sobolevn / git-secret

:busts_in_silhouette: A bash-tool to store your private data inside a git repository.
https://sobolevn.me/git-secret/
MIT License
3.69k stars 201 forks

Enable silencing of "gpg: WARNING: unsafe permissions on homedir" warning (--no-permission-warning) #999

Open paslandau opened 1 year ago

paslandau commented 1 year ago

What are the steps to reproduce this issue?

  1. initialize git secret
  2. share the .gitsecret/keys folder via bind-mount with docker on Windows via Docker Desktop (Docker Desktop sets permissions to read/write/execute for users, groups and others 0777 - this can not be changed)
  3. run git secret hide
  4. observe error message gpg: WARNING: unsafe permissions on homedir

Run the following script on Windows using Docker Desktop

docker build -t my-git-secret-img -<<'EOF'
FROM alpine:3.17

ADD https://gitsecret.jfrog.io/artifactory/api/security/keypair/public/repositories/git-secret-apk /etc/apk/keys/git-secret-apk.rsa.pub
RUN echo "https://gitsecret.jfrog.io/artifactory/git-secret-apk/latest-stable/main" >> /etc/apk/repositories  && \
    apk add --update --no-cache \
        bash \
        git \
        git-secret=0.5.0 \
        gnupg

RUN echo "Key-Type: 1" > create && \
    echo "Key-Length: 2048" >> create && \
    echo "Subkey-Type: 1" >> create && \
    echo "Subkey-Length: 2048" >> create && \
    echo "Name-Real: Foo Bar" >> create && \
    echo "Name-Email: foo@bar.com" >> create && \
    echo "Expire-Date: 0" >> create && \
    echo "%no-protection" >> create && \
    cat create | gpg --batch --gen-key && \
    gpg --list-keys && \
    gpg --output /root/gpg.key --armor --export-secret-key foo@bar.com

RUN echo "#!/usr/bin/env bash" >> /entrypoint.bash && \
    echo "set -e" >> /entrypoint.bash && \
    echo "gpg --quiet --import --batch --yes --pinentry-mode loopback /root/gpg.key" >> /entrypoint.bash && \
    echo "exec \"\$@\"" >> /entrypoint.bash && \
    chmod +x /entrypoint.bash

ENTRYPOINT ["/entrypoint.bash", "git", "secret"]
EOF

git init
docker run -v "$(pwd):/codebase" --workdir /codebase my-git-secret-img init
touch foo
docker run --rm -v "$(pwd):/codebase" --workdir /codebase my-git-secret-img add foo
docker run --rm -v "$(pwd):/codebase" --workdir /codebase my-git-secret-img tell foo@bar.com
docker run --rm -v "$(pwd):/codebase" --workdir /codebase my-git-secret-img hide

See this gif for an example:

[gif: git-secret]

What happens?

A GPG permission warning is shown

What were you expecting to happen?

Not see any warnings

Proposal

Add an ENV variable like DISABLE_GPG_PERMISSIONS_WARNING that sets the --no-permission-warning flag on the gpg command.

Any other comments?

This behavior started when we switched from v0.4.0 to v0.5.0 and is also documented in the CHANGELOG via

Allow gnupg permission warnings in tell, hide, reveal, and removeperson (#811)

Unfortunately, there is no way to disable the warnings. In the setup outlined above, it is impossible to change the file permissions, see:

Docker Desktop sets permissions to read/write/execute for users, groups and others 0777 or a+rwx. This is not configurable.

(https://docs.docker.com/desktop/settings/windows/#file-sharing)

The default permissions on shared volumes are not configurable. If you are working with applications that require permissions different from the shared volume defaults at container runtime, you need to either use non-host-mounted volumes or find a way to make the applications work with the default file permissions.

(https://docs.docker.com/desktop/troubleshoot/topics/#permissions-errors-on-data-directories-for-shared-volumes)

Docker Desktop does not enable you to control (chmod) the Unix-style permissions on shared volumes for deployed containers, but rather sets permissions to a default value of 0777 (read, write, execute permissions for user and for group) which is not configurable.

(https://docs.docker.com/desktop/faqs/windowsfaqs/#can-i-change-permissions-on-shared-volumes-for-container-specific-deployment-requirements)

What versions of software are you using?

Operating system: (uname -a) …

MINGW64_NT-10.0-19044 LAPTOP-0DNL2Q02 3.3.6-bec3d608-341.x86_64 2023-02-22 08:29 UTC x86_64 Msys
(Win)

Linux application 5.15.49-linuxkit #1 SMP Tue Sep 13 07:51:46 UTC 2022 x86_64 GNU/Linux
(Docker; Alpine)

git-secret path: (which git-secret) …

/usr/bin/git-secret

git-secret version: (git secret --version) …

0.5.0

git version: (git --version) …

git version 2.38.5

Shell type and version: ($SHELL --version) …

GNU bash, version 5.2.15(1)-release (x86_64-alpine-linux-musl)

gpg version: (gpg --version) …

gpg (GnuPG) 2.2.40

paslandau commented 1 year ago

FYI: As a workaround, we are currently using a shim for gpg that adds the --no-permission-warning back when --encrypt is used as an option:

#!/usr/bin/env bash

# Forward to the real gpg, appending --no-permission-warning only when
# --encrypt is present and the caller did not already pass the flag.
# Arguments are forwarded as "$@" so paths containing spaces survive.
if [[ ! "$*" =~ "--no-permission-warning" && "$*" =~ "--encrypt" ]]
then
  /usr/bin/gpg "$@" --no-permission-warning
else
  /usr/bin/gpg "$@"
fi

The file is located at /usr/local/bin/gpg ( /usr/local/bin/ comes first in the $PATH and will thus take precedence over the "real" gpg in /usr/bin/gpg).

But this is obviously not a desirable solution and probably has some side effects somewhere :(


This is done in our Dockerfile via:

# Note:
#  In v0.5.0 of `git-secret` the `--no-permission-warning` flag was removed from certain commands.
#  This issues a warning due to unsafe permissions when encrypting files:
#  ```
#  gpg: WARNING: unsafe permissions on homedir
#  ```
#  Unfortunately, we cannot modify the permissions of the `homedir` in a Docker Desktop setup, because
#  the `homedir` is part of the repository and thus bind-mounted in the container:
#  ```
#  Docker Desktop sets permissions to read/write/execute for users, groups and others 0777 or a+rwx. This is not configurable.
#  ```
#  @see https://docs.docker.com/desktop/settings/windows/#file-sharing
#  Thus, we create a shim for `gpg` in `/usr/local/bin/gpg` ( `/usr/local/bin/` comes first in the $PATH
#  and will thus take precedence over the "real" gpg in `/usr/bin/gpg` ). The shim will add the
#  `--no-permission-warning` flag as an option if:
#  - `--encrypt` is used
#  - `--no-permission-warning` does not exist yet as an option
#  and then execute the real `gpg` with all given arguments (quoted as `"$@"` so arguments with spaces survive)
RUN path_to_original_gpg=$(which gpg) && \
    echo '#!/usr/bin/env bash'                                                 >  /usr/local/bin/gpg && \
    echo ''                                                                    >> /usr/local/bin/gpg && \
    echo 'if [[ ! "$*" =~ "--no-permission-warning" && "$*" =~ "--encrypt" ]]' >> /usr/local/bin/gpg && \
    echo 'then'                                                                >> /usr/local/bin/gpg && \
    echo '  '"${path_to_original_gpg}"' "$@" --no-permission-warning'          >> /usr/local/bin/gpg && \
    echo 'else'                                                                >> /usr/local/bin/gpg && \
    echo '  '"${path_to_original_gpg}"' "$@"'                                  >> /usr/local/bin/gpg && \
    echo 'fi'                                                                  >> /usr/local/bin/gpg && \
    chmod +x /usr/local/bin/gpg
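A sturdier variant of the PATH shim described in this comment (both the standalone script and the version generated from the Dockerfile), added here as an example; it is not the commenter's script and not part of git-secret. The variable `REAL_GPG`, the function names and the `gpg-shim:` log prefix are assumptions chosen for this example. Compared with the posted shim it forwards arguments as `"$@"`, matches flags as whole arguments rather than substrings, and appends `--no-permission-warning` only when the homedir gpg will use really is group- or other-writable (the condition behind the warning), logging that decision once on stderr so the unsafe-permission state stays visible in build output instead of being silenced everywhere:

```shell
#!/usr/bin/env bash
# gpg PATH shim: added example, not part of the issue or of git-secret.
# Installs like the posted shim (e.g. as /usr/local/bin/gpg) and forwards to
# the real binary, suppressing the homedir permission warning only for
# --encrypt runs whose homedir is actually group- or other-writable.
set -eu

# Real gpg binary. REAL_GPG is an assumed variable name; override it in the environment.
REAL_GPG="${REAL_GPG:-/usr/bin/gpg}"

# has_arg NEEDLE ARG... -> success if NEEDLE equals one of ARG exactly
# (so --encrypt-to does not count as --encrypt)
has_arg() {
  local needle="$1" a
  shift
  for a in "$@"; do
    [ "$a" = "$needle" ] && return 0
  done
  return 1
}

# homedir_from_args ARG... -> prints the homedir gpg will use:
# --homedir DIR or --homedir=DIR if given, else $GNUPGHOME, else ~/.gnupg
homedir_from_args() {
  local prev="" a
  for a in "$@"; do
    if [ "$prev" = "--homedir" ]; then
      printf '%s\n' "$a"
      return 0
    fi
    case "$a" in
      --homedir=*) printf '%s\n' "${a#--homedir=}"; return 0 ;;
    esac
    prev="$a"
  done
  printf '%s\n' "${GNUPGHOME:-$HOME/.gnupg}"
}

# unsafe_perms DIR -> success if DIR is writable by group or others, which is
# what makes gpg print "WARNING: unsafe permissions on homedir"
unsafe_perms() {
  local mode rest grp oth
  # GNU/busybox stat first, BSD stat as fallback; fail if DIR does not exist
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null) || return 1
  oth=${mode#"${mode%?}"}    # last octal digit: others
  rest=${mode%?}
  grp=${rest#"${rest%?}"}    # second-to-last digit: group
  # the write bit (2) is set in a permission digit of 2, 3, 6 or 7
  case "$grp$oth" in
    *[2367]*) return 0 ;;
  esac
  return 1
}

# should_suppress_warning ARG... -> success if --no-permission-warning should
# be appended to this gpg invocation
should_suppress_warning() {
  has_arg --no-permission-warning "$@" && return 1   # caller already decided
  has_arg --encrypt "$@" || return 1                 # only touch encrypt runs
  local hd
  hd=$(homedir_from_args "$@")
  unsafe_perms "$hd" || return 1                     # permissions are fine: let gpg warn
  echo "gpg-shim: $hd is group/other-writable; suppressing gpg permission warning" >&2
  return 0
}

main() {
  if should_suppress_warning "$@"; then
    exec "$REAL_GPG" "$@" --no-permission-warning
  fi
  exec "$REAL_GPG" "$@"
}

# Dispatch only when called with arguments; sourcing the file (or running it
# with no arguments) just defines the functions, which keeps it testable.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Because the suppression is conditional, the same image behaves normally on a host where the bind mount does carry sane permissions: a genuinely misconfigured `.gitsecret/keys` still produces gpg's warning there, and the stderr line records each case where the shim did intervene.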