Opened 7 years ago
Closed 7 years ago
#13631 closed defect (fixed)
Sage refuses to run despite safe directory
Reported by: | vbraun | Owned by: | mvngu |
---|---|---|---|
Priority: | blocker | Milestone: | sage-5.4 |
Component: | doctest coverage | Keywords: | |
Cc: | jdemeyer | Merged in: | sage-5.4.rc3 |
Authors: | Jeroen Demeyer | Reviewers: | Volker Braun |
Report Upstream: | N/A | Work issues: | |
Branch: | Commit: | ||
Dependencies: | Stopgaps: |
Description
Something is wrong with the patch at #13579. This breaks the patchbot on Fedora:
```
(sage-sh) patchbot@volker-desktop:sage$ python -Werror -c ''
RuntimeWarning: not adding directory '' to sys.path since it's writable by an untrusted group. Untrusted users could put files in this directory which might then be imported by your Python code. As a general precaution from similar exploits, you should not execute Python code from this directory
(sage-sh) patchbot@volker-desktop:sage$ ls -ald .
drwxrwxr-x. 7 patchbot patchbot 4096 Oct 20 11:24 .
(sage-sh) patchbot@volker-desktop:sage$ umask
0002
(sage-sh) patchbot@volker-desktop:sage$ groups
patchbot
(sage-sh) patchbot@volker-desktop:sage$ id
uid=1001(patchbot) gid=1001(patchbot) groups=1001(patchbot) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```
Updated spkg: http://boxen.math.washington.edu/home/jdemeyer/spkg/python-2.7.3.p2.spkg (diff: python-2.7.3.p2.diff)
Apply 13631_untar.patch to the Sage root repository.
Attachments (2)
Change History (15)
comment:1 Changed 7 years ago by
comment:2 Changed 7 years ago by
Hugh, could you provide the same information as Volker (umask, group ids, permissions of the relevant directory)?
Also, Volker and Hugh: which version of Sage are you talking about? In particular, is #13459 applied?
comment:3 Changed 7 years ago by
Looks like we should check the umask for python -c
comment:4 Changed 7 years ago by
- Priority changed from major to blocker
comment:5 Changed 7 years ago by
I was running 5.4.rc2.
I'm not sure which directory is relevant. The directory which it refused to run doctests in was one that had just been created by the patchbot, /home/hugh/sage-5.4.rc2/devel/sage-0. In that directory, I get the following:
```
hugh@hugh-laptop:~/sage-5.4.rc2/devel$ cd sage-0/
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-0$ ls -ald .
drwxrwxr-x 7 hugh hugh 4096 2012-10-20 22:45 .
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-0$ umask
0002
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-0$ groups
hugh adm dialout cdrom plugdev lpadmin admin sambashare
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-0$ id
uid=1000(hugh) gid=1000(hugh) groups=1000(hugh),4(adm),20(dialout),24(cdrom),46(plugdev),105(lpadmin),119(admin),122(sambashare)
```
I don't know what the output from these commands means, so please let me know if you need more or different information.
comment:6 Changed 7 years ago by
I can get the same error without the patchbot.
```
hugh@hugh-laptop:~$ cd sage-5.4.rc2/devel/sage-main/
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-main$ ../../sage -t sage/combinat/tableau.py
Traceback (most recent call last):
  File "/home/hugh/sage-5.4.rc2/local/bin/sage-test", line 53, in <module>
    .format(os.getcwd()))
RuntimeError: refusing to run doctests from the current directory '/home/hugh/sage-5.4.rc2/devel/sage-main' since untrusted users could put files in this directory, making it unsafe to run Sage code from
```
I get the same output from the above commands (ls, etc.) in sage-main as in sage-0.
It works fine if I run sage -t from ~/sage-5.4.rc2. There, I get:
```
hugh@hugh-laptop:~/sage-5.4.rc2$ ls -ald .
drwxr-xr-x 9 hugh hugh 4096 2012-10-20 22:44 .
```

I get the same error as above if I run sage -t from ~/sage-5.4.rc2/devel, where the output from ls -ald ., etc., looks very similar to sage-5.4.rc2/devel/sage-main.
comment:7 Changed 7 years ago by
I'm talking about Sage-5.4.rc2 (which is the first one with your Python patch). The problem is the

```
if ((arg_stat.st_mode & 0022) == 0 && (program_stat.st_mode & 0022) == 0)
```

check, that's too restrictive. If you have your own group then it's perfectly safe for the directory to be group-writable, and indeed Fedora sets you up with umask 0002 in that case.
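One way to express the relaxed rule that comment:7 argues for, next to the strict `& 0022` test it quotes. This is an added example, not the Python patch from this ticket and not Sage's code. The names `dir_is_safe` and `group_is_private` and the account data are hypothetical, and two choices are assumptions: a group counts as private when the calling user is its only member, and the directory must be owned by root or by the caller.

```python
import grp
import os
import pwd
import stat

# Constructed account data mirroring the ticket (not read from a real system):
# (name, uid, primary gid) and (gid, supplementary member names).
USERS = [("patchbot", 1001, 1001), ("hugh", 1000, 1000)]
GROUPS = [(1001, []), (1000, []), (2000, ["patchbot", "hugh"])]


def strict_check(mode):
    """The test quoted in comment:7: any group/world write bit fails."""
    return (mode & 0o022) == 0


def group_is_private(gid, uid, users, groups):
    """True if the account `uid` is the only member of group `gid`."""
    own_names = {name for name, u, _ in users if u == uid}
    members = {name for name, _, g in users if g == gid}  # primary group
    for g, listed in groups:                               # supplementary
        if g == gid:
            members.update(listed)
    return bool(own_names) and members <= own_names


def dir_is_safe(mode, owner, gid, uid, users, groups):
    """Relaxed check: group-writable is fine for a private group."""
    if owner not in (0, uid):        # assumption: only root or self may own it
        return False
    if mode & stat.S_IWOTH:          # world-writable is never accepted
        return False
    if mode & stat.S_IWGRP:
        return group_is_private(gid, uid, users, groups)
    return True


def check_path(path="."):
    """Apply dir_is_safe to a real directory using the system databases."""
    st = os.stat(path)
    users = [(p.pw_name, p.pw_uid, p.pw_gid) for p in pwd.getpwall()]
    groups = [(g.gr_gid, g.gr_mem) for g in grp.getgrall()]
    return dir_is_safe(st.st_mode, st.st_uid, st.st_gid, os.getuid(), users, groups)


if __name__ == "__main__":
    print("strict:", strict_check(0o40775))
    print("relaxed:", dir_is_safe(0o40775, 1001, 1001, 1001, USERS, GROUPS))
    print("cwd:", check_path())
```

On hosts that use a network account database, `pwd.getpwall()` and `grp.getgrall()` may not enumerate every account, so a deployment relying on this membership test would need a stricter fallback there.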
comment:8 Changed 7 years ago by
- Description modified (diff)
Changed 7 years ago by
comment:9 Changed 7 years ago by
- Description modified (diff)
- Status changed from new to needs_review
comment:10 Changed 7 years ago by
- Reviewers set to Volker Braun
- Status changed from needs_review to positive_review
Looks good to me. Fixes the patchbot on Fedora 17, at least.
comment:11 Changed 7 years ago by
Also fixed for me (Ubuntu 11.10). At any rate, the patchbot is willing to run doctests again.
The patchbot is now running the doctests. I will let you know if anything has broken.
comment:12 Changed 7 years ago by
I detected no problems.
comment:13 Changed 7 years ago by
- Merged in set to sage-5.4.rc3
- Resolution set to fixed
- Status changed from positive_review to closed
I get the following warning when I install the patchbot (sage -i patchbot). This is on ubuntu 11.10.
However, the install appears to go okay.
When I try to run the patchbot, though, it complains (after the building process goes fine, apparently):