From: Tobias Brunner <tobias@strongswan.org>
Date: Mon, 2 May 2022 08:51:25 +0000 (+0200)
Subject: testing: Fix 'unsafe repository' error when accessing Git repository
X-Git-Tag: 5.9.7dr1~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc094c30d162c90120059be50df4c7d88b79f345;p=thirdparty%2Fstrongswan.git

testing: Fix 'unsafe repository' error when accessing Git repository

A recent security fix for Git added a fatal error if the directory that
contains the .git directory is not owned by the user that runs git in
that directory tree:

  Determine strongSwan version fatal: unsafe repository ('...' is owned by someone else)

To avoid this, we call the git commands as owner of the source
directory (the script has to run as root, so this is no problem).

The user/group ID and name is now also determined via `stat(1)` so it
directly depends on the actual source dir and should work even when not
using sudo.
---

diff --git a/testing/scripts/build-strongswan b/testing/scripts/build-strongswan
index 4b2de3ffcb..f7eeb6fede 100755
--- a/testing/scripts/build-strongswan
+++ b/testing/scripts/build-strongswan
@@ -8,9 +8,6 @@ DIR=$(dirname `readlink -f $0`)
 [ -f "$BASEIMG" ] || die "Base image $BASEIMG not found"
 running_any $STRONGSWANHOSTS && die "Please stop test environment before running $0"
 
-SRCUID=${SUDO_UID:-$(id -u)}
-SRCGID=${SUDO_GID:-$(id -g)}
-
 check_commands partprobe qemu-img qemu-nbd
 
 load_qemu_nbd
@@ -137,15 +134,19 @@ log_action "Remove SWID tags of previous strongSwan versions"
 execute_chroot "find /usr/local/share -path '*strongswan*' -name *.swidtag -delete"
 
 if [ -z "$TARBALL" ]; then
+	SRCUID=$(stat -c '%u' $SWANDIR)
+	SRCGID=$(stat -c '%g' $SWANDIR)
+	SRCUSER=$(stat -c '%U' $SWANDIR)
+
 	mkdir -p $LOOPDIR/root/strongswan
 	log_action "Mounting $SWANDIR as /root/strongswan"
 	execute "bindfs -u $SRCUID -g $SRCGID --create-for-user=$SRCUID --create-for-group=$SRCGID $SWANDIR $LOOPDIR/root/strongswan"
 	do_on_exit umount $LOOPDIR/root/strongswan
 
 	log_action "Determine strongSwan version"
-	desc=`git -C $SWANDIR describe --exclude 'android-*' --dirty`
+	desc=`runuser -u $SRCUSER -- git -C $SWANDIR describe --exclude 'android-*' --dirty`
 	if [ $? -eq 0 ]; then
-		version="$desc (`git -C $SWANDIR rev-parse --abbrev-ref HEAD`)"
+		version="$desc (`runuser -u $SRCUSER -- git -C $SWANDIR rev-parse --abbrev-ref HEAD`)"
 	else
 		version="`cat $SWANDIR/configure.ac | sed -n '/^AC_INIT/{ s/.*,\[\(.*\)\])$/\1/p }'`"
 	fi