Today I took a look at one particular git repository’s configuration and saw something slightly off in the configuration for a credential helper, dating from an old experiment with AWS CodeCommit. I decided to dig deeper to figure out what the actual rules are for shell commands inside git configuration files. This side-diversion took a bit longer than expected. It’s a Sunday. Ah well. I’ve seen too much cargo-culted incorrect information online, so it was time to figure out an accurate answer.
My home router is a Turris Omnia, which provides the option for running LXC containers; I use this for SSH jumphosts and other such things as belong “on the router itself”. Last night I decided that it was time to install an Alpine Linux container, to complement the Debian container which has been predominantly used to date. This presented a few issues, but all was done. In this post: networking from no-network, CIDR (classless) routes accepted over DHCP, and other quirks.
Using macOS with Docker can be “interesting”. When I got started, I followed the useful advice at https://pilsniak.com/how-to-install-docker-on-mac-os-using-brew/. This approach appealed to me, especially the use of xhyve. Because sometimes I just make life difficult for myself. Thus my initial setup was: brew install docker docker-machine xhyve docker-machine-driver-xhyve f=/usr/local/opt/docker-machine-driver-xhyve/bin/docker-machine-driver-xhyve sudo chown root:wheel $f; sudo chmod u+s $f # because yay, more setuid root binaries; it's written in Go, which is # something at least.
I’d like to set a couple of things straight, for the record. I’ll cover the post/blog, and then I’d like to counter some misconceptions. While part of me thinks “I must’ve been very unclear to have so many people misunderstand”, I also saw how many people commented without bothering to read, so really there’s a limit to how much self-flagellation will happen. I am not a security researcher. I do not try to get bug bounties.
This is a tale of two attitudes. Working on a project for a client recently, I needed to speak the SSH protocol in Golang code. So I started with the x/crypto/ssh package, part of the suite of libraries from the Golang developers which is not part of the standard library and not part of their usual compatibility guarantees, but more along the lines of “useful stuff which might graduate to the standard library”.