Date: Mon, 24 Oct 2022 23:58:22 +0200
From: Julien Moutinho
To: meta@public-inbox.org
Subject: Test failures due to core.sharedRepository
 and
Message-ID: <20221024215822.azmu2egkibe73rc3@sourcephile.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
List-Id: sandboxing
Reply-To:

Hi!

While updating from 1.8.0 to 1.9.0, I've stumbled upon that failure
in t/lei-q-kw.t (but other tests fail for the same reason):
> ok 52 - lei import -F eml t/x-unknown-alpine.eml
> not ok 53 - no errors importing previous external-only message
> # Failed test 'no errors importing previous external-only message'
> # at t/lei-q-kw.t line 181.
> # got: 'error: unable to create temporary file: Operation not permitted
> # fatal: failed to write object
> # '
> # expected: ''

strace -f prove -bvw t/lei-q-kw.t revealed this EPERM:
> chmod("/build/tmp/pi-lei-q-kw-1976-HlW5/lei-daemon/.local/share/lei/store/local/0.git/objects/pack", 02700) = -1 EPERM (Operation not permitted)

Turns out this is another consequence of running inside nix's sandbox:
> ; Disallow creating setuid/setgid binaries, since that
> ; would allow breaking build user isolation.
> (deny file-write-setugid)
https://github.com/NixOS/nix/blob/b3d2a05c59266688aa904d5fb326394cbb7e9e90/src/libstore/sandbox-defaults.sb#L5-L7
https://github.com/NixOS/nix/blob/b3d2a05c59266688aa904d5fb326394cbb7e9e90/src/libstore/build/local-derivation-goal.cc#L1555-L1568

That SGID bit in 2700 is due to git's FORCE_DIR_SET_GID:
> if (S_ISDIR(old_mode)) {
>     /* Copy read bits to execute bits */
>     new_mode |= (new_mode & 0444) >> 2;
>     new_mode |= FORCE_DIR_SET_GID;
> }
https://github.com/git/git/blob/1fc3c0ad407008c2f71dd9ae1241d8b75f8ef886/path.c#L901-L905

which is enabled when public-inbox sets core.sharedRepository:
> $self->git->qx(qw(config core.sharedRepository 0600));
https://public-inbox.org/public-inbox.git/tree/lib/PublicInbox/ExtSearchIdx.pm?id=0881010d123914be5e47544229e2b03412a6a691#n1231

Eric, do you think something can be done to accommodate nix's sandbox?
Otherwise I can disable those failing tests.

Cheers,