unofficial mirror of meta@public-inbox.org
 help / color / mirror / Atom feed
From: Julien Moutinho <julm+public-inbox@sourcephile.fr>
To: meta@public-inbox.org
Subject: Test failures due to core.sharedRepository and
Date: Mon, 24 Oct 2022 23:58:22 +0200	[thread overview]
Message-ID: <20221024215822.azmu2egkibe73rc3@sourcephile.fr> (raw)

sandboxing
Reply-To:

Hi!

While updating from 1.8.0 to 1.9.0, I've stumbled upon
that failure in t/lei-q-kw.t (but other tests fail for the same reason):
> ok 52 - lei import -F eml t/x-unknown-alpine.eml
> not ok 53 - no errors importing previous external-only message
> #   Failed test 'no errors importing previous external-only message'
> #   at t/lei-q-kw.t line 181.
> #          got: 'error: unable to create temporary file: Operation not permitted
> # fatal: failed to write object
> # '
> #     expected: ''

strace -f prove -bvw t/lei-q-kw.t
revealed this EPERM:
> chmod("/build/tmp/pi-lei-q-kw-1976-HlW5/lei-daemon/.local/share/lei/store/local/0.git/objects/pack", 02700) = -1 EPERM (Operation not permitted)

Turns out this is another consequence of running inside nix's sandbox:
> ; Disallow creating setuid/setgid binaries, since that
> ; would allow breaking build user isolation.
> (deny file-write-setugid)
https://github.com/NixOS/nix/blob/b3d2a05c59266688aa904d5fb326394cbb7e9e90/src/libstore/sandbox-defaults.sb#L5-L7
https://github.com/NixOS/nix/blob/b3d2a05c59266688aa904d5fb326394cbb7e9e90/src/libstore/build/local-derivation-goal.cc#L1555-L1568

That SGID bit in 2700 is due to git's FORCE_DIR_SET_GID:
> if (S_ISDIR(old_mode)) {
>   /* Copy read bits to execute bits */
>   new_mode |= (new_mode & 0444) >> 2;
>   new_mode |= FORCE_DIR_SET_GID;
> }
https://github.com/git/git/blob/1fc3c0ad407008c2f71dd9ae1241d8b75f8ef886/path.c#L901-L905

which is enabled when public-inbox sets core.sharedRepository:
> $self->git->qx(qw(config core.sharedRepository 0600));
https://public-inbox.org/public-inbox.git/tree/lib/PublicInbox/ExtSearchIdx.pm?id=0881010d123914be5e47544229e2b03412a6a691#n1231

Eric, do you think something can be done to accomodate nix's sandbox?
otherwise I can disable those failing tests.

Cheers,

             reply	other threads:[~2022-10-24 21:58 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-24 21:58 Julien Moutinho [this message]
2022-10-25 10:17 ` Test failures due to core.sharedRepository and Eric Wong
2022-10-25 16:49   ` Test failures due to core.sharedRepository and sandboxing Julien Moutinho

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://public-inbox.org/README

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221024215822.azmu2egkibe73rc3@sourcephile.fr \
    --to=julm+public-inbox@sourcephile.fr \
    --cc=meta@public-inbox.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).