From: Julien Moutinho <julm+public-inbox@sourcephile.fr>
To: meta@public-inbox.org
Subject: Test failures due to core.sharedRepository and sandboxing
Date: Mon, 24 Oct 2022 23:58:22 +0200
Message-ID: <20221024215822.azmu2egkibe73rc3@sourcephile.fr>
Hi!
While updating from 1.8.0 to 1.9.0, I've stumbled upon
that failure in t/lei-q-kw.t (but other tests fail for the same reason):
> ok 52 - lei import -F eml t/x-unknown-alpine.eml
> not ok 53 - no errors importing previous external-only message
> # Failed test 'no errors importing previous external-only message'
> # at t/lei-q-kw.t line 181.
> # got: 'error: unable to create temporary file: Operation not permitted
> # fatal: failed to write object
> # '
> # expected: ''
strace -f prove -bvw t/lei-q-kw.t
revealed this EPERM:
> chmod("/build/tmp/pi-lei-q-kw-1976-HlW5/lei-daemon/.local/share/lei/store/local/0.git/objects/pack", 02700) = -1 EPERM (Operation not permitted)
Turns out this is another consequence of running inside nix's sandbox:
> ; Disallow creating setuid/setgid binaries, since that
> ; would allow breaking build user isolation.
> (deny file-write-setugid)
https://github.com/NixOS/nix/blob/b3d2a05c59266688aa904d5fb326394cbb7e9e90/src/libstore/sandbox-defaults.sb#L5-L7
https://github.com/NixOS/nix/blob/b3d2a05c59266688aa904d5fb326394cbb7e9e90/src/libstore/build/local-derivation-goal.cc#L1555-L1568
That SGID bit in 2700 is due to git's FORCE_DIR_SET_GID:
> if (S_ISDIR(old_mode)) {
> 	/* Copy read bits to execute bits */
> 	new_mode |= (new_mode & 0444) >> 2;
> 	new_mode |= FORCE_DIR_SET_GID;
> }
https://github.com/git/git/blob/1fc3c0ad407008c2f71dd9ae1241d8b75f8ef886/path.c#L901-L905
which is enabled when public-inbox sets core.sharedRepository:
> $self->git->qx(qw(config core.sharedRepository 0600));
https://public-inbox.org/public-inbox.git/tree/lib/PublicInbox/ExtSearchIdx.pm?id=0881010d123914be5e47544229e2b03412a6a691#n1231
Eric, do you think something can be done to accommodate nix's sandbox?
Otherwise I can disable those failing tests.
Cheers,
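
The mode arithmetic and the refused chmod described in the message above, as an added example that is not part of the original post nor code from git, nix or public-inbox. It applies only the directory branch quoted from git's path.c, assumes FORCE_DIR_SET_GID equals S_ISGID (as the 02700 in the strace line implies), and uses a hypothetical scratch path under /tmp to check whether the current build environment refuses a setgid chmod.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: FORCE_DIR_SET_GID is S_ISGID, matching the 02700 seen in strace. */
#define ASSUMED_FORCE_DIR_SET_GID S_ISGID

/* Directory branch quoted in the message, applied to permission bits only. */
static mode_t dir_mode_after_adjust(mode_t perm)
{
	mode_t new_mode = perm & 07777;

	new_mode |= (new_mode & 0444) >> 2; /* copy read bits to execute bits */
	new_mode |= ASSUMED_FORCE_DIR_SET_GID;
	return new_mode;
}

/*
 * Attempt the same chmod on a scratch directory.
 * Returns 0 if allowed, the chmod errno if refused, -1 if setup failed.
 */
static int probe_setgid_chmod(mode_t perm)
{
	char path[64]; /* hypothetical scratch location, not a public-inbox path */
	int rc = 0;

	snprintf(path, sizeof(path), "/tmp/sgid-probe-%ld", (long)getpid());
	if (mkdir(path, 0700) < 0)
		return -1;
	if (chmod(path, dir_mode_after_adjust(perm)) < 0)
		rc = errno;
	rmdir(path);
	return rc;
}

int main(void)
{
	int rc = probe_setgid_chmod(0600);

	printf("mode requested for a 0600 base: %05o\n",
	       (unsigned)dir_mode_after_adjust(0600));
	if (rc == EPERM)
		puts("setgid chmod refused with EPERM, as in the strace output");
	else if (rc == 0)
		puts("setgid chmod allowed");
	else
		printf("probe inconclusive (rc=%d)\n", rc);
	return rc == EPERM;
}
```

Run inside the build sandbox, a non-zero exit status means the EPERM case was reproduced without involving git or the test suite.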