Opened 7 years ago

Closed 7 years ago

#13631 closed defect (fixed)

Sage refuses to run despite safe directory

Reported by: vbraun Owned by: mvngu
Priority: blocker Milestone: sage-5.4
Component: doctest coverage Keywords:
Cc: jdemeyer Merged in: sage-5.4.rc3
Authors: Jeroen Demeyer Reviewers: Volker Braun
Report Upstream: N/A Work issues:
Branch: Commit:
Dependencies: Stopgaps:

Description (last modified by jdemeyer)

Something is wrong with the patch at #13579. This breaks the patchbot on Fedora:

(sage-sh) patchbot@volker-desktop:sage$ python -Werror -c ''
RuntimeWarning: not adding directory '' to sys.path since it's writable by an untrusted group.
Untrusted users could put files in this directory which might then be imported by your Python code. As a general precaution from similar exploits, you should not execute Python code from this directory
(sage-sh) patchbot@volker-desktop:sage$ ls -ald .
drwxrwxr-x. 7 patchbot patchbot 4096 Oct 20 11:24 .
(sage-sh) patchbot@volker-desktop:sage$ umask
0002
(sage-sh) patchbot@volker-desktop:sage$ groups
patchbot
(sage-sh) patchbot@volker-desktop:sage$ id
uid=1001(patchbot) gid=1001(patchbot) groups=1001(patchbot) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Updated spkg: http://boxen.math.washington.edu/home/jdemeyer/spkg/python-2.7.3.p2.spkg (diff: python-2.7.3.p2.diff)

Apply 13631_untar.patch to the Sage root repository.

Attachments (2)

python-2.7.3.p2.diff (2.1 KB) - added by jdemeyer 7 years ago.
Diff for the python spkg. For reference / review only.
13631_untar.patch (1.1 KB) - added by jdemeyer 7 years ago.


Change History (15)

comment:1 Changed 7 years ago by hthomas

I get the following warning when I install the patchbot (sage -i patchbot). This is on Ubuntu 11.10.

>>> Checking online list of optional packages.
sys:1: RuntimeWarning: not adding directory '' to sys.path since it's writable by an untrusted group.
Untrusted users could put files in this directory which might then be imported by your Python code. As a general precaution from similar exploits, you should not execute Python code from this directory
[.]
>>> Found patchbot-1.1.
>>> Downloading patchbot-1.1.spkg.
sys:1: RuntimeWarning: not adding directory '' to sys.path since it's writable by an untrusted group.
Untrusted users could put files in this directory which might then be imported by your Python code. As a general precaution from similar exploits, you should not execute Python code from this directory
[......]
patchbot-1.1

However, the install appears to go okay.

When I try to run the patchbot, though, it complains (after the building process goes fine, apparently):

========== end plugins.docbuild ==========
$SAGE_ROOT/sage -tp 3 -sagenb $SAGE_ROOT/devel/sage-0/doc/common $SAGE_ROOT/devel/sage-0/doc/en $SAGE_ROOT/devel/sage-0/doc/fr $SAGE_ROOT/devel/sage-0/sage
Global iterations: 1
File iterations: 1
Traceback (most recent call last):
  File "/home/hugh/sage-5.4.rc2/local/bin/sage-ptest", line 80, in <module>
    .format(os.getcwd()))
RuntimeError: refusing to run doctests from the current directory '/home/hugh/sage-5.4.rc2/devel/sage-0' since untrusted users could put files in this directory, making it unsafe to run Sage code from
Traceback (most recent call last):
  File "/home/hugh/sage-5.4.rc2/local/bin/patchbot/patchbot.py", line 416, in test_a_ticket
    do_or_die("$SAGE_ROOT/sage %s %s" % (test_cmd, ' '.join(test_dirs)))
  File "/home/hugh/sage-5.4.rc2/local/bin/patchbot/util.py", line 62, in do_or_die
    raise Exception, "%s %s" % (res, cmd)
Exception: 256 $SAGE_ROOT/sage -tp 3 -sagenb $SAGE_ROOT/devel/sage-0/doc/common $SAGE_ROOT/devel/sage-0/doc/en $SAGE_ROOT/devel/sage-0/doc/fr $SAGE_ROOT/devel/sage-0/sage
2012-10-20 23:08:09 -0700
1439 seconds
Traceback (most recent call last):
  File "/home/hugh/sage-5.4.rc2/local/bin/patchbot/patchbot.py", line 416, in test_a_ticket
    do_or_die("$SAGE_ROOT/sage %s %s" % (test_cmd, ' '.join(test_dirs)))
  File "/home/hugh/sage-5.4.rc2/local/bin/patchbot/util.py", line 62, in do_or_die
    raise Exception, "%s %s" % (res, cmd)
Exception: 256 $SAGE_ROOT/sage -tp 3 -sagenb $SAGE_ROOT/devel/sage-0/doc/common $SAGE_ROOT/devel/sage-0/doc/en $SAGE_ROOT/devel/sage-0/doc/fr $SAGE_ROOT/devel/sage-0/sage
Reporting 0 TestsFailed
0 TestsFailed
ok
Done reporting 0



Failing tests in your install: TestsFailed. Continue anyways? [y/N] 

comment:2 Changed 7 years ago by jdemeyer

Hugh, could you provide the same information as Volker (umask, group ids, permissions of the relevant directory)?

Also, Volker and Hugh: which version of Sage are you talking about? In particular, is #13459 applied?

comment:3 Changed 7 years ago by jdemeyer

Looks like we should check the umask for python -c

comment:4 Changed 7 years ago by jdemeyer

  • Priority changed from major to blocker

comment:5 Changed 7 years ago by hthomas

I was running 5.4.rc2.

I'm not sure which directory is relevant. The directory which it refused to run doctests in was one that had just been created by the patchbot, /home/hugh/sage-5.4.rc2/devel/sage-0. In that directory, I get the following:

hugh@hugh-laptop:~/sage-5.4.rc2/devel$ cd sage-0/
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-0$ ls -ald .
drwxrwxr-x 7 hugh hugh 4096 2012-10-20 22:45 .
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-0$ umask
0002
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-0$ groups
hugh adm dialout cdrom plugdev lpadmin admin sambashare
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-0$ id
uid=1000(hugh) gid=1000(hugh) groups=1000(hugh),4(adm),20(dialout),24(cdrom),46(plugdev),105(lpadmin),119(admin),122(sambashare)

I don't know what the output from these commands means, so please let me know if you need more or different information.

comment:6 Changed 7 years ago by hthomas

I can get the same error without the patchbot.

hugh@hugh-laptop:~$ cd sage-5.4.rc2/devel/sage-main/
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-main$ ../../sage -t sage/combinat/tableau.py 
Traceback (most recent call last):
  File "/home/hugh/sage-5.4.rc2/local/bin/sage-test", line 53, in <module>
    .format(os.getcwd()))
RuntimeError: refusing to run doctests from the current directory '/home/hugh/sage-5.4.rc2/devel/sage-main' since untrusted users could put files in this directory, making it unsafe to run Sage code from

I get the same output from the above commands (ls, etc.) in sage-main as in sage-0.

It works fine if I run sage -t from ~/sage-5.4.rc2. There, I get:

hugh@hugh-laptop:~/sage-5.4.rc2$ ls -ald .
drwxr-xr-x 9 hugh hugh 4096 2012-10-20 22:44 .

I get the same error as above if I run sage -t from ~/sage-5.4.rc2/devel, where the output from ls -ald ., etc., looks very similar to sage-5.4.rc2/devel/sage-main.

comment:7 Changed 7 years ago by vbraun

I'm talking about Sage-5.4.rc2 (which is the first one with your Python patch). The problem is the

if ((arg_stat.st_mode & 0022) == 0 && (program_stat.st_mode & 0022) == 0)

check, that's too restrictive. If you have your own group then it's perfectly safe for the directory to be group-writable, and indeed Fedora sets you up with umask 0002 in that case.
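
An added illustration of the point made in comment:7, not the ticket's patch (whose contents are not shown on this page) and not code from any commenter: the quoted `& 0022` test next to one policy that accepts group-write only when the directory's group is a user-private group. All function names, the `User`/`Group` records, and the `mallory`/`shared` entries are hypothetical; the `patchbot` and `hugh` ids are taken from the `id` output above.

```python
import grp
import os
import pwd
import stat
from collections import namedtuple

# Constructed account records mirroring the `id` output quoted in the ticket;
# "mallory" and "shared" (gid 2000) are hypothetical, added for contrast.
User = namedtuple("User", "name uid gid")
Group = namedtuple("Group", "name gid members")
USERS = [User("patchbot", 1001, 1001), User("hugh", 1000, 1000),
         User("mallory", 1002, 2000)]
GROUPS = [Group("patchbot", 1001, []), Group("hugh", 1000, []),
          Group("shared", 2000, ["hugh"])]

def strict_safe(mode):
    """The check quoted in comment:7: reject any group- or world-writable dir."""
    return (mode & 0o022) == 0

def group_is_private(gid, owner_uid, users=USERS, groups=GROUPS):
    """True only if the owner is the sole account that can act with this gid."""
    uid_of = {u.name: u.uid for u in users}
    holders = {u.uid for u in users if u.gid == gid}       # primary group
    for g in groups:
        if g.gid == gid:                                   # supplementary members;
            holders |= {uid_of.get(m, -1) for m in g.members}  # unknown name = untrusted
    return holders == {owner_uid}

def relaxed_safe(mode, owner_uid, gid, users=USERS, groups=GROUPS):
    """World-writable is never safe; group-writable only with a private group."""
    if mode & stat.S_IWOTH:
        return False
    if mode & stat.S_IWGRP:
        return group_is_private(gid, owner_uid, users, groups)
    return True

def check_dir(path="."):
    """Apply relaxed_safe to a real directory using the local account database.
    Caveat: pwd/grp enumeration may be incomplete with LDAP/NSS backends."""
    st = os.stat(path)
    users = [User(p.pw_name, p.pw_uid, p.pw_gid) for p in pwd.getpwall()]
    groups = [Group(g.gr_name, g.gr_gid, list(g.gr_mem)) for g in grp.getgrall()]
    return (st.st_uid == os.geteuid()
            and relaxed_safe(st.st_mode, st.st_uid, st.st_gid, users, groups))
```

With the `drwxrwxr-x` directories from the ticket, `strict_safe` rejects both users' checkouts while `relaxed_safe` accepts them and still rejects a directory whose group has a second member.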

comment:8 Changed 7 years ago by jdemeyer

  • Authors set to Jeroen Demeyer
  • Description modified (diff)

comment:9 Changed 7 years ago by jdemeyer

  • Description modified (diff)
  • Status changed from new to needs_review

comment:10 Changed 7 years ago by vbraun

  • Reviewers set to Volker Braun
  • Status changed from needs_review to positive_review

Looks good to me. Fixes the patchbot on Fedora 17, at least.

comment:11 Changed 7 years ago by hthomas

Also fixed for me (Ubuntu 11.10). At any rate, the patchbot is willing to run doctests again.

The patchbot is now running the doctests. I will let you know if anything has broken.

comment:12 Changed 7 years ago by hthomas

I detected no problems.

comment:13 Changed 7 years ago by jdemeyer

  • Merged in set to sage-5.4.rc3
  • Resolution set to fixed
  • Status changed from positive_review to closed