Sage: Ticket #13631: Sage refuses to run despite safe directory
https://trac.sagemath.org/ticket/13631
<p>
Something is wrong with the patch at <a class="closed ticket" href="https://trac.sagemath.org/ticket/13579" title="defect: Python sys.path security risk (closed: fixed)">#13579</a>. This breaks the patchbot on Fedora:
</p>
<pre class="wiki">(sage-sh) patchbot@volker-desktop:sage$ python -Werror -c ''
RuntimeWarning: not adding directory '' to sys.path since it's writable by an untrusted group.
Untrusted users could put files in this directory which might then be imported by your Python code. As a general precaution from similar exploits, you should not execute Python code from this directory
(sage-sh) patchbot@volker-desktop:sage$ ls -ald .
drwxrwxr-x. 7 patchbot patchbot 4096 Oct 20 11:24 .
(sage-sh) patchbot@volker-desktop:sage$ umask
0002
(sage-sh) patchbot@volker-desktop:sage$ groups
patchbot
(sage-sh) patchbot@volker-desktop:sage$ id
uid=1001(patchbot) gid=1001(patchbot) groups=1001(patchbot) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
</pre><p>
Updated <strong>spkg</strong>: <a class="ext-link" href="http://boxen.math.washington.edu/home/jdemeyer/spkg/python-2.7.3.p2.spkg">http://boxen.math.washington.edu/home/jdemeyer/spkg/python-2.7.3.p2.spkg</a> (diff: <a class="attachment" href="https://trac.sagemath.org/attachment/ticket/13631/python-2.7.3.p2.diff" title="Attachment 'python-2.7.3.p2.diff' in Ticket #13631">python-2.7.3.p2.diff</a>)
</p>
<p>
<strong>Apply</strong> <a class="attachment" href="https://trac.sagemath.org/attachment/ticket/13631/13631_untar.patch" title="Attachment '13631_untar.patch' in Ticket #13631">13631_untar.patch</a> to the Sage root repository.
</p>
hthomas (Sun, 21 Oct 2012 06:14:18 GMT)
https://trac.sagemath.org/ticket/13631#comment:1
<p>
I get the following warning when I install the patchbot (sage -i patchbot). This is on Ubuntu 11.10.
</p>
<pre class="wiki">>>> Checking online list of optional packages.
sys:1: RuntimeWarning: not adding directory '' to sys.path since it's writable by an untrusted group.
Untrusted users could put files in this directory which might then be imported by your Python code. As a general precaution from similar exploits, you should not execute Python code from this directory
[.]
>>> Found patchbot-1.1.
>>> Downloading patchbot-1.1.spkg.
sys:1: RuntimeWarning: not adding directory '' to sys.path since it's writable by an untrusted group.
Untrusted users could put files in this directory which might then be imported by your Python code. As a general precaution from similar exploits, you should not execute Python code from this directory
[......]
patchbot-1.1
</pre><p>
However, the install appears to go okay.
</p>
<p>
When I try to run the patchbot, though, it complains (after the building process goes fine, apparently):
</p>
<pre class="wiki">========== end plugins.docbuild ==========
$SAGE_ROOT/sage -tp 3 -sagenb $SAGE_ROOT/devel/sage-0/doc/common $SAGE_ROOT/devel/sage-0/doc/en $SAGE_ROOT/devel/sage-0/doc/fr $SAGE_ROOT/devel/sage-0/sage
Global iterations: 1
File iterations: 1
Traceback (most recent call last):
File "/home/hugh/sage-5.4.rc2/local/bin/sage-ptest", line 80, in <module>
.format(os.getcwd()))
RuntimeError: refusing to run doctests from the current directory '/home/hugh/sage-5.4.rc2/devel/sage-0' since untrusted users could put files in this directory, making it unsafe to run Sage code from
Traceback (most recent call last):
File "/home/hugh/sage-5.4.rc2/local/bin/patchbot/patchbot.py", line 416, in test_a_ticket
do_or_die("$SAGE_ROOT/sage %s %s" % (test_cmd, ' '.join(test_dirs)))
File "/home/hugh/sage-5.4.rc2/local/bin/patchbot/util.py", line 62, in do_or_die
raise Exception, "%s %s" % (res, cmd)
Exception: 256 $SAGE_ROOT/sage -tp 3 -sagenb $SAGE_ROOT/devel/sage-0/doc/common $SAGE_ROOT/devel/sage-0/doc/en $SAGE_ROOT/devel/sage-0/doc/fr $SAGE_ROOT/devel/sage-0/sage
2012-10-20 23:08:09 -0700
1439 seconds
Traceback (most recent call last):
File "/home/hugh/sage-5.4.rc2/local/bin/patchbot/patchbot.py", line 416, in test_a_ticket
do_or_die("$SAGE_ROOT/sage %s %s" % (test_cmd, ' '.join(test_dirs)))
File "/home/hugh/sage-5.4.rc2/local/bin/patchbot/util.py", line 62, in do_or_die
raise Exception, "%s %s" % (res, cmd)
Exception: 256 $SAGE_ROOT/sage -tp 3 -sagenb $SAGE_ROOT/devel/sage-0/doc/common $SAGE_ROOT/devel/sage-0/doc/en $SAGE_ROOT/devel/sage-0/doc/fr $SAGE_ROOT/devel/sage-0/sage
Reporting 0 TestsFailed
0 TestsFailed
ok
Done reporting 0
Failing tests in your install: TestsFailed. Continue anyways? [y/N]
</pre>
jdemeyer (Sun, 21 Oct 2012 07:12:20 GMT)
https://trac.sagemath.org/ticket/13631#comment:2
<p>
Hugh, could you provide the same information as Volker (<code>umask</code>, group ids, permissions of the relevant directory).
</p>
<p>
Also, Volker and Hugh: which version of Sage are you talking about? In particular, is <a class="closed ticket" href="https://trac.sagemath.org/ticket/13459" title="enhancement: spkg/bin/sage: do not change directory (closed: fixed)">#13459</a> applied?
</p>
jdemeyer (Sun, 21 Oct 2012 07:13:13 GMT)
https://trac.sagemath.org/ticket/13631#comment:3
<p>
Looks like we should check the umask for <code>python -c</code>
</p>
jdemeyer (Sun, 21 Oct 2012 07:13:28 GMT): priority changed
https://trac.sagemath.org/ticket/13631#comment:4
<ul>
<li><strong>priority</strong>
changed from <em>major</em> to <em>blocker</em>
</li>
</ul>
hthomas (Sun, 21 Oct 2012 07:39:14 GMT)
https://trac.sagemath.org/ticket/13631#comment:5
<p>
I was running 5.4.rc2.
</p>
<p>
I'm not sure which directory is relevant. The directory which it refused to run doctests in was one that had just been created by the patchbot, /home/hugh/sage-5.4.rc2/devel/sage-0. In that directory, I get the following:
</p>
<pre class="wiki">hugh@hugh-laptop:~/sage-5.4.rc2/devel$ cd sage-0/
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-0$ ls -ald .
drwxrwxr-x 7 hugh hugh 4096 2012-10-20 22:45 .
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-0$ umask
0002
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-0$ groups
hugh adm dialout cdrom plugdev lpadmin admin sambashare
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-0$ id
uid=1000(hugh) gid=1000(hugh) groups=1000(hugh),4(adm),20(dialout),24(cdrom),46(plugdev),105(lpadmin),119(admin),122(sambashare)
</pre><p>
I don't know what the output from these commands means, so please let me know if you need more or different information.
</p>
hthomas (Sun, 21 Oct 2012 08:12:26 GMT)
https://trac.sagemath.org/ticket/13631#comment:6
<p>
I can get the same error without the patchbot.
</p>
<pre class="wiki">hugh@hugh-laptop:~$ cd sage-5.4.rc2/devel/sage-main/
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-main$ ../../sage -t sage/combinat/tableau.py
Traceback (most recent call last):
File "/home/hugh/sage-5.4.rc2/local/bin/sage-test", line 53, in <module>
.format(os.getcwd()))
RuntimeError: refusing to run doctests from the current directory '/home/hugh/sage-5.4.rc2/devel/sage-main' since untrusted users could put files in this directory, making it unsafe to run Sage code from
</pre><p>
I get the same output from the above commands (ls, etc.) in sage-main as in sage-0.
</p>
<p>
It works fine if I run sage -t from ~/sage-5.4.rc2. There, I get:
</p>
<pre class="wiki">hugh@hugh-laptop:~/sage-5.4.rc2$ ls -ald .
drwxr-xr-x 9 hugh hugh 4096 2012-10-20 22:44 .
</pre><p>
I get the same error as above if I run sage -t from ~/sage-5.4.rc2/devel, where the output from ls -ald ., etc., looks very similar to sage-5.4.rc2/devel/sage-main.
</p>
vbraun (Sun, 21 Oct 2012 08:40:33 GMT)
https://trac.sagemath.org/ticket/13631#comment:7
<p>
I'm talking about Sage-5.4.rc2 (which is the first one with your Python patch). The problem is the
</p>
<pre class="wiki">if ((arg_stat.st_mode & 0022) == 0 && (program_stat.st_mode & 0022) == 0)
</pre><p>
check, that's too restrictive. If you have your own group then it's perfectly safe for the directory to be group-writable, and indeed Fedora sets you up with umask <code>0002</code> in that case.
</p>
jdemeyer (Mon, 29 Oct 2012 21:37:34 GMT): description changed; author set
https://trac.sagemath.org/ticket/13631#comment:8
<ul>
<li><strong>description</strong>
modified (<a href="/ticket/13631?action=diff&version=8">diff</a>)
</li>
<li><strong>author</strong>
set to <em>Jeroen Demeyer</em>
</li>
</ul>
jdemeyer (Mon, 29 Oct 2012 21:37:51 GMT): attachment set
https://trac.sagemath.org/ticket/13631
<ul>
<li><strong>attachment</strong>
set to <em>python-2.7.3.p2.diff</em>
</li>
</ul>
<p>
Diff for the python spkg. For reference / review only.
</p>
jdemeyer (Mon, 29 Oct 2012 21:56:01 GMT): attachment set
https://trac.sagemath.org/ticket/13631
<ul>
<li><strong>attachment</strong>
set to <em>13631_untar.patch</em>
</li>
</ul>
jdemeyer (Mon, 29 Oct 2012 21:57:16 GMT): status, description changed
https://trac.sagemath.org/ticket/13631#comment:9
<ul>
<li><strong>status</strong>
changed from <em>new</em> to <em>needs_review</em>
</li>
<li><strong>description</strong>
modified (<a href="/ticket/13631?action=diff&version=9">diff</a>)
</li>
</ul>
vbraun (Tue, 30 Oct 2012 10:45:26 GMT): status changed; reviewer set
https://trac.sagemath.org/ticket/13631#comment:10
<ul>
<li><strong>status</strong>
changed from <em>needs_review</em> to <em>positive_review</em>
</li>
<li><strong>reviewer</strong>
set to <em>Volker Braun</em>
</li>
</ul>
<p>
Looks good to me. Fixes the patchbot on Fedora 17, at least.
</p>
hthomas (Tue, 30 Oct 2012 15:12:00 GMT)
https://trac.sagemath.org/ticket/13631#comment:11
<p>
Also fixed for me (Ubuntu 11.10). At any rate, the patchbot is willing to run doctests again.
</p>
<p>
The patchbot is now running the doctests. I will let you know if anything has broken.
</p>
hthomas (Tue, 30 Oct 2012 17:47:34 GMT)
https://trac.sagemath.org/ticket/13631#comment:12
<p>
I detected no problems.
</p>
jdemeyer (Wed, 31 Oct 2012 21:56:05 GMT): status changed; resolution, merged set
https://trac.sagemath.org/ticket/13631#comment:13
<ul>
<li><strong>status</strong>
changed from <em>positive_review</em> to <em>closed</em>
</li>
<li><strong>resolution</strong>
set to <em>fixed</em>
</li>
<li><strong>merged</strong>
set to <em>sage-5.4.rc3</em>
</li>
</ul>