Anyone have more info on this for an EA for Git Versions? The script works for me but I have to remove "| sed 's/\\/usr\\/bin://g'" in the current path variable. However, removing this also prompts the pop-up for developer tools.
I'm also looking into this as we've had some issues with the previously working script on Silicon Macs, now that there's a new vulnerability.
Throwing my hat into the ring here. We have a new git vulnerability on our Qualys scans, and from what I'm seeing with the latest Apple CLI dev tools install, it's installing a vulnerable version (2.37.1 of Apple Git). We blocked Homebrew about a year or so ago due to other security concerns, so all of the machines should be either Apple's dev tools CLI install or one of the other GUI git versions. Does anyone have an EA to detect these on Intel and ARM chipset devices (a mix of macOS 10.15.7, 11.x, 12.x and now, thanks to no more major OS deferrals and non-admin users being able to upgrade to macOS 13, also macOS 13 devices :) )?
I'm also looking to create an EA to lookup the git version of Apple git and brew. If anyone has a script for it, please share.
We're doing the same @jonlju
I think we're just going to force everyone with a custom version of git onto 2.30.2 and add the symlink workaround to all machines with the basic Apple git. I've hacked the EA above to suit my needs to make a brew-only EA. Compare the version to a hardcoded one and give an output of 'Safe', 'Unsafe' or 'Not Installed'.
Safe = Do nothing
Unsafe = run git upgrade script
Not Installed = run symlinks workaround
#!/bin/bash
###
# Checks to see if git has been installed via homebrew and returns 'Not Installed' if not.
# If so, it will return 'Safe' or 'Unsafe' with the version number, comparing against a
# hardcoded approved version which you set in this EA.
###
# User currently logged in at the console
CURRENT_USER=$(/usr/bin/stat -f%Su /dev/console)
# That user's PATH with the /usr/bin and /Library/Apple/usr/bin entries stripped out,
# so /usr/bin/git is not run
CURRENT_PATH=$(/usr/bin/su "$CURRENT_USER" -c "/usr/bin/env | /usr/bin/grep PATH= | /usr/bin/colrm 1 5 | sed 's/\\/usr\\/bin://g' | sed 's/\\/Library\\/Apple\\/usr\\/bin//g'" )
RESULT=""
APPROVEDVERSION=2.30.2
old=$IFS
IFS=:
# Try git in every remaining PATH directory
for p in $CURRENT_PATH; do
    GIT_VERSION="$("$p/git" --version 2> /dev/null)"
    if [[ $? == 0 ]]; then
        RESULT+="$p $GIT_VERSION"
        VERSION=$(echo "$RESULT" | awk '{ print $4}')
        #VERSION=2.40.1
    fi
done
IFS=$old
# Strip the dots and keep the first four digits, e.g. 2.30.2 -> 2302
INSTVERSION=$(echo "$VERSION" | sed 's|[.]||g' | sed -E 's/(.{4}).*/\1/')
APPVERSION=$(echo "$APPROVEDVERSION" | sed 's|[.]||g' | sed -E 's/(.{4}).*/\1/')
if [[ $VERSION = "" ]]; then
    echo "<result>Not Installed</result>"
else
    if [[ $INSTVERSION -ge $APPVERSION ]]; then
        echo "<result>Safe - $VERSION</result>"
    else
        echo "<result>Unsafe - $VERSION</result>"
    fi
fi
exit 0
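Added example, not part of the original post: the Safe / Unsafe / Not Installed decision done as a numeric comparison of each version component, because stripping the dots and comparing the first four digits ranks 2.30.10 below 2.30.2. The function names and the sample version strings are constructed for this example; 2.30.2 is the approved version from the post.

```sh
#!/bin/sh
# Added example: Safe / Unsafe / Not Installed from `git --version` output,
# compared numerically per component. Function names are hypothetical.
APPROVED_VERSION="2.30.2"   # approved version taken from the post above

# "git version 2.37.1 (Apple Git-137.1)" -> "2.37.1"; prints nothing if no match
parse_git_version() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: succeeds when A >= B; missing components count as 0
version_ge() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        _x=${_x:-0}; _y=${_y:-0}
        if [ "$_x" -gt "$_y" ]; then return 0; fi
        if [ "$_x" -lt "$_y" ]; then return 1; fi
        # Drop the component just compared
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 0
}

# Map raw `git --version` output to the result strings used in the thread
classify_git() {
    _v=$(parse_git_version "$1")
    if [ -z "$_v" ]; then
        echo "Not Installed"
    elif version_ge "$_v" "$APPROVED_VERSION"; then
        echo "Safe - $_v"
    else
        echo "Unsafe - $_v"
    fi
}

# Constructed sample outputs, not captured from real machines.
# On a Mac, pass "$(/opt/homebrew/bin/git --version 2>/dev/null)" instead.
for s in "git version 2.37.1 (Apple Git-137.1)" "git version 2.30.10" \
         "git version 2.9.5" ""; do
    echo "<result>$(classify_git "$s")</result>"
done
```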
Do you know if users will get the 'please install development tools' message if their computer does not have Xcode CLT installed?
Same here...
Since Jamf runs as root and, thus, does not abide by a user's PATH, the default command will function and tell you that it's v. 2.24.3. The command is: git --version | awk '{ print $3 }'
For Homebrew, things have gotten weird. Since people can transfer from an Intel to an M1, some Homebrew apps can remain in the old folder structure even after running the proper Homebrew migration programs.
So, I decided to set up two separate, very simplified, Extension Attributes. Rather than attempting to pull the whole path and cut it up from there, which seemed to fail after all of my runs within a root terminal, it specifies the Homebrew installation folders directly and ignores everything else. This might not be okay for some who are required to search all folders for any possible git executable.
#!/bin/bash
# Extension attribute for a Homebrew installed git on ARM Macs
# Dave Segreto
# Default result is "Unknown"
RESULT="Unknown"
# Check if git exists
if [[ -e /opt/homebrew/bin/git ]]; then
    # If it exists, gather the version.
    GIT_VERSION=$(/opt/homebrew/bin/git --version | awk '{ print $3 }')
    # If GIT_VERSION is not empty, set it as the new RESULT
    if [[ -n "$GIT_VERSION" ]]; then
        RESULT=$GIT_VERSION
    fi
fi
echo "<result>$RESULT</result>"
#END
The Intel version is the same, substituting in /usr/local/bin/git as the filename. So far, the ARM one is working. I don't see a reason the Intel one wouldn't, but cannot confirm it just yet as I uploaded them like 5 minutes ago.
I default the return value to "Unknown". Thus, you'll see that as a "yes this ran but found no answer", differentiating it from those that have not run yet.
Nice! I think with this modification it will work for both arm64 and Intel in the same extension attribute.
#!/bin/bash
# Extension attribute for a Homebrew installed git on ARM and Intel Macs
# Dave Segreto
# Default result is "Unknown"
RESULT="Unknown"
# Get machine type
UNAME_MACHINE="$(uname -m)"
# Set the prefix based on the machine type
if [[ "$UNAME_MACHINE" == "arm64" ]]; then
    # M1/arm64 machines
    HOMEBREW_PREFIX="/opt/homebrew"
else
    # Intel machines
    HOMEBREW_PREFIX="/usr/local"
fi
# Check if git exists
if [[ -e "$HOMEBREW_PREFIX/bin/git" ]]; then
    # If it exists, gather the version.
    GIT_VERSION=$("$HOMEBREW_PREFIX/bin/git" --version | awk '{ print $3 }')
    # If GIT_VERSION is not empty, set it as the new RESULT
    if [[ -n "$GIT_VERSION" ]]; then
        RESULT=$GIT_VERSION
    fi
fi
echo "<result>$RESULT</result>"
#END
Using CURRENT_USER=$(/usr/bin/stat -f%Su /dev/console) you could also run commands as the current user to find if Apple Git is installed (if it is, we'd want to make sure the Homebrew version gets installed as the active Git version). The problem is that running git --version on a Mac will trigger the installation of developer tools if it's not already installed, so it'd have to find a way to not trigger that.
Thanks @dave_segreto, this worked. I did have to modify the path for Intel to use /usr/bin/git.
Using /usr/local/bin/git returned Unknown result.
Oh, interesting. Any idea when Homebrew changed the default installation location? I wonder if it's worth adding a method for checking both locations for x86 machines.
Awesome. I decided to use separate EAs in case anyone transferred from an x86 to an M1 and, thus, has both git locations installed. I noticed this happen on my own machine.
I also found that using the CURRENT_USER trick failed on some machines. I suspect that this also affected machines that had Homebrew transferred. The new PATH wasn't added for the root user. So, while maybe the user would add it locally to their .zshrc or .bashrc file, Jamf would not register that change when it runs the command.