git-maintenance doesn't work with git-credential-manager & pass #625

@nedsociety

Setup

  • Which version of microsoft/git are you using? Is it 32-bit or 64-bit?

$ git --version --build-options

git version 2.43.0.vfs.0.0
cpu: x86_64
built from commit: b7a6ed788a205fb2c0013111d277b4c9d6ab35bd
sizeof-long: 8
sizeof-size_t: 8
shell-path: /bin/sh

  • Are you using Scalar or VFS for Git?

Yes (scalar)

  • Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?

Nope, it's Ubuntu 22.04 jammy.

  • Any other interesting things about your environment that might be related
    to the issue you're seeing?

$ git-credential-manager --version
2.4.1
$ pass --version
============================================
= pass: the standard unix password manager =
=                                          =
=                  v1.7.4                  =
=                                          =
=             Jason A. Donenfeld           =
=               Jason@zx2c4.com            =
=                                          =
=      http://www.passwordstore.org/       =
============================================

Details

$ sudo apt install pass

# Follow https://github.com/git-ecosystem/git-credential-manager/blob/release/docs/install.md#install-2

$ git config --global credential.credentialStore gpg # make gcm use pass as its credstore

# try cloning a private repo

$ pass list

# confirm that the auth data is listed correctly

$ scalar register path/to/private/repo
$ systemctl --user start git-maintenance@hourly.service || systemctl --user status git-maintenance@hourly.service

  • What did you expect to occur after running these commands?

The command succeeds.

  • What actually happened instead?

@ systemctl --user daemon-reload && systemctl --user start git-maintenance@hourly.service; systemctl --user status git-maintenance@hourly.service
Job for git-maintenance@hourly.service failed because the control process exited with error code.
See "systemctl --user status git-maintenance@hourly.service" and "journalctl --user -xeu git-maintenance@hourly.service" for details.
× git-maintenance@hourly.service - Optimize Git repositories data
     Loaded: loaded (/home/ned/.config/systemd/user/git-maintenance@.service; static)
     Active: failed (Result: exit-code) since Wed 2024-02-07 17:32:01 KST; 8ms ago
TriggeredBy: ● git-maintenance@hourly.timer
    Process: 4051421 ExecStart=/usr/local/lib/git-core/git --exec-path=/usr/local/lib/git-core -c credential.interactive=false -c core.askPass=true for-each-repo --config=maintenance.repo maintenance run >
   Main PID: 4051421 (code=exited, status=1/FAILURE)
        CPU: 31ms

Feb 07 17:32:01 xxx systemd[1292]: Starting Optimize Git repositories data...
Feb 07 17:32:01 xxx git[4051425]: fatal: unable to get password from user
Feb 07 17:32:01 xxx git[4051422]: error: failed to prefetch remotes
Feb 07 17:32:01 xxx git[4051422]: error: task 'prefetch' failed
Feb 07 17:32:01 xxx systemd[1292]: git-maintenance@hourly.service: Main process exited, code=exited, status=1/FAILURE
Feb 07 17:32:01 xxx systemd[1292]: git-maintenance@hourly.service: Failed with result 'exit-code'.
Feb 07 17:32:01 xxx systemd[1292]: Failed to start Optimize Git repositories data.

  • If the problem was occurring with a specific repository, can you specify
    the repository?

I believe this is repo-agnostic

Additional info

Similar to #604, I've found that the problem resolves when I try to comment out two lines from ~/.config/systemd/user/git-maintenance@.service:

# This file was created and is maintained by Git.
# Any edits made in this file might be replaced in the future
# by a Git command.

[Unit]
Description=Optimize Git repositories data

[Service]
Type=oneshot
ExecStart="/usr/local/lib/git-core/git" --exec-path="/usr/local/lib/git-core" -c credential.interactive=false -c core.askPass=true  for-each-repo --config=maintenance.repo maintenance run --schedule=%i
LockPersonality=yes
# MemoryDenyWriteExecute=yes              #  <----------
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_VSOCK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
# SystemCallFilter=@system-service               #  <----------

  • The second comment-out enables pass to work. Otherwise, changing ExecStart to bash -c 'pass list' shows as if pass has an empty password store. I have no clue what syscalls other than @system-service are needed for pass to work.
  • The first one enables git-credential-manager to run. Otherwise, changing ExecStart to bash -c '(echo ...) | git-credential-manager get' segfaults. For this one, though, I understand why MemoryDenyWriteExecute is needed, since gcm is a dotnet application which may use JIT.

I didn't check if the upstream git has the same problem (it probably does), but since git-maintenance is probably mostly used by scalar, I felt this issue should be reported here.

X-post (gcm): git-ecosystem/git-credential-manager#1521
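
Added example, not part of the original report and not Git's or GCM's own code: because the unit file header says Git may replace edits, a systemd drop-in can carry the two relaxations while every other sandbox directive stays in force. The function names, the drop-in file name `override.conf` and the sample unit are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: write a drop-in that relaxes only the two directives named in
# the report, leaving the Git-managed unit file itself untouched.

# active_directive UNIT_FILE NAME
# Succeeds if NAME= appears on an uncommented line of UNIT_FILE.
active_directive() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# write_override UNIT_FILE DROPIN_DIR
# Writes DROPIN_DIR/override.conf, overriding only directives that are active.
write_override() {
    unit=$1
    dir=$2
    mkdir -p "$dir" || return 1
    {
        echo "[Service]"
        # Per the report, GCM is a .NET application that may JIT, which needs
        # memory that is both writable and executable.
        if active_directive "$unit" MemoryDenyWriteExecute; then
            echo "MemoryDenyWriteExecute=no"
        fi
        # An empty assignment resets the filter set by the main unit file.
        if active_directive "$unit" SystemCallFilter; then
            echo "SystemCallFilter="
        fi
    } > "$dir/override.conf"
}

# Constructed sample: hardening lines taken from the unit shown in the report.
sample_unit() {
    cat <<'EOF'
[Service]
Type=oneshot
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
SystemCallFilter=@system-service
EOF
}

# Stand-alone use: sh script.sh UNIT_FILE DROPIN_DIR
if [ "$#" -eq 2 ]; then
    write_override "$1" "$2"
fi
```

For the unit in the report, the drop-in directory would be ~/.config/systemd/user/git-maintenance@.service.d, followed by systemctl --user daemon-reload. Resetting SystemCallFilter removes the filter entirely, as the commented-out line does; a narrower allow-list would need the missing syscalls identified first.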