
➤ emerge --sync > /tmp/b.txt
➤ diff --suppress-common-lines /tmp/a.txt /tmp/b.txt
4c4
Updating files: 100% (122032/122032), done.
---
Updating files: 100% (122032/122032), done.
6a7,8
>  * Trusted signature found on top commit
> === Sync completed for gentoo
38c40
< Action: sync for repo: gentoo, returned code = 1
---
> Action: sync for repo: gentoo, returned code = 0
Comment 3 David Sardari 2022-04-13 17:17:43 UTC
Full a.txt content ("emerge --sync" with defaults):

>>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
/usr/bin/git clone --depth 1 https://anongit.gentoo.org/git/repo/sync/gentoo.git .
Cloning into '.'...
Updating files: 100% (122032/122032), done.
 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys via WKD ...                                           [ ok ]

Performing Global Updates
(Could take a couple of minutes if you have a lot of binary packages.)
  .='update pass'  *='binary update'  #='/var/db update'  @='/var/db move'
  s='/var/db SLOT move'  %='binary move'  S='binary SLOT move'
  p='update /etc/portage/package.*'
/var/db/repos/gentoo/profiles/updates/1Q-2017............................
/var/db/repos/gentoo/profiles/updates/1Q-2018.....................
/var/db/repos/gentoo/profiles/updates/1Q-2019................
/var/db/repos/gentoo/profiles/updates/1Q-2020............
/var/db/repos/gentoo/profiles/updates/1Q-2021.......
/var/db/repos/gentoo/profiles/updates/1Q-2022..
/var/db/repos/gentoo/profiles/updates/2Q-2017....
/var/db/repos/gentoo/profiles/updates/2Q-2018..................
/var/db/repos/gentoo/profiles/updates/2Q-2019...
/var/db/repos/gentoo/profiles/updates/2Q-2020...........
/var/db/repos/gentoo/profiles/updates/2Q-2021........
/var/db/repos/gentoo/profiles/updates/2Q-2022.
/var/db/repos/gentoo/profiles/updates/3Q-2017........................
/var/db/repos/gentoo/profiles/updates/3Q-2018..
/var/db/repos/gentoo/profiles/updates/3Q-2019......
/var/db/repos/gentoo/profiles/updates/3Q-2020..................................................................................................................................................
/var/db/repos/gentoo/profiles/updates/3Q-2021..............
/var/db/repos/gentoo/profiles/updates/4Q-2017......
/var/db/repos/gentoo/profiles/updates/4Q-2018......
/var/db/repos/gentoo/profiles/updates/4Q-2019.......
/var/db/repos/gentoo/profiles/updates/4Q-2020........
/var/db/repos/gentoo/profiles/updates/4Q-2021..........................................................................



Action: sync for repo: gentoo, returned code = 1
Comment 4 David Sardari 2022-04-13 17:18:30 UTC
Full b.txt ("emerge --sync" with safe.directory setting):

>>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
/usr/bin/git clone --depth 1 https://anongit.gentoo.org/git/repo/sync/gentoo.git .
Cloning into '.'...
Updating files: 100% (122032/122032), done.
 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys via WKD ...                                           [ ok ]
 * Trusted signature found on top commit
=== Sync completed for gentoo

Performing Global Updates
(Could take a couple of minutes if you have a lot of binary packages.)
  .='update pass'  *='binary update'  #='/var/db update'  @='/var/db move'
  s='/var/db SLOT move'  %='binary move'  S='binary SLOT move'
  p='update /etc/portage/package.*'
/var/db/repos/gentoo/profiles/updates/1Q-2017............................
/var/db/repos/gentoo/profiles/updates/1Q-2018.....................
/var/db/repos/gentoo/profiles/updates/1Q-2019................
/var/db/repos/gentoo/profiles/updates/1Q-2020............
/var/db/repos/gentoo/profiles/updates/1Q-2021.......
/var/db/repos/gentoo/profiles/updates/1Q-2022..
/var/db/repos/gentoo/profiles/updates/2Q-2017....
/var/db/repos/gentoo/profiles/updates/2Q-2018..................
/var/db/repos/gentoo/profiles/updates/2Q-2019...
/var/db/repos/gentoo/profiles/updates/2Q-2020...........
/var/db/repos/gentoo/profiles/updates/2Q-2021........
/var/db/repos/gentoo/profiles/updates/2Q-2022.
/var/db/repos/gentoo/profiles/updates/3Q-2017........................
/var/db/repos/gentoo/profiles/updates/3Q-2018..
/var/db/repos/gentoo/profiles/updates/3Q-2019......
/var/db/repos/gentoo/profiles/updates/3Q-2020..................................................................................................................................................
/var/db/repos/gentoo/profiles/updates/3Q-2021..............
/var/db/repos/gentoo/profiles/updates/4Q-2017......
/var/db/repos/gentoo/profiles/updates/4Q-2018......
/var/db/repos/gentoo/profiles/updates/4Q-2019.......
/var/db/repos/gentoo/profiles/updates/4Q-2020........
/var/db/repos/gentoo/profiles/updates/4Q-2021..........................................................................



Action: sync for repo: gentoo, returned code = 0
Comment 5 David Sardari 2022-04-13 18:34:54 UTC
OK, this works as desired:

User patches have not been applied to portage.

Make sure you do not have the hardened Git version installed:

➤ git --version
git version 2.35.1

Delete all relevant configuration, empty Git repo and change ownership:

➤ rm -rfv /etc/gitconfig /etc/portage/gitconfig /etc/portage/repos.conf
removed '/etc/gitconfig'
removed '/etc/portage/gitconfig'
removed '/etc/portage/repos.conf/gentoo.conf'
removed directory '/etc/portage/repos.conf'
➤ find /var/db/repos/gentoo -maxdepth 1 -mindepth 1 -exec rm -rf {} +
➤ chown portage:portage /var/db/repos/gentoo

Use some old fork of https://github.com/gentoo-mirror/gentoo and enable GnuPG verification:

➤ mkdir -p /etc/portage/repos.conf && \
rsync -a /usr/share/portage/config/repos.conf /etc/portage/repos.conf/gentoo.conf && \
sed -i \
    -e 's/^\(sync-type[[:space:]]*=[[:space:]]*\).*/\1git/' \
    -e 's#^\(sync-uri[[:space:]]*=[[:space:]]*\).*#\1https://github.com/duxsco/gentoo.git#' \
    -e '$ a sync-git-verify-commit-signature = yes' \
    /etc/portage/repos.conf/gentoo.conf
➤ diff /usr/share/portage/config/repos.conf /etc/portage/repos.conf/gentoo.conf
6,7c6,7
< sync-type = rsync
< sync-uri = rsync://rsync.gentoo.org/gentoo-portage
---
> sync-type = git
> sync-uri = https://github.com/duxsco/gentoo.git
19a20
> sync-git-verify-commit-signature = yes

Sync:

➤ emerge --sync
>>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
/usr/bin/git clone --depth 1 https://github.com/aliceUnhinged613/gentoo.git .
Cloning into '.'...
remote: Enumerating objects: 141225, done.
remote: Counting objects: 100% (141225/141225), done.
remote: Compressing objects: 100% (126747/126747), done.
remote: Total 141225 (delta 27929), reused 64904 (delta 13425), pack-reused 0
Receiving objects: 100% (141225/141225), 70.92 MiB | 5.86 MiB/s, done.
Resolving deltas: 100% (27929/27929), done.
Updating files: 100% (124582/124582), done.
 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys via WKD ...                                                                                                         [ ok ]
 * Trusted signature found on top commit
=== Sync completed for gentoo

Performing Global Updates
(Could take a couple of minutes if you have a lot of binary packages.)
  .='update pass'  *='binary update'  #='/var/db update'  @='/var/db move'
  s='/var/db SLOT move'  %='binary move'  S='binary SLOT move'
  p='update /etc/portage/package.*'
/var/db/repos/gentoo/profiles/updates/1Q-2016............................................
/var/db/repos/gentoo/profiles/updates/1Q-2017................................
/var/db/repos/gentoo/profiles/updates/1Q-2018.....................
/var/db/repos/gentoo/profiles/updates/1Q-2019.................
/var/db/repos/gentoo/profiles/updates/1Q-2020............
/var/db/repos/gentoo/profiles/updates/2Q-2016..........................................................
/var/db/repos/gentoo/profiles/updates/2Q-2017....
/var/db/repos/gentoo/profiles/updates/2Q-2018..................
/var/db/repos/gentoo/profiles/updates/2Q-2019...
/var/db/repos/gentoo/profiles/updates/2Q-2020............
/var/db/repos/gentoo/profiles/updates/3Q-2015.....................
/var/db/repos/gentoo/profiles/updates/3Q-2016........................
/var/db/repos/gentoo/profiles/updates/3Q-2017........................
/var/db/repos/gentoo/profiles/updates/3Q-2018...
/var/db/repos/gentoo/profiles/updates/3Q-2019........
/var/db/repos/gentoo/profiles/updates/3Q-2020.....................................................................................................................................................
/var/db/repos/gentoo/profiles/updates/4Q-2015............................
/var/db/repos/gentoo/profiles/updates/4Q-2016..............................
/var/db/repos/gentoo/profiles/updates/4Q-2017.......
/var/db/repos/gentoo/profiles/updates/4Q-2018.......
/var/db/repos/gentoo/profiles/updates/4Q-2019.......



Action: sync for repo: gentoo, returned code = 0

Update dev-vcs/git:
➤ env ACCEPT_KEYWORDS=~amd64 emerge -1 =dev-vcs/git-2.35.2
➤ git --version
git version 2.35.2

Change remote origin URL:
➤ cd /var/db/repos/gentoo/
➤ chown -R root:root .
➤ git remote set-url origin https://github.com/gentoo-mirror/gentoo.git
➤ chown -R portage:portage .
➤ emerge --sync
>>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
fatal: unsafe repository ('/var/db/repos/gentoo' is owned by someone else)
To add an exception for this directory, call:

	git config --global --add safe.directory /var/db/repos/gentoo
!!! git rev-parse error in /var/db/repos/gentoo

Action: sync for repo: gentoo, returned code = 128
Comment 6 David Sardari 2022-04-13 18:59:46 UTC
So, you can say that an "emerge --sync" fails if you already have a repo in /var/db/repos/gentoo owned by portage.

If /var/db/repos/gentoo is empty, however, the repo is fetched over Git and stays in /var/db/repos/gentoo even if the GnuPG verification never occurs. In the following, resume from where we ended in my previous comment and do:

Delete repo:
➤ find /var/db/repos/gentoo -maxdepth 1 -mindepth 1 -exec rm -rf {} +

Change remote origin URL:
➤ sed -i 's#https://github.com/duxsco/gentoo.git#https://github.com/gentoo-mirror/gentoo.git#' /etc/portage/repos.conf/gentoo.conf
➤ diff /usr/share/portage/config/repos.conf /etc/portage/repos.conf/gentoo.conf
6,7c6,7
< sync-type = rsync
< sync-uri = rsync://rsync.gentoo.org/gentoo-portage
---
> sync-type = git
> sync-uri = https://github.com/gentoo-mirror/gentoo.git
19a20
> sync-git-verify-commit-signature = yes

Sync:
➤ emerge --sync
>>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
/usr/bin/git clone --depth 1 https://github.com/gentoo-mirror/gentoo.git .
Cloning into '.'...
remote: Enumerating objects: 138255, done.
remote: Counting objects: 100% (138255/138255), done.
remote: Compressing objects: 100% (119086/119086), done.
remote: Total 138255 (delta 30311), reused 66151 (delta 18153), pack-reused 0
Receiving objects: 100% (138255/138255), 73.46 MiB | 6.54 MiB/s, done.
Resolving deltas: 100% (30311/30311), done.
Updating files: 100% (122038/122038), done.
 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys via WKD ...                                                                                                         [ ok ]
fatal: unsafe repository ('/var/db/repos/gentoo' is owned by someone else)
To add an exception for this directory, call:

	git config --global --add safe.directory /var/db/repos/gentoo

Performing Global Updates
(Could take a couple of minutes if you have a lot of binary packages.)
  .='update pass'  *='binary update'  #='/var/db update'  @='/var/db move'
  s='/var/db SLOT move'  %='binary move'  S='binary SLOT move'
  p='update /etc/portage/package.*'
/var/db/repos/gentoo/profiles/updates/1Q-2017............................
/var/db/repos/gentoo/profiles/updates/1Q-2018.....................
/var/db/repos/gentoo/profiles/updates/1Q-2019................
/var/db/repos/gentoo/profiles/updates/1Q-2020............
/var/db/repos/gentoo/profiles/updates/1Q-2021.......
/var/db/repos/gentoo/profiles/updates/1Q-2022..
/var/db/repos/gentoo/profiles/updates/2Q-2017....
/var/db/repos/gentoo/profiles/updates/2Q-2018..................
/var/db/repos/gentoo/profiles/updates/2Q-2019...
/var/db/repos/gentoo/profiles/updates/2Q-2020...........
/var/db/repos/gentoo/profiles/updates/2Q-2021........
/var/db/repos/gentoo/profiles/updates/2Q-2022.
/var/db/repos/gentoo/profiles/updates/3Q-2017........................
/var/db/repos/gentoo/profiles/updates/3Q-2018..
/var/db/repos/gentoo/profiles/updates/3Q-2019......
/var/db/repos/gentoo/profiles/updates/3Q-2020..................................................................................................................................................
/var/db/repos/gentoo/profiles/updates/3Q-2021..............
/var/db/repos/gentoo/profiles/updates/4Q-2017......
/var/db/repos/gentoo/profiles/updates/4Q-2018......
/var/db/repos/gentoo/profiles/updates/4Q-2019.......
/var/db/repos/gentoo/profiles/updates/4Q-2020........
/var/db/repos/gentoo/profiles/updates/4Q-2021..........................................................................



Action: sync for repo: gentoo, returned code = 1

You have a fully valid repo, although no GnuPG verification occurred:
➤ chown -R root:root /var/db/repos/gentoo
➤ git rev-parse stable
1d05ebb9fa5b21638a22f5ea8ded0e797c830525
➤ git rev-parse HEAD
1d05ebb9fa5b21638a22f5ea8ded0e797c830525
Comment 7 David Sardari 2022-04-13 20:39:49 UTC
I am in favor of this procedure:

If "sync-git-verify-commit-signature=yes" is set and "/var/db/repos/gentoo" is empty, the Git repository should be cloned to a quarantine directory similar to the (default) rsync approach. Only after the verification of HEAD's GnuPG signature succeeds, should the repo be moved from quarantine directory to the empty "/var/db/repos/gentoo".

There is no need for a quarantine directory thereafter, if the subsequent "git fetch" is done, and the GnuPG signature of origin HEAD is checked _before_ a rebase occurs.
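The quarantine flow proposed in the comment above, written out as an added example. This is not Portage's code: the clone and signature-check steps are injected callables (in a real sync they would wrap `git clone --depth 1` and a gemato/gpg check of HEAD), and the names quarantined_sync, SyncVerificationError and demo are this example's own. The quarantine directory is created inside the target, like Portage's rsync quarantine, so the final move is a same-filesystem rename even when the target is a mountpoint. The point it shows is the failure mode from comment 6: when verification does not succeed, nothing is left behind in the target.

```python
"""Added example (not Portage code): clone into a quarantine directory,
verify the top commit, and only then move the tree into the empty target.

If verification fails or never runs (comment 6: git aborted on the
safe.directory check and left an unverified but usable checkout behind),
the quarantine is discarded and the target stays empty, so nothing
downstream can consume an unverified tree.
"""
import os
import shutil
import tempfile


class SyncVerificationError(Exception):
    """Raised when the cloned HEAD has no trusted signature."""


def quarantined_sync(target, clone, verify):
    """Populate the empty directory `target` with a verified clone.

    clone(dest)  must create the repository inside dest.
    verify(dest) returns True only if HEAD carries a trusted signature.
    """
    if os.listdir(target):
        raise ValueError(f"{target} is not empty; quarantine applies to the first sync only")
    # Quarantine lives inside the target (same filesystem), so every move
    # below is a plain rename rather than a copy across mounts.
    quarantine = tempfile.mkdtemp(prefix=".tmp-unverified-quarantine-", dir=target)
    try:
        clone(quarantine)
        if not verify(quarantine):
            raise SyncVerificationError("no trusted signature on top commit; discarding clone")
        # Verified: move every entry (including .git) up into the target.
        for name in os.listdir(quarantine):
            os.rename(os.path.join(quarantine, name), os.path.join(target, name))
    finally:
        # On success this removes an empty directory; on failure, the whole
        # unverified clone.
        shutil.rmtree(quarantine, ignore_errors=True)


def _fake_clone(dest):
    """Constructed stand-in for `git clone`: writes a minimal tree."""
    os.makedirs(os.path.join(dest, ".git"))
    with open(os.path.join(dest, "profiles.txt"), "w") as f:
        f.write("constructed sample file\n")


def demo(signature_ok):
    """Run the flow against a fresh temporary target.

    Returns (entries left in target, outcome) so both branches can be checked.
    """
    target = tempfile.mkdtemp(prefix="repo-")
    try:
        quarantined_sync(target, _fake_clone, lambda dest: signature_ok)
        outcome = "synced"
    except SyncVerificationError:
        outcome = "rejected"
    entries = sorted(os.listdir(target))
    shutil.rmtree(target)
    return entries, outcome


if __name__ == "__main__":
    print(demo(True))   # ([".git", "profiles.txt"], "synced")
    print(demo(False))  # ([], "rejected")
```

The emptiness check at the top is deliberate: the quarantine only protects the first clone. For later syncs, as the comment says, the signature of the fetched origin HEAD has to be checked before anything is rebased or checked out.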
Comment 8 Mike Gilbert gentoo-dev 2022-04-13 22:18:31 UTC
It looks like portage runs "git rev-parse" as root, regardless of the usersync setting.

> % sudo emerge --sync
> >>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
> fatal: unsafe repository ('/var/db/repos/gentoo' is owned by someone else)
> To add an exception for this directory, call:
> 
>         git config --global --add safe.directory /var/db/repos/gentoo
> !!! git rev-parse error in /var/db/repos/gentoo
> 
> Action: sync for repo: gentoo, returned code = 128

The relevant code is in the portage.sync.modules.git.GitSync class.

We currently use subprocess.subprocess.check_output() to call "git rev-parse".

We should probably change this to use portage.process.spawn() instead. The sync uid is configured in self.spawn_kwargs.
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-13 22:26:28 UTC
(In reply to Mike Gilbert from comment #8)
> It looks like portage runs "git rev-parse" as root, regardless of the
> usersync setting.
> 
> > % sudo emerge --sync
> > >>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
> > fatal: unsafe repository ('/var/db/repos/gentoo' is owned by someone else)
> > To add an exception for this directory, call:
> > 
> >         git config --global --add safe.directory /var/db/repos/gentoo
> > !!! git rev-parse error in /var/db/repos/gentoo
> > 
> > Action: sync for repo: gentoo, returned code = 128
> 
> The relevant code is in the portage.sync.modules.git.GitSync class.
> 
> We currently use subprocess.subprocess.check_output() to call "git
> rev-parse".
> 
> We should probably change this to use portage.process.spawn() instead. The
> sync uid is configured in self.span_kwargs.

I'm not sure this is the whole problem.

During a sync, I ran:

`while true; do ps aux | grep git; sleep .1; done | tee sync`

Eventually I saw:

root     2794406  0.0  0.1  35240 27892 pts/9    SN+  17:23   0:00 /usr/bin/git fetch origin --depth 1
root     2794407  0.0  0.0  10148  4128 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git remote-https origin https://github.com/gentoo-mirror/gentoo
root     2794408  0.0  0.0  14192  8340 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git-remote-https origin https://github.com/gentoo-mirror/gentoo
jake     2794410  0.0  0.0   6604  2252 pts/12   S<+  17:23   0:00 grep --colour=auto git
root     2794406  0.0  0.1  35240 27892 pts/9    SN+  17:23   0:00 /usr/bin/git fetch origin --depth 1
root     2794407  0.0  0.0  10148  4128 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git remote-https origin https://github.com/gentoo-mirror/gentoo
root     2794408  0.0  0.0  15336  8920 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git-remote-https origin https://github.com/gentoo-mirror/gentoo
jake     2794414  0.0  0.0   6604  2256 pts/12   S<+  17:23   0:00 grep --colour=auto git
root     2794406  0.0  0.1  35880 28240 pts/9    SN+  17:23   0:00 /usr/bin/git fetch origin --depth 1
root     2794407  0.0  0.0  10148  4128 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git remote-https origin https://github.com/gentoo-mirror/gentoo
root     2794408  0.0  0.0  15336  8920 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git-remote-https origin https://github.com/gentoo-mirror/gentoo
jake     2794422  0.0  0.0   6604  2252 pts/12   S<+  17:23   0:00 grep --colour=auto git
root     2794406  2.0  0.1  44076 28240 pts/9    SNl+ 17:23   0:00 /usr/bin/git fetch origin --depth 1
root     2794407  0.0  0.0  10148  4128 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git remote-https origin https://github.com/gentoo-mirror/gentoo
root     2794408  0.0  0.0  15336  8920 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git-remote-https origin https://github.com/gentoo-mirror/gentoo
jake     2794477  0.0  0.0   6604  2192 pts/12   S<+  17:23   0:00 grep --colour=auto git
root     2794406  2.0  0.1  44076 28240 pts/9    SNl+ 17:23   0:00 /usr/bin/git fetch origin --depth 1
root     2794407  0.0  0.0  10148  4128 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git remote-https origin https://github.com/gentoo-mirror/gentoo
root     2794408  0.0  0.0  15336  8920 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git-remote-https origin https://github.com/gentoo-mirror/gentoo
jake     2794532  0.0  0.0   6604  2256 pts/12   S<+  17:23   0:00 grep --colour=auto git
root     2794406  2.0  0.1 109612 28308 pts/9    SN+  17:23   0:00 /usr/bin/git fetch origin --depth 1
root     2794407  0.0  0.0      0     0 pts/9    ZN+  17:23   0:00 [git] <defunct>
root     2794564  0.0  0.4 1434100 67168 pts/9   RN+  17:23   0:00 /usr/libexec/git-core/git --shallow-file /var/db/repos/gentoo/.git/shallow.lock rev-list --objects --stdin --quiet --alternate-refs

FEATURES=usersync is set.

When comparing to the rsync and git modules, I see that rsync is called via portage.process.spawn and git via portage.process.spawn_bash, but not sure if relevant.
Comment 10 David Sardari 2022-04-13 22:37:44 UTC
@ajak I was also surprised that the "root" user is used. The behaviour you pointed out changes once "portage" owns /var/db/repos/gentoo. Then, "git clone/fetch" runs as the "portage" user.

For now, I decided to change ownership of /var/db/repos/gentoo to portage:portage and execute "git config --system --add safe.directory /var/db/repos/gentoo". That way, "git clone/fetch" is executed by "portage" which is more critical to me and (non-network bound) "git rev-parse" which apparently runs under root doesn't complain on "portage" ownership.
Comment 11 Larry the Git Cow gentoo-dev 2022-04-13 22:57:05 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afedd76307ba7fde47628d1dc84589a1d2ae9efc

commit afedd76307ba7fde47628d1dc84589a1d2ae9efc
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-13 22:56:35 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-13 22:56:35 +0000

    profiles: mask =dev-vcs/git-2.35.2
    
    2.35.2 was a quick release to mitigate a security issue (bug #838127), but
    introduces problems of its own with e.g. Portage. bug #838223. Pending
    investigation both on the Portage side and potentially upstream (as there's
    at least some UX issues with 2.35.2+ with the new "safe directory" mechanism).
    
    Earlier versions are still safe as long as you do not use git commands
    on a local repository controlled by a user you do not trust.
    
    Closes: https://bugs.gentoo.org/838127
    Closes: https://bugs.gentoo.org/838223
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 9 +++++++++
 1 file changed, 9 insertions(+)
Comment 12 Mike Gilbert gentoo-dev 2022-04-13 23:07:19 UTC
(In reply to John Helmert III from comment #9)

With FEATURES=usersync, portage is supposed to run the sync process as whatever user owns the directory containing the repository.

I suspect /var/db/repos/gentoo is owned by root on your system.
Comment 13 Mike Gilbert gentoo-dev 2022-04-13 23:10:47 UTC
There are several 'git' calls that are made using subprocess.check_output() instead of portage.process.spawn(). This seems to be done when we need to capture stdout from the called git process; portage.process.spawn() offers no simple way to capture that.

Reading from pipes without the help of the subprocess module can be tricky. Redirecting git's output to a temp file (tempfile.TemporaryFile) would probably be simpler. We can then read the contents back once the git process terminates.
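An added example of the two points made in comments 8 and 13, not taken from Portage's git.py: run the git subcommand as the user who owns the repository directory (uid and gid taken from the directory's stat, switched in the child before exec) and capture its stdout through a temporary file instead of a pipe. The names owner_spawn_kwargs, run_as_owner, git_rev_parse and demo_capture are this example's own; the privilege switch is only attempted when the caller is root, since setuid fails otherwise.

```python
"""Added example (not Portage code): run git as the repository owner and
capture its output without a pipe-reading loop.

With FEATURES="usersync" the sync is meant to run as the owner of the
repository directory. A child started as that owner is exactly what
git >= 2.35.2's safe.directory check wants to see, so no exception has
to be configured for a portage-owned /var/db/repos/gentoo.
"""
import os
import subprocess
import sys
import tempfile


def owner_spawn_kwargs(path):
    """Return subprocess kwargs that make the child run as path's owner.

    Returns an empty dict when no switch is needed (already that user)
    or not possible (caller is not root, so setuid would fail).
    """
    st = os.stat(path)
    if st.st_uid == os.geteuid() or os.geteuid() != 0:
        return {}

    def drop_privileges():
        # Order matters: supplementary groups and gid first, because once
        # setuid() has run the process can no longer change its gid.
        os.setgroups([])
        os.setgid(st.st_gid)
        os.setuid(st.st_uid)

    return {"preexec_fn": drop_privileges}


def run_as_owner(argv, cwd):
    """Run argv inside cwd as cwd's owner; return (returncode, output).

    stdout and stderr go to an unlinked temporary file; it is read back
    once the child has exited, so there is nothing to drain while it runs.
    """
    with tempfile.TemporaryFile() as out:
        proc = subprocess.run(
            argv,
            cwd=cwd,
            stdout=out,
            stderr=subprocess.STDOUT,
            **owner_spawn_kwargs(cwd),
        )
        out.seek(0)
        return proc.returncode, out.read().decode("utf-8", "replace")


def git_rev_parse(repo, rev="HEAD"):
    """The check Portage runs before a sync, executed as the repo owner."""
    rc, text = run_as_owner(["git", "rev-parse", rev], cwd=repo)
    return rc, text.strip()


def demo_capture():
    """Self-check with a harmless child: returns (0, 'hello') on success."""
    rc, text = run_as_owner([sys.executable, "-c", "print('hello')"], cwd=os.getcwd())
    return rc, text.strip()


if __name__ == "__main__":
    print(demo_capture())
    if len(sys.argv) > 1:
        # Usage: python example.py /var/db/repos/gentoo
        print(git_rev_parse(sys.argv[1]))
```

Two caveats a practitioner should keep in mind. First, the ownership that matters to git is that of the .git directory and every directory between it and the current directory, so the switch has to happen for every git invocation, including the read-only ones such as rev-parse, not just for clone and fetch. Second, `git config --global --add safe.directory` run as root writes /root/.gitconfig and therefore only ever applies to root; it also switches off the CVE-2022-24765 protection for that path, which is only acceptable when the owning user (portage) is trusted.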
Comment 14 Mike Gilbert gentoo-dev 2022-04-14 02:07:17 UTC
Regarding sam's last update to the summary: 

> sys-apps/portage with FEATURES="usersync" runs git as root if /var/db/repos/gentoo is root owned

git is *supposed* to run as root when /var/db/repos/gentoo is root-owned.

The problem occurs when /var/db/repos/gentoo is NOT root-owned. There, portage is NOT supposed to run git as root, but it does it anyway as I have explained in previous comments.
Comment 15 Larry the Git Cow gentoo-dev 2022-04-14 07:20:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5b2f637c5248f274789c4a02d06b2f41e378e96

commit d5b2f637c5248f274789c4a02d06b2f41e378e96
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-14 07:19:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-14 07:20:15 +0000

    profiles: mask =dev-vcs/git-2.35.3 too, for same reasons as 2.35.2
    
    Nothing's changed there wrt the Portage-related issues yet.
    
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Bug: https://bugs.gentoo.org/838127
    See: afedd76307ba7fde47628d1dc84589a1d2ae9efc
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 1 +
 1 file changed, 1 insertion(+)
Comment 16 David Sardari 2022-04-14 09:58:05 UTC
(In reply to Mike Gilbert from comment #14)
> git is *supposed* to run as root when /var/db/repos/gentoo is root-owned.

I wasn't aware of this. FYI for the others, the info can be found in the "usersync" description in "man make.conf".

In my installation guide, I decided to make a change from:

➤ tar --strip-components=1 -C /mnt/gentoo/var/db/repos/gentoo/ -xvpJf /mnt/gentoo/portage-latest.tar.xz

...to:

➤ tar --transform 's/^portage/gentoo/' -C /mnt/gentoo/var/db/repos/ -xvpJf /mnt/gentoo/portage-latest.tar.xz

FYI, /mnt/gentoo/var/db/repos/gentoo/ preexists before tar, because it is a mountpoint for my @ebuild btrfs subvolume.

Perhaps, the stage3 tarball should come with a portage:portage owned, empty "/var/db/repos/gentoo".
Comment 17 David Sardari 2022-04-14 11:23:48 UTC
IMHO, "usersync" is a bit misleading. Perhaps, a "non-root-sync" setting should be added.
Comment 18 Larry the Git Cow gentoo-dev 2022-07-03 00:56:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=28d8d469ed8db68225fd50755655dcda61bd9a78

commit 28d8d469ed8db68225fd50755655dcda61bd9a78
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-07-01 18:53:30 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-07-01 19:01:18 +0000

    git: mark repository as safe for newer gits
    
    While this doesn't solve the odd permissions issue for communication
    b/t gemato & git & portage, it does stop it manifesting.
    
    This fixes compatibility with >=dev-vcs/git-2.35.2.
    
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 lib/portage/sync/modules/git/git.py | 43 ++++++++++++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 5 deletions(-)
Comment 19 Larry the Git Cow gentoo-dev 2022-08-12 15:46:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c1a625acdacfb579786284836a8678013992310

commit 7c1a625acdacfb579786284836a8678013992310
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-12 15:42:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-12 15:44:11 +0000

    profiles: unmask >=dev-vcs/git-2.35.2
    
    We now have a USE=+safe-directory to allow disabling
    the sometimes problematic behaviour. But we've also
    fixed Portage and pkgcheck/pkgdev anyway.
    
    Bug: https://github.com/pkgcore/pkgcheck/issues/412
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 9 ---------
 1 file changed, 9 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33c5ec8d6f509841240464f248514320800f1229

commit 33c5ec8d6f509841240464f248514320800f1229
Author:     Thomas Bracht Laumann Jespersen <t@laumann.xyz>
AuthorDate: 2022-08-06 20:08:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-12 15:44:07 +0000

    dev-vcs/git: allow disabling "safe.directory"
    
    Add IUSE="+safe-directory" that when not enabled, makes the
    safe.directory configuration setting not take effect. The patch is meant
    to be the smallest change (in terms of lines of code) that would let the
    feature work for tests still.
    
    Bug: https://github.com/pkgcore/pkgcheck/issues/412
    Bug: https://bugs.gentoo.org/857831
    Bug: https://bugs.gentoo.org/838127
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Signed-off-by: Thomas Bracht Laumann Jespersen <t@laumann.xyz>
    Closes: https://github.com/gentoo/gentoo/pull/26762
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-vcs/git/files/git-2.37.2-unsafe-directory.patch | 14 ++++++++++++++
 dev-vcs/git/git-2.37.2.ebuild                       |  9 ++++++++-
 dev-vcs/git/metadata.xml                            |  1 +
 3 files changed, 23 insertions(+), 1 deletion(-)