New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure script only runs in users HOME directory #1221
Conversation
Since this script is sourced, however, wouldn't that change the current working directory for the user? |
What are the operations "sourcing nvm.sh" does that require permissions? I'd rather take a look at those, I think. |
Sourcing .bashrc won't change the working directory and neither will switching to a user from another user. This means if I'm in a directory I don't have permissions to, when .bashrc is sourced and in turn sources nvm.sh, it fails. Not sure what nvm.sh is doing that requires permissions in the current working directory as I didn't delve too deep into the script but you can try the following by manually running these commands in the terminal on an Ubuntu box to see for yourself: # switch to root user
sudo su
# change to root's $HOME directory
cd "$HOME"
# create a new user called bob
adduser --disabled-password --gecos "" bob
# check the current working directory
pwd
# at this point, you should be in the /root directory which bob won't have permissions to
# switch to user bob
su bob
# here, you'll have a new shell session as user bob and bob's .bashrc will have been sourced
# note that everything so far is fine with no errors
# check the current directory now you're logged in as bob
pwd
# you should still be in /root as you've not changed directories, however user bob won't have permissions to do anything there
# try a command like `ls` and you'll get permission denied
ls
# install NVM
curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.31.7/install.sh | bash
# interstingly, nothing in your install.sh script tries to perform operations in the current directory
# so NVM installs successfully with no permission errors
# exit bob's session
exit
# now log in as bob again - this time nvm.sh is in bob's .bashrc and will be sourced on login
su bob
# note we can still log in as bob without errors despite the fact we're in the /root directory
# if we try and install node now, we'll get permission errors because we're in the /root dir
# so something in the install process tries to operate in the current directory
nvm install 6.5.0
# if we make sure we're in bobs $HOME dir where we do have permissions we can install node successfully
cd "$HOME"
nvm install 6.5.0
# exit bobs session again
exit
# get back to roots home dir
cd "$HOME"
# now when we try to login as bob, we'll get the same error we had when trying to install node
su bob
# so we managed to switch to user bob while in the /root directory without any problems before installing node
# now we've installed it we get errors and it's because something in nvm.sh
# or something that nvm.sh executes
# is attempting to perform an operation in the current directory.
# if we exit bob's session again
exit
# change to a directory bob will have access to e.g.
cd /home/bob
# try logging in as bob
su bob
# there's no error
# we're still sourcing nvm.sh in the .bashrc and still performing ops on the current dir
# but as the current dir is now something bob has access to we don't get an error The only reason the working directory isn't changed in this example is because I'm not doing a full login as bob i.e. |
I'm talking about when sourcing |
|
So yeah, something in nvm.sh or something it executes is trying to perform ops in the current working directory which is an unknown entity therefore can't be safely relied on. |
@antonosmond does the same thing still happen if you |
Also, if you do |
I know it's a pretty obscure edge case but thought I'd share it as me & colleague spent a couple of hours today trying to work out why it wasn't working! lol! To give some context I'm a DevOps engineer and was trying to automate NVM installation on a GOCD agent in AWS. I wanted the install to happen on boot (AWS provide userdata where we can run script to do stuff like this) but that runs as root and I needed to install NVM for the |
Doesn't happen if I do
|
OK, i think the error is happening within When I make a dir that's owned by somebody else and i have $ npm config get prefix
path.js:1144
cwd = process.cwd();
^
Error: EACCES: permission denied, uv_cwd
at Error (native)
at Object.resolve (path.js:1144:25)
at Function.Module._resolveLookupPaths (module.js:376:17)
at Function.Module._resolveFilename (module.js:446:31)
at Function.Module._load (module.js:403:25)
at Module.require (module.js:483:17)
at require (internal/module.js:20:19)
at $HOME/.nvm/versions/node/v6.5.0/lib/node_modules/npm/bin/npm-cli.js:25:13
at Object.<anonymous> ($HOME/.nvm/versions/node/v6.5.0/lib/node_modules/npm/bin/npm-cli.js:75:3)
at Module._compile (module.js:556:32) |
Hmmm makes sense as the error I posted earlier looked like npm may be the issue:
I don't think this would be a problem with a native npm installation though, it's just because of the way we're sourcing in the |
In other words, this PR doesn't fix the problem - running I'd be interested in exploring the callsite where |
Yes and no RE fixing the problem. It's expected behaviour that I can't run operations that rely on the CWD. However, in this case it's crashing on just switching to a user and borking that users env. By adding the cd "$HOME" in nvm.sh, I no longer get an error when switching users and my env doesn't get borked by the crash sourcing the .bashrc. |
Even with the error though - that should just prevent the |
Yes you're right. It'd still be nice not to have something in the .bashrc that can cause an error just by switching to that user. If there's no risks with adding the change to prevent the error I'd like to see it go in but guess it's your call. It could be made safer by storing the CWD at the start, cd'ing to $HOME and doing it's stuff then cd'ing back to the original CWD, just to make sure nothing else sourced or executed in the .bashrc is affected by the cd. Either way I'm not too fussed if you add it or not as it is a pretty obscure edge case. :) |
I'd say a better approach would be to, only inside |
Sounds good to me but I'm not going to look at it right now as not sure where you are but it's 12:35am here and I have to be up for work 2moro! lol! |
@antonosmond are you still interested in implementing the approach here? |
@antonosmond are you no longer interested in this change? |
I had a minor issue with NVM after installing on an Ubuntu Server.
The issue was caused by the fact the
nvm.sh
script tries to perform actions that require permissions in the current working directory (an unknown directory at the time the users.bashrc
is sourced.Say I have a user
bob
with NVM and node installed.If I log on to my Ubuntu instance as user
root
and am in the root home directory/root
then dosu bob
to switch to thebob
user, bob's~/.bashrc
is sourced and NVM sources"$NVM_DIR/nvm.sh"
. In most cases this isn't a problem, but in the example I provided, as I was in the/root
directory when I switched to userbob
, the current directory is maintained which is/root
andbob
doesn't have read/write access there so when the NVM script is sourced it fails with permission errors. In theory, nothing sourced in the.bashrc
should rely on the unkown current working directory and to fix NVM, all that's needed is to ensure the script runs in a location where it has access. As NVM is sourced by a users.bashrc
I think it makes to sense that it runs in the users home directory, hence the change I'm proposing.