From f32d2aecceafe1730cc5d6ad684e0d4230e690ff Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 3 Mar 2025 15:47:09 -0400 Subject: [PATCH] autoenable security for compute special remote Added annex.security.autoenable-compute-programs and only allow autoenabling special remotes that use compute programs on that list. The reason this is needed is a user might have some compute programs that are less safe to use than others. They might want to use an unsafe one only with one repository, where they are the only committer or other committers are trusted. They might be ok with others being used by any repository, and if so they can add them to the list. Another reason would be a user who has installed a compute program by accident. Eg, it might be included with git-annex at some point, or pulled in by some dependency. That user doesn't necessarily want that compute program to be used in an autoenabled special remote. --- Remote/Compute.hs | 18 +++++++++++++++++- TODO-compute | 2 -- Types/GitConfig.hs | 3 +++ .../compute_special_remote_interface.mdwn | 7 +++---- doc/git-annex.mdwn | 7 +++++++ doc/special_remotes/compute.mdwn | 6 ++++++ 6 files changed, 36 insertions(+), 7 deletions(-) diff --git a/Remote/Compute.hs b/Remote/Compute.hs index 564ecbda70..d43e745e95 100644 --- a/Remote/Compute.hs +++ b/Remote/Compute.hs @@ -23,6 +23,7 @@ module Remote.Compute ( ) where import Annex.Common +import qualified Annex import Types.Remote import Types.ProposedAccepted import Types.MetaData 
@@ -118,8 +119,23 @@ gen r u rc gc rs = case getComputeProgram' rc of } setupInstance :: SetupStage -> Maybe UUID -> Maybe CredPair -> RemoteConfig -> RemoteGitConfig -> Annex (RemoteConfig, UUID) -setupInstance _ mu _ c _ = do +setupInstance ss mu _ c _ = do ComputeProgram program <- either giveup return $ getComputeProgram' c + case ss of + AutoEnable _ -> do + l <- maybe [] words + . annexAutoEnableComputePrograms + <$> Annex.getGitConfig + unless (program `elem` l) $ do + let remotename = fromMaybe "(unknown)" (lookupName c) + giveup $ unwords + [ "Not auto-enabling compute special remote" + , remotename + , "because its compute program" + , program + , " is not listed in annex.security.autoenable-compute-programs" + ] + _ -> noop unlessM (liftIO $ inSearchPath program) $ giveup $ "Cannot find " ++ program ++ " in PATH" u <- maybe (liftIO genUUID) return mu diff --git a/TODO-compute b/TODO-compute index b3f67016a7..547730914e 100644 --- a/TODO-compute +++ b/TODO-compute @@ -3,8 +3,6 @@ * get input files for a computation (so `git-annex get .` gets every file, even when input files in a directory are processed after computed files) -* autoinit security - * addcomputed should honor annex.addunlocked. * Perhaps recompute should write a new version of a file as an unlocked diff --git a/Types/GitConfig.hs b/Types/GitConfig.hs index 255778387f..6ea4503d1a 100644 --- a/Types/GitConfig.hs +++ b/Types/GitConfig.hs @@ -146,6 +146,7 @@ data GitConfig = GitConfig , annexAllowedUrlSchemes :: S.Set Scheme , annexAllowedIPAddresses :: String , annexAllowUnverifiedDownloads :: Bool + , annexAutoEnableComputePrograms :: Maybe String , annexMaxExtensionLength :: Maybe Int , annexMaxExtensions :: Maybe Int , annexJobs :: Concurrency 
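Review bot: In Remote/Compute.hs, the `_ -> noop` arm that closes the new `case ss of` in setupInstance makes the allowlist check fail open for every setup stage other than `AutoEnable`, including any stage added to `SetupStage` later. Listing the remaining constructors explicitly instead of `_` would let the incomplete-pattern warning force a decision when a new stage appears. A comment above the case would also help, e.g. `-- Autoenable is triggered by repository content, so only programs the user has allowlisted may be set up this way.` Minor: the last `unwords` element `" is not listed in annex.security.autoenable-compute-programs"` starts with a space, so the message prints a double space after the program name. setupInstance's body continues past the end of the hunk.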
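Review bot: In Types/GitConfig.hs, the new field `annexAutoEnableComputePrograms :: Maybe String` keeps the allowlist as the raw config string, so each consumer has to split it itself (Remote/Compute.hs does so with `words`). Storing the parsed form, e.g. `annexAutoEnableComputePrograms :: [String]` filled with `maybe [] words`, would keep the parsing in one place, much as `annexAllowedUrlSchemes` is already held as a `S.Set Scheme`. If the raw string stays, a field comment such as `-- Nothing: no compute program may be autoenabled` would record the fail-closed default. The GitConfig record starts and ends outside the hunk.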
@@ -261,6 +262,8 @@ extractGitConfig configsource r = GitConfig getmaybe (annexConfig "security.allowed-http-addresses") -- old name , annexAllowUnverifiedDownloads = (== Just "ACKTHPPT") $ getmaybe (annexConfig "security.allow-unverified-downloads") + , annexAutoEnableComputePrograms = + getmaybe (annexConfig "security.autoenable-compute-programs") , annexMaxExtensionLength = getmayberead (annexConfig "maxextensionlength") , annexMaxExtensions = getmayberead (annexConfig "maxextensions") , annexJobs = fromMaybe NonConcurrent $ diff --git a/doc/design/compute_special_remote_interface.mdwn b/doc/design/compute_special_remote_interface.mdwn index cd53a04aa1..8b62a601fa 100644 --- a/doc/design/compute_special_remote_interface.mdwn +++ b/doc/design/compute_special_remote_interface.mdwn @@ -26,13 +26,12 @@ For security, the program should avoid exposing user input to the shell unprotected, or otherwise executing it. The program is run in a temporary directory, which will be cleaned up after -it exits. Note that it may be run in a subdirectory of its temporary +it exits. Note that it may be run in a subdirectory of a temporary directory. This is done when `git-annex addcomputed` was run in a subdirectory of the git repository. -The content of any annexed file in the repository can be an input -to the computation. The program requests an input by writing a line to -stdout: +The content of any file in the repository can be an input to the +computation. The program requests an input by writing a line to stdout: INPUT file.raw diff --git a/doc/git-annex.mdwn b/doc/git-annex.mdwn index daed2be98a..2146104456 100644 --- a/doc/git-annex.mdwn +++ b/doc/git-annex.mdwn 
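Review bot: In Types/GitConfig.hs, `annexAutoEnableComputePrograms` is read with a plain `getmaybe`, and nothing visible in the hunk restricts where the value may come from. Since this list is the only gate on autoenabling a compute program, it is worth confirming that no `configsource` passed to `extractGitConfig` lets the value be set from repository-controlled configuration. A short comment at the assignment, e.g. `-- security setting: must only be read from the user's own git config`, would record that intent. The record expression continues outside the hunk.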
@@ -2201,6 +2201,13 @@ Remotes are configured using these settings in `.git/config`. Per-remote configuration of annex.security.allow-unverified-downloads. +* `annex.security.autoenable-compute-programs` + + This is a space separated list of compute programs eg + "git-annex-compute-foo git-annex-compute-bar". Listing a compute + program here allows compute special remotes that use that program to be + autoenabled. + # CONFIGURATION OF ASSISTANT * `annex.delayadd` diff --git a/doc/special_remotes/compute.mdwn b/doc/special_remotes/compute.mdwn index c3f4186008..811640e2f6 100644 --- a/doc/special_remotes/compute.mdwn +++ b/doc/special_remotes/compute.mdwn @@ -15,6 +15,12 @@ program to use to compute the contents of annexed files. It must start with "git-annex-compute-". The program needs to be installed somewhere in the `PATH`. +The `autoenable` parameter can be set to "true" like with other special +remotes to make git-annex automatically enable this special remote when +run in a new clone of the repository. However, for security, autoenabling +is only done when the git config `annex.security.autoenable-compute-programs` +includes the name of the compute program. + All other "field=value" parameters passed to `initremote` will be passed to the program when running [[git-annex-addcomputed]]. Note that when the program takes a dashed option, it can be provided after "--":