Bug 838223 - sys-apps/portage with FEATURES="usersync" and >=dev-vcs/git-2.35.2 - git sync fails when repo is owned by non-root user - fatal: unsafe repository ('/var/db/repos/gentoo' is owned by someone else)
Status: CONFIRMED
Product: Portage Development
Component: Core
Hardware: All Linux
Importance: Normal normal (1 vote)
Assignee: Portage team
Whiteboard: git 2.35.2 masked for now which means...
Keywords: PullRequest
Blocks: CVE-2022-24765

Reported: 2022-04-13 15:50 UTC by Denis Lisov
Modified: 2022-04-15 07:39 UTC
CC: 11 users


Description Denis Lisov 2022-04-13 15:50:31 UTC
Starting with dev-vcs/git-2.35.2, git refuses to run in a location where `.git` or one of the directories between the current directory and `.git` belongs to a different user. This means that if `/var/db/repos/gentoo` is owned by `portage` (which, IIUC, is normal with FEATURES="usersync"), trying to run a git command there as root will fail.

Reproducible: Always

Steps to Reproduce:
1. Use the Gentoo main repository from `https://github.com/gentoo-mirror/gentoo/` with FEATURES="usersync". The repository will be `portage`-owned so that `portage` can update it.
2. Run `emerge --info` or `emerge --sync`
3. Observe the error message
Actual Results:  
fatal: unsafe repository ('/var/db/repos/gentoo' is owned by someone else)
To add an exception for this directory, call:
        git config --global --add safe.directory /var/db/repos/gentoo

Expected Results:  
All `git` calls should happen as the user owning the repository location just like syncing with `usersync` already does.
Comment 1 David Sardari 2022-04-13 16:41:29 UTC
The change in dev-vcs/git-2.35.2 was introduced due to CVE:
https://bugs.gentoo.org/838127
Comment 2 David Sardari 2022-04-13 17:04:08 UTC
This issue disables verification of repository HEAD's GnuPG signature:

➤ find /var/db/repos/gentoo -maxdepth 1 -mindepth 1 -exec rm -rf {} +
➤ emerge --sync > /tmp/a.txt
fatal: unsafe repository ('/var/db/repos/gentoo' is owned by someone else)
To add an exception for this directory, call:

	git config --global --add safe.directory /var/db/repos/gentoo
➤ find /var/db/repos/gentoo -maxdepth 1 -mindepth 1 -exec rm -rf {} +
➤ git config --system --add safe.directory /var/db/repos/gentoo
➤ emerge --sync > /tmp/b.txt
➤ diff --suppress-common-lines /tmp/a.txt /tmp/b.txt
4c4
Updating files: 100% (122032/122032), done.
---
Updating files: 100% (122032/122032), done.
6a7,8
>  * Trusted signature found on top commit
> === Sync completed for gentoo
38c40
< Action: sync for repo: gentoo, returned code = 1
---
> Action: sync for repo: gentoo, returned code = 0
Comment 3 David Sardari 2022-04-13 17:17:43 UTC
Full a.txt content ("emerge --sync" with defaults):

>>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
/usr/bin/git clone --depth 1 https://anongit.gentoo.org/git/repo/sync/gentoo.git .
Cloning into '.'...
Updating files: 100% (122032/122032), done.
 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys via WKD ...                                           [ ok ]

Performing Global Updates
(Could take a couple of minutes if you have a lot of binary packages.)
  .='update pass'  *='binary update'  #='/var/db update'  @='/var/db move'
  s='/var/db SLOT move'  %='binary move'  S='binary SLOT move'
  p='update /etc/portage/package.*'
/var/db/repos/gentoo/profiles/updates/1Q-2017............................
/var/db/repos/gentoo/profiles/updates/1Q-2018.....................
/var/db/repos/gentoo/profiles/updates/1Q-2019................
/var/db/repos/gentoo/profiles/updates/1Q-2020............
/var/db/repos/gentoo/profiles/updates/1Q-2021.......
/var/db/repos/gentoo/profiles/updates/1Q-2022..
/var/db/repos/gentoo/profiles/updates/2Q-2017....
/var/db/repos/gentoo/profiles/updates/2Q-2018..................
/var/db/repos/gentoo/profiles/updates/2Q-2019...
/var/db/repos/gentoo/profiles/updates/2Q-2020...........
/var/db/repos/gentoo/profiles/updates/2Q-2021........
/var/db/repos/gentoo/profiles/updates/2Q-2022.
/var/db/repos/gentoo/profiles/updates/3Q-2017........................
/var/db/repos/gentoo/profiles/updates/3Q-2018..
/var/db/repos/gentoo/profiles/updates/3Q-2019......
/var/db/repos/gentoo/profiles/updates/3Q-2020..................................................................................................................................................
/var/db/repos/gentoo/profiles/updates/3Q-2021..............
/var/db/repos/gentoo/profiles/updates/4Q-2017......
/var/db/repos/gentoo/profiles/updates/4Q-2018......
/var/db/repos/gentoo/profiles/updates/4Q-2019.......
/var/db/repos/gentoo/profiles/updates/4Q-2020........
/var/db/repos/gentoo/profiles/updates/4Q-2021..........................................................................



Action: sync for repo: gentoo, returned code = 1
Comment 4 David Sardari 2022-04-13 17:18:30 UTC
Full b.txt ("emerge --sync" with safe.directory setting):

>>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
/usr/bin/git clone --depth 1 https://anongit.gentoo.org/git/repo/sync/gentoo.git .
Cloning into '.'...
Updating files: 100% (122032/122032), done.
 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys via WKD ...                                           [ ok ]
 * Trusted signature found on top commit
=== Sync completed for gentoo

Performing Global Updates
(Could take a couple of minutes if you have a lot of binary packages.)
  .='update pass'  *='binary update'  #='/var/db update'  @='/var/db move'
  s='/var/db SLOT move'  %='binary move'  S='binary SLOT move'
  p='update /etc/portage/package.*'
/var/db/repos/gentoo/profiles/updates/1Q-2017............................
/var/db/repos/gentoo/profiles/updates/1Q-2018.....................
/var/db/repos/gentoo/profiles/updates/1Q-2019................
/var/db/repos/gentoo/profiles/updates/1Q-2020............
/var/db/repos/gentoo/profiles/updates/1Q-2021.......
/var/db/repos/gentoo/profiles/updates/1Q-2022..
/var/db/repos/gentoo/profiles/updates/2Q-2017....
/var/db/repos/gentoo/profiles/updates/2Q-2018..................
/var/db/repos/gentoo/profiles/updates/2Q-2019...
/var/db/repos/gentoo/profiles/updates/2Q-2020...........
/var/db/repos/gentoo/profiles/updates/2Q-2021........
/var/db/repos/gentoo/profiles/updates/2Q-2022.
/var/db/repos/gentoo/profiles/updates/3Q-2017........................
/var/db/repos/gentoo/profiles/updates/3Q-2018..
/var/db/repos/gentoo/profiles/updates/3Q-2019......
/var/db/repos/gentoo/profiles/updates/3Q-2020..................................................................................................................................................
/var/db/repos/gentoo/profiles/updates/3Q-2021..............
/var/db/repos/gentoo/profiles/updates/4Q-2017......
/var/db/repos/gentoo/profiles/updates/4Q-2018......
/var/db/repos/gentoo/profiles/updates/4Q-2019.......
/var/db/repos/gentoo/profiles/updates/4Q-2020........
/var/db/repos/gentoo/profiles/updates/4Q-2021..........................................................................



Action: sync for repo: gentoo, returned code = 0
Comment 5 David Sardari 2022-04-13 18:34:54 UTC
OK, this works as desired:

User patches have not been applied to portage.

Make sure you don't have the hardened Git version installed:

➤ git --version
git version 2.35.1

Delete all relevant configuration, empty Git repo and change ownership:

➤ rm -rfv /etc/gitconfig /etc/portage/gitconfig /etc/portage/repos.conf
removed '/etc/gitconfig'
removed '/etc/portage/gitconfig'
removed '/etc/portage/repos.conf/gentoo.conf'
removed directory '/etc/portage/repos.conf'
➤ find /var/db/repos/gentoo -maxdepth 1 -mindepth 1 -exec rm -rf {} +
➤ chown portage:portage /var/db/repos/gentoo

Use some old fork of https://github.com/gentoo-mirror/gentoo and enable GnuPG verification:

➤ mkdir -p /etc/portage/repos.conf && \
rsync -a /usr/share/portage/config/repos.conf /etc/portage/repos.conf/gentoo.conf && \
sed -i \
    -e 's/^\(sync-type[[:space:]]*=[[:space:]]*\).*/\1git/' \
    -e 's#^\(sync-uri[[:space:]]*=[[:space:]]*\).*#\1https://github.com/duxsco/gentoo.git#' \
    -e '$ a sync-git-verify-commit-signature = yes' \
    /etc/portage/repos.conf/gentoo.conf
➤ diff /usr/share/portage/config/repos.conf /etc/portage/repos.conf/gentoo.conf
6,7c6,7
< sync-type = rsync
< sync-uri = rsync://rsync.gentoo.org/gentoo-portage
---
> sync-type = git
> sync-uri = https://github.com/duxsco/gentoo.git
19a20
> sync-git-verify-commit-signature = yes

Sync:

➤ emerge --sync
>>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
/usr/bin/git clone --depth 1 https://github.com/aliceUnhinged613/gentoo.git .
Cloning into '.'...
remote: Enumerating objects: 141225, done.
remote: Counting objects: 100% (141225/141225), done.
remote: Compressing objects: 100% (126747/126747), done.
remote: Total 141225 (delta 27929), reused 64904 (delta 13425), pack-reused 0
Receiving objects: 100% (141225/141225), 70.92 MiB | 5.86 MiB/s, done.
Resolving deltas: 100% (27929/27929), done.
Updating files: 100% (124582/124582), done.
 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys via WKD ...                                                                                                         [ ok ]
 * Trusted signature found on top commit
=== Sync completed for gentoo

Performing Global Updates
(Could take a couple of minutes if you have a lot of binary packages.)
  .='update pass'  *='binary update'  #='/var/db update'  @='/var/db move'
  s='/var/db SLOT move'  %='binary move'  S='binary SLOT move'
  p='update /etc/portage/package.*'
/var/db/repos/gentoo/profiles/updates/1Q-2016............................................
/var/db/repos/gentoo/profiles/updates/1Q-2017................................
/var/db/repos/gentoo/profiles/updates/1Q-2018.....................
/var/db/repos/gentoo/profiles/updates/1Q-2019.................
/var/db/repos/gentoo/profiles/updates/1Q-2020............
/var/db/repos/gentoo/profiles/updates/2Q-2016..........................................................
/var/db/repos/gentoo/profiles/updates/2Q-2017....
/var/db/repos/gentoo/profiles/updates/2Q-2018..................
/var/db/repos/gentoo/profiles/updates/2Q-2019...
/var/db/repos/gentoo/profiles/updates/2Q-2020............
/var/db/repos/gentoo/profiles/updates/3Q-2015.....................
/var/db/repos/gentoo/profiles/updates/3Q-2016........................
/var/db/repos/gentoo/profiles/updates/3Q-2017........................
/var/db/repos/gentoo/profiles/updates/3Q-2018...
/var/db/repos/gentoo/profiles/updates/3Q-2019........
/var/db/repos/gentoo/profiles/updates/3Q-2020.....................................................................................................................................................
/var/db/repos/gentoo/profiles/updates/4Q-2015............................
/var/db/repos/gentoo/profiles/updates/4Q-2016..............................
/var/db/repos/gentoo/profiles/updates/4Q-2017.......
/var/db/repos/gentoo/profiles/updates/4Q-2018.......
/var/db/repos/gentoo/profiles/updates/4Q-2019.......



Action: sync for repo: gentoo, returned code = 0

Update dev-vcs/git:
➤ env ACCEPT_KEYWORDS=~amd64 emerge -1 =dev-vcs/git-2.35.2
➤ git --version
git version 2.35.2

Change remote origin URL:
➤ cd /var/db/repos/gentoo/
➤ chown -R root:root .
➤ git remote set-url origin https://github.com/gentoo-mirror/gentoo.git
➤ chown -R portage:portage .
➤ emerge --sync
>>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
fatal: unsafe repository ('/var/db/repos/gentoo' is owned by someone else)
To add an exception for this directory, call:

	git config --global --add safe.directory /var/db/repos/gentoo
!!! git rev-parse error in /var/db/repos/gentoo

Action: sync for repo: gentoo, returned code = 128
Comment 6 David Sardari 2022-04-13 18:59:46 UTC
So, you can say that an "emerge --sync" fails if you already have a repo in /var/db/repos/gentoo owned by portage.

If /var/db/repos/gentoo is empty, however, the repo is fetched over Git and stays in /var/db/repos/gentoo even if the GnuPG verification never occurs. In the following, resume from where we ended in my previous comment and do:

Delete repo:
➤ find /var/db/repos/gentoo -maxdepth 1 -mindepth 1 -exec rm -rf {} +

Change remote origin URL:
➤ sed -i 's#https://github.com/duxsco/gentoo.git#https://github.com/gentoo-mirror/gentoo.git#' /etc/portage/repos.conf/gentoo.conf
➤ diff /usr/share/portage/config/repos.conf /etc/portage/repos.conf/gentoo.conf
6,7c6,7
< sync-type = rsync
< sync-uri = rsync://rsync.gentoo.org/gentoo-portage
---
> sync-type = git
> sync-uri = https://github.com/gentoo-mirror/gentoo.git
19a20
> sync-git-verify-commit-signature = yes

Sync:
➤ emerge --sync
>>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
/usr/bin/git clone --depth 1 https://github.com/gentoo-mirror/gentoo.git .
Cloning into '.'...
remote: Enumerating objects: 138255, done.
remote: Counting objects: 100% (138255/138255), done.
remote: Compressing objects: 100% (119086/119086), done.
remote: Total 138255 (delta 30311), reused 66151 (delta 18153), pack-reused 0
Receiving objects: 100% (138255/138255), 73.46 MiB | 6.54 MiB/s, done.
Resolving deltas: 100% (30311/30311), done.
Updating files: 100% (122038/122038), done.
 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys via WKD ...                                                                                                         [ ok ]
fatal: unsafe repository ('/var/db/repos/gentoo' is owned by someone else)
To add an exception for this directory, call:

	git config --global --add safe.directory /var/db/repos/gentoo

Performing Global Updates
(Could take a couple of minutes if you have a lot of binary packages.)
  .='update pass'  *='binary update'  #='/var/db update'  @='/var/db move'
  s='/var/db SLOT move'  %='binary move'  S='binary SLOT move'
  p='update /etc/portage/package.*'
/var/db/repos/gentoo/profiles/updates/1Q-2017............................
/var/db/repos/gentoo/profiles/updates/1Q-2018.....................
/var/db/repos/gentoo/profiles/updates/1Q-2019................
/var/db/repos/gentoo/profiles/updates/1Q-2020............
/var/db/repos/gentoo/profiles/updates/1Q-2021.......
/var/db/repos/gentoo/profiles/updates/1Q-2022..
/var/db/repos/gentoo/profiles/updates/2Q-2017....
/var/db/repos/gentoo/profiles/updates/2Q-2018..................
/var/db/repos/gentoo/profiles/updates/2Q-2019...
/var/db/repos/gentoo/profiles/updates/2Q-2020...........
/var/db/repos/gentoo/profiles/updates/2Q-2021........
/var/db/repos/gentoo/profiles/updates/2Q-2022.
/var/db/repos/gentoo/profiles/updates/3Q-2017........................
/var/db/repos/gentoo/profiles/updates/3Q-2018..
/var/db/repos/gentoo/profiles/updates/3Q-2019......
/var/db/repos/gentoo/profiles/updates/3Q-2020..................................................................................................................................................
/var/db/repos/gentoo/profiles/updates/3Q-2021..............
/var/db/repos/gentoo/profiles/updates/4Q-2017......
/var/db/repos/gentoo/profiles/updates/4Q-2018......
/var/db/repos/gentoo/profiles/updates/4Q-2019.......
/var/db/repos/gentoo/profiles/updates/4Q-2020........
/var/db/repos/gentoo/profiles/updates/4Q-2021..........................................................................



Action: sync for repo: gentoo, returned code = 1

You have a fully valid repo, although no GnuPG verification occurred:
➤ chown -R root:root /var/db/repos/gentoo
➤ git rev-parse stable
1d05ebb9fa5b21638a22f5ea8ded0e797c830525
➤ git rev-parse HEAD
1d05ebb9fa5b21638a22f5ea8ded0e797c830525
Comment 7 David Sardari 2022-04-13 20:39:49 UTC
I am in favor of this procedure:

If "sync-git-verify-commit-signature=yes" is set and "/var/db/repos/gentoo" is empty, the Git repository should be cloned to a quarantine directory similar to the (default) rsync approach. Only after the verification of HEAD's GnuPG signature succeeds, should the repo be moved from quarantine directory to the empty "/var/db/repos/gentoo".

There is no need for a quarantine directory thereafter, if the subsequent "git fetch" is done, and the GnuPG signature of origin HEAD is checked _before_ a rebase occurs.
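The two-stage procedure proposed in this comment, written out as an added example (this is not Portage's code, and the function names are invented for the illustration). It addresses the finding in comment 6 that a fresh clone stays in /var/db/repos/gentoo even when the signature check never ran: the clone goes into a quarantine directory, and the tree is only published after HEAD's signature verifies; for an existing checkout, FETCH_HEAD is verified before anything is merged. It assumes `git` on PATH and a keyring visible to `git verify-commit` that holds the Gentoo release keys (for instance a GNUPGHOME populated from /usr/share/openpgp-keys/gentoo-release.asc, the file the sync output names). The fast-forward merge in the update path is this example's own choice.

```python
"""Clone into a quarantine directory; publish the tree only after HEAD verifies.

Added example of the procedure proposed in the comment above, not Portage's code.
Assumes `git` is on PATH and that `git verify-commit` can see a keyring holding the
Gentoo release keys (for instance a GNUPGHOME populated from
/usr/share/openpgp-keys/gentoo-release.asc, the file named in the sync output).
"""
import os
import shutil
import subprocess
import tempfile
from typing import Callable


def git_clone(uri: str, dest: str) -> None:
    """Shallow clone into an existing, empty destination directory."""
    subprocess.run(["git", "clone", "--depth", "1", uri, dest], check=True)


def signature_ok(repo: str, rev: str = "HEAD") -> bool:
    """True only if rev carries a signature gpg accepts.

    verify-commit exits non-zero for a missing or bad signature; set
    gpg.minTrustLevel in the git config to also reject keys you do not trust.
    """
    done = subprocess.run(["git", "-C", repo, "verify-commit", rev], capture_output=True)
    return done.returncode == 0


def fake_clone_for_offline_demo(uri: str, dest: str) -> None:
    """Constructed stand-in for git_clone so the flow can be exercised without network."""
    os.makedirs(os.path.join(dest, ".git"))
    with open(os.path.join(dest, "profiles"), "w") as fh:
        fh.write("constructed placeholder\n")


def sync_into_empty_dir(repo_dir: str, uri: str,
                        clone: Callable[[str, str], None] = git_clone,
                        verify: Callable[[str], bool] = signature_ok) -> bool:
    """Populate repo_dir from uri only if the clone's HEAD verifies; else leave it empty.

    The quarantine is created *inside* repo_dir so the publish step is a
    same-filesystem rename even when repo_dir is its own mount point (a btrfs
    subvolume, as one commenter uses).  Whatever happens, the quarantine is gone
    on return: emptied after success, deleted whole after failure.
    """
    if os.listdir(repo_dir):
        raise FileExistsError(f"{repo_dir} is not empty; use fetch_verify_update()")
    quarantine = tempfile.mkdtemp(prefix=".quarantine-", dir=repo_dir)
    try:
        clone(uri, quarantine)
        if not verify(quarantine):
            return False                      # fail closed: nothing reaches repo_dir
        for entry in os.listdir(quarantine):  # includes .git
            os.rename(os.path.join(quarantine, entry), os.path.join(repo_dir, entry))
        return True
    finally:
        shutil.rmtree(quarantine, ignore_errors=True)


def fetch_verify_update(repo_dir: str,
                        verify: Callable[[str, str], bool] = signature_ok) -> bool:
    """Existing checkout: fetch, verify the fetched tip, and only then move the tree.

    Verification runs against FETCH_HEAD, before any merge or rebase touches the
    working tree.  The fast-forward merge is this example's choice of update step.
    """
    subprocess.run(["git", "-C", repo_dir, "fetch", "--depth", "1", "origin"], check=True)
    if not verify(repo_dir, "FETCH_HEAD"):
        return False
    subprocess.run(["git", "-C", repo_dir, "merge", "--ff-only", "FETCH_HEAD"], check=True)
    return True


if __name__ == "__main__":
    ok = sync_into_empty_dir("/var/db/repos/gentoo",
                             "https://anongit.gentoo.org/git/repo/sync/gentoo.git")
    print("verified and published" if ok else "rejected, /var/db/repos/gentoo left empty")
```

With the constructed `fake_clone_for_offline_demo` and a `verify` that returns False, the target directory is empty afterwards, which is exactly the outcome comment 6 shows Portage currently does not guarantee.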
Comment 8 Mike Gilbert gentoo-dev 2022-04-13 22:18:31 UTC
It looks like portage runs "git rev-parse" as root, regardless of the usersync setting.

> % sudo emerge --sync
> >>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
> fatal: unsafe repository ('/var/db/repos/gentoo' is owned by someone else)
> To add an exception for this directory, call:
> 
>         git config --global --add safe.directory /var/db/repos/gentoo
> !!! git rev-parse error in /var/db/repos/gentoo
> 
> Action: sync for repo: gentoo, returned code = 128

The relevant code is in the portage.sync.modules.git.GitSync class.

We currently use subprocess.subprocess.check_output() to call "git rev-parse".

We should probably change this to use portage.process.spawn() instead. The sync uid is configured in self.span_kwargs.
Comment 9 John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2022-04-13 22:26:28 UTC
(In reply to Mike Gilbert from comment #8)
> It looks like portage runs "git rev-parse" as root, regardless of the
> usersync setting.
> 
> > % sudo emerge --sync
> > >>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
> > fatal: unsafe repository ('/var/db/repos/gentoo' is owned by someone else)
> > To add an exception for this directory, call:
> > 
> >         git config --global --add safe.directory /var/db/repos/gentoo
> > !!! git rev-parse error in /var/db/repos/gentoo
> > 
> > Action: sync for repo: gentoo, returned code = 128
> 
> The relevant code is in the portage.sync.modules.git.GitSync class.
> 
> We currently use subprocess.subprocess.check_output() to call "git
> rev-parse".
> 
> We should probably change this to use portage.process.spawn() instead. The
> sync uid is configured in self.span_kwargs.

I'm not sure this is the whole problem.

During a sync, I ran:

`while true; do ps aux | grep git; sleep .1; done | tee sync`

Eventually I saw:

root     2794406  0.0  0.1  35240 27892 pts/9    SN+  17:23   0:00 /usr/bin/git fetch origin --depth 1
root     2794407  0.0  0.0  10148  4128 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git remote-https origin https://github.com/gentoo-mirror/gentoo
root     2794408  0.0  0.0  14192  8340 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git-remote-https origin https://github.com/gentoo-mirror/gentoo
jake     2794410  0.0  0.0   6604  2252 pts/12   S<+  17:23   0:00 grep --colour=auto git
root     2794406  0.0  0.1  35240 27892 pts/9    SN+  17:23   0:00 /usr/bin/git fetch origin --depth 1
root     2794407  0.0  0.0  10148  4128 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git remote-https origin https://github.com/gentoo-mirror/gentoo
root     2794408  0.0  0.0  15336  8920 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git-remote-https origin https://github.com/gentoo-mirror/gentoo
jake     2794414  0.0  0.0   6604  2256 pts/12   S<+  17:23   0:00 grep --colour=auto git
root     2794406  0.0  0.1  35880 28240 pts/9    SN+  17:23   0:00 /usr/bin/git fetch origin --depth 1
root     2794407  0.0  0.0  10148  4128 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git remote-https origin https://github.com/gentoo-mirror/gentoo
root     2794408  0.0  0.0  15336  8920 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git-remote-https origin https://github.com/gentoo-mirror/gentoo
jake     2794422  0.0  0.0   6604  2252 pts/12   S<+  17:23   0:00 grep --colour=auto git
root     2794406  2.0  0.1  44076 28240 pts/9    SNl+ 17:23   0:00 /usr/bin/git fetch origin --depth 1
root     2794407  0.0  0.0  10148  4128 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git remote-https origin https://github.com/gentoo-mirror/gentoo
root     2794408  0.0  0.0  15336  8920 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git-remote-https origin https://github.com/gentoo-mirror/gentoo
jake     2794477  0.0  0.0   6604  2192 pts/12   S<+  17:23   0:00 grep --colour=auto git
root     2794406  2.0  0.1  44076 28240 pts/9    SNl+ 17:23   0:00 /usr/bin/git fetch origin --depth 1
root     2794407  0.0  0.0  10148  4128 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git remote-https origin https://github.com/gentoo-mirror/gentoo
root     2794408  0.0  0.0  15336  8920 pts/9    SN+  17:23   0:00 /usr/libexec/git-core/git-remote-https origin https://github.com/gentoo-mirror/gentoo
jake     2794532  0.0  0.0   6604  2256 pts/12   S<+  17:23   0:00 grep --colour=auto git
root     2794406  2.0  0.1 109612 28308 pts/9    SN+  17:23   0:00 /usr/bin/git fetch origin --depth 1
root     2794407  0.0  0.0      0     0 pts/9    ZN+  17:23   0:00 [git] <defunct>
root     2794564  0.0  0.4 1434100 67168 pts/9   RN+  17:23   0:00 /usr/libexec/git-core/git --shallow-file /var/db/repos/gentoo/.git/shallow.lock rev-list --objects --stdin --quiet --alternate-refs

FEATURES=usersync is set.

When comparing to the rsync and git modules, I see that rsync is called via portage.process.spawn and git via portage.process.spawn_bash, but not sure if relevant.
Comment 10 David Sardari 2022-04-13 22:37:44 UTC
@ajak I was also surprised that the "root" user is used. The behaviour you pointed out changes once "portage" owns /var/db/repos/gentoo. Then, "git clone/fetch" runs as the "portage" user.

For now, I decided to change ownership of /var/db/repos/gentoo to portage:portage and execute "git config --system --add safe.directory /var/db/repos/gentoo". That way, "git clone/fetch" is executed by "portage", which is more critical to me, and the (non-network-bound) "git rev-parse", which apparently runs under root, doesn't complain about "portage" ownership.
Comment 11 Larry the Git Cow gentoo-dev 2022-04-13 22:57:05 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afedd76307ba7fde47628d1dc84589a1d2ae9efc

commit afedd76307ba7fde47628d1dc84589a1d2ae9efc
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-13 22:56:35 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-13 22:56:35 +0000

    profiles: mask =dev-vcs/git-2.35.2
    
    2.35.2 was a quick release to mitigate a security issue (bug #838127), but
    introduces problems of its own with e.g. Portage. bug #838223. Pending
    investigation both on the Portage side and potentially upstream (as there's
    at least some UX issues with 2.35.2+ with the new "safe directory" mechanism).
    
    Earlier versions are still safe as long as you do not use git commands
    on a local repository controlled by a user you do not trust.
    
    Closes: https://bugs.gentoo.org/838127
    Closes: https://bugs.gentoo.org/838223
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 9 +++++++++
 1 file changed, 9 insertions(+)
Comment 12 Mike Gilbert gentoo-dev 2022-04-13 23:07:19 UTC
(In reply to John Helmert III from comment #9)

With FEATURES=usersync, portage is supposed to run the sync process as whatever user owns the directory containing the repository.

I suspect /var/db/repos/gentoo is owned by root on your system.
Comment 13 Mike Gilbert gentoo-dev 2022-04-13 23:10:47 UTC
There are several 'git' calls that are made using subprocess.check_output() instead of portage.process.spawn(). This seems to be done when we need to capture stdout from the called git process; portage.process.spawn() offers no simple way to capture that.

Reading from pipes without the help of the subprocess module can be tricky. Redirecting git's output to a temp file (tempfile.TemporaryFile) would probably be simpler. We can then read the contents back once the git process terminates.
Comment 14 Mike Gilbert gentoo-dev 2022-04-14 02:07:17 UTC
Regarding sam's last update to the summary: 

> sys-apps/portage with FEATURES="usersync" runs git as root if /var/db/repos/gentoo is root owned

git is *supposed* to run as root when /var/db/repos/gentoo is root-owned.

The problem occurs when /var/db/repos/gentoo is NOT root-owned. There, portage is NOT supposed to run git as root, but it does it anyway as I have explained in previous comments.
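As an added illustration of the fix discussed in comments 8, 13 and 14 (this is not Portage's code, and `spawn_kwargs_for`, `run_as_owner` and `git_as_owner` are names invented for the example): derive the identity git should run under from the ownership of the repository directory, switch to that user only when the caller is root, and still capture git's stdout. A root-owned tree keeps being synced by root, as comment 14 says it should; a portage-owned tree gets git run as portage, so the euid matches the owner and git's safe.directory check passes without any exception being configured. It assumes Python 3.9 or newer, whose `subprocess.run()` accepts `user=`, `group=` and `extra_groups=`, and a `git` binary on PATH for the final demo call.

```python
"""Run git as the owner of the repository tree, the way FEATURES=usersync intends.

Added example, not Portage's code.  Assumes Python >= 3.9 (subprocess.run()
accepts user=, group= and extra_groups=) and that `git` is on PATH.
"""
import grp
import os
import pwd
import subprocess
from typing import Optional


def owner_of(path: str) -> tuple:
    """uid and gid of the repository directory itself."""
    st = os.stat(path)
    return st.st_uid, st.st_gid


def spawn_kwargs_for(path: str, euid: Optional[int] = None) -> dict:
    """Keyword arguments for subprocess.run() so the child runs as the repo owner.

    * owner == caller: empty dict, git keeps running as the caller (a root-owned
      tree is synced by root, the documented usersync behaviour).
    * caller is root, owner differs: drop to the owner's uid/gid/supplementary
      groups, so git's safe.directory check (euid vs. owner) is satisfied.
    * caller is unprivileged and does not own the tree: refuse, because the
      only alternative would be to run git under the wrong identity.
    """
    euid = os.geteuid() if euid is None else euid
    uid, gid = owner_of(path)
    if uid == euid:
        return {}
    if euid != 0:
        raise PermissionError(f"{path} is owned by uid {uid}; uid {euid} cannot switch to it")
    try:
        name = pwd.getpwuid(uid).pw_name
        extra = [g.gr_gid for g in grp.getgrall() if name in g.gr_mem]
    except KeyError:            # uid without a passwd entry: no supplementary groups
        extra = []
    return {"user": uid, "group": gid, "extra_groups": extra}


def run_as_owner(path: str, argv: list, euid: Optional[int] = None) -> str:
    """Run argv inside path as the owner and return its stripped stdout.

    Capturing stdout needs no pipe juggling: subprocess.run() handles it even
    when user=/group= are given (the capture problem raised in comment 13).
    """
    kwargs = spawn_kwargs_for(path, euid)
    env = dict(os.environ)
    if "user" in kwargs:
        try:                                   # the owner's ~/.gitconfig, not root's
            env["HOME"] = pwd.getpwuid(kwargs["user"]).pw_dir
        except KeyError:
            pass
    done = subprocess.run(argv, cwd=path, env=env, capture_output=True,
                          text=True, check=True, **kwargs)
    return done.stdout.strip()


def git_as_owner(path: str, *git_args: str) -> str:
    """`git <args>` inside path, run as whoever owns path."""
    return run_as_owner(path, ["git", *git_args])


if __name__ == "__main__":
    # With /var/db/repos/gentoo owned by portage and this script run by root,
    # rev-parse runs as portage and git no longer reports "unsafe repository".
    print(git_as_owner("/var/db/repos/gentoo", "rev-parse", "HEAD"))
```

Note the refusal branch: an unprivileged caller that does not own the tree gets a `PermissionError` instead of a root-run git, which is the silent misbehaviour comment 9's `ps` loop caught.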
Comment 15 Larry the Git Cow gentoo-dev 2022-04-14 07:20:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5b2f637c5248f274789c4a02d06b2f41e378e96

commit d5b2f637c5248f274789c4a02d06b2f41e378e96
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-14 07:19:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-14 07:20:15 +0000

    profiles: mask =dev-vcs/git-2.35.3 too, for same reasons as 2.35.2
    
    Nothing's changed there wrt the Portage-related issues yet.
    
    Bug: https://bugs.gentoo.org/838223
    Bug: https://bugs.gentoo.org/838271
    Bug: https://bugs.gentoo.org/838127
    See: afedd76307ba7fde47628d1dc84589a1d2ae9efc
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 1 +
 1 file changed, 1 insertion(+)
Comment 16 David Sardari 2022-04-14 09:58:05 UTC
(In reply to Mike Gilbert from comment #14)
> git is *supposed* to run as root when /var/db/repos/gentoo is root-owned.

I wasn't aware of this. FYI for the others, the info can be found in the "usersync" description in "man make.conf".

In my installation guide, I decided to make a change from:

➤ tar --strip-components=1 -C /mnt/gentoo/var/db/repos/gentoo/ -xvpJf /mnt/gentoo/portage-latest.tar.xz

...to:

➤ tar --transform 's/^portage/gentoo/' -C /mnt/gentoo/var/db/repos/ -xvpJf /mnt/gentoo/portage-latest.tar.xz

FYI, /mnt/gentoo/var/db/repos/gentoo/ already exists before the tar step, because it is a mountpoint for my @ebuild btrfs subvolume.

Perhaps, the stage3 tarball should come with a portage:portage owned, empty "/var/db/repos/gentoo".
Comment 17 David Sardari 2022-04-14 11:23:48 UTC
IMHO, "usersync" is a bit misleading. Perhaps, a "non-root-sync" setting should be added.