Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dd-trace-rb 1.21.0 LoadError failures when running under a different user #3529

Closed
AlexJF opened this issue Mar 15, 2024 · 2 comments
Closed

dd-trace-rb 1.21.0 LoadError failures when running under a different user #3529

AlexJF opened this issue Mar 15, 2024 · 2 comments
Labels
bug Involves a bug community Was opened by a community member
Milestone
1.21.1

Comments

@AlexJF
Copy link
Contributor

AlexJF commented Mar 15, 2024

Current behaviour

  • When the ddtrace gem is installed under a user (say userA).
  • And the ruby app runs under a different user (say userB).
  • Then LoadError errors are raised either during ddtracerb/ddprofrb execution or during requirement of a file included in the gem (such as require 'ddtrace/auto_instrument').

Expected behaviour

  • ddtrace gem files should be available by default independently of the user that installed them, unless user-specified permissions dictate otherwise.

Steps to reproduce

  • Dockerfile
FROM ruby:3.3
ARG ddtrace_version

WORKDIR /app

RUN echo "source 'https://rubygems.org'\n\ngem 'ddtrace', '$ddtrace_version'" >> gems.rb

RUN bundle install

CMD bundle exec ddtracerb -h
  • Try with 1.20.0 and a made-up user/group id (different from the root user who ran the bundle install in the Dockerfile), you get the expected output of:
❯ docker run -u 502:20 -it $(docker build -q . --build-arg ddtrace_version=1.20.0)
Command '' is not valid for ddtrace.

  Usage: ddtracerb [command] [arguments]
    exec [command]: Executes command with tracing & profiling preloaded.
    help:           Prints this help message.
  • Try with 1.21.0 with the same made-up user/group id:
❯ docker run -u 502:20 -it $(docker build -q . --build-arg ddtrace_version=1.21.0)
bundler: failed to load command: ddtracerb (/usr/local/bundle/bin/ddtracerb)
/usr/local/bundle/bin/ddtracerb:25:in `load': cannot load such file -- /usr/local/bundle/gems/ddtrace-1.21.0/bin/ddtracerb (LoadError)
        from /usr/local/bundle/bin/ddtracerb:25:in `<top (required)>'
        from /usr/local/lib/ruby/3.3.0/bundler/cli/exec.rb:58:in `load'
        from /usr/local/lib/ruby/3.3.0/bundler/cli/exec.rb:58:in `kernel_load'
        from /usr/local/lib/ruby/3.3.0/bundler/cli/exec.rb:23:in `run'
        from /usr/local/lib/ruby/3.3.0/bundler/cli.rb:451:in `exec'
        from /usr/local/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor/command.rb:28:in `run'
        from /usr/local/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor/invocation.rb:127:in `invoke_command'
        from /usr/local/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor.rb:527:in `dispatch'
        from /usr/local/lib/ruby/3.3.0/bundler/cli.rb:34:in `dispatch'
        from /usr/local/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor/base.rb:584:in `start'
        from /usr/local/lib/ruby/3.3.0/bundler/cli.rb:28:in `start'
        from /usr/local/lib/ruby/gems/3.3.0/gems/bundler-2.5.3/exe/bundle:28:in `block in <top (required)>'
        from /usr/local/lib/ruby/3.3.0/bundler/friendly_errors.rb:117:in `with_friendly_errors'
        from /usr/local/lib/ruby/gems/3.3.0/gems/bundler-2.5.3/exe/bundle:20:in `<top (required)>'
        from /usr/local/bin/bundle:25:in `load'
        from /usr/local/bin/bundle:25:in `<main>'
@AlexJF AlexJF added bug Involves a bug community Was opened by a community member labels Mar 15, 2024
@AlexJF
Copy link
Contributor Author

AlexJF commented Mar 15, 2024
edited
Loading

If you check the file permissions of the contents of 1.20.0 vs 1.21.0 gems you see that 1.21.0 seems to be missing world readable permissions on all files:

alexandre.fonseca ~/Downloads/ddtrace-1.20.0 
❯ ls -lah data/**/** | grep -vE '\.?\.$' | grep -E "(d|-)rw" | cut -d ' ' -f1 | sort | uniq -c
   1565 -rw-r--r--
      2 -rwxr-xr-x
    226 drwxr-xr-x

alexandre.fonseca ~/Downloads/ddtrace-1.21.0  
❯ ls -lah data/**/** | grep -vE '\.?\.$' | grep -E "(d|-)rw" | cut -d ' ' -f1 | sort | uniq -c
   1567 -rw-r-----
      4 -rwxr-x---
    225 drwxr-xr-x

@AlexJF
Copy link
Contributor Author

AlexJF commented Mar 15, 2024
edited
Loading

Manually adding the missing world readable permission works fine as a hotfix:

  • Dockerfile
FROM ruby:3.3
ARG ddtrace_version

WORKDIR /app

RUN echo "source 'https://rubygems.org'\n\ngem 'ddtrace', '$ddtrace_version'" >> gems.rb

RUN bundle install
RUN chmod -R +r $(bundle show ddtrace) # <----- HOTFIX

CMD bundle exec ddtracerb

❯ docker run -u 502:20 -it $(docker build -q . --build-arg ddtrace_version=1.21.0)
WARNING: Use of `ddtracerb` is deprecated, and will be removed in 2.0. Use `ddprofrb` instead.
Command '' is not valid for ddtracerb.

  Usage: ddprofrb [command] [arguments]
    exec [command]: Executes command with profiling preloaded.
    help:           Prints this help message.

@ivoanjo ivoanjo added this to the 1.21.1 milestone Mar 15, 2024
ivoanjo added a commit that referenced this issue Mar 18, 2024
@ivoanjo
[NO-TICKET] Add validation for gem file permissions
2311f0e 
**What does this PR do?**

This PR adds validation so we catch the issue from #3529 before the
incorrect packages are published on rubygems.org.

Specifically, it checks that every file in packaged `.gem` file has
the expected permissions.

**Motivation:**

Avoid #3529 happening again.

**Additional Notes:**

N/A

**How to test the change?**

You can run `bundle exec rake build` to trigger this validation. Try
setting incorrect permissions on one of the files and running, and
you should see the validation failing.
ivoanjo added a commit that referenced this issue Mar 18, 2024
@ivoanjo
[NO-TICKET] Add validation for gem file permissions
44ed539 
**What does this PR do?**

This PR adds validation so we catch the issue from #3529 before the
incorrect packages are published on rubygems.org.

Specifically, it checks that every file in packaged `.gem` file has
the expected permissions.

**Motivation:**

Avoid #3529 happening again.

**Additional Notes:**

N/A

**How to test the change?**

You can run `bundle exec rake build` to trigger this validation. Try
setting incorrect permissions on one of the files and running, and
you should see the validation failing.
ivoanjo added a commit that referenced this issue Mar 18, 2024
@ivoanjo
[NO-TICKET] Add validation for gem file permissions
deff9cf 
**What does this PR do?**

This PR adds validation so we catch the issue from #3529 before the
incorrect packages are published on rubygems.org.

Specifically, it checks that every file in packaged `.gem` file has
the expected permissions.

**Motivation:**

Avoid #3529 happening again.

**Additional Notes:**

N/A

**How to test the change?**

You can run `bundle exec rake build` to trigger this validation. Try
setting incorrect permissions on one of the files and running, and
you should see the validation failing.
@ivoanjo ivoanjo mentioned this issue Mar 18, 2024
Merged
2 tasks
@cnorthwood cnorthwood mentioned this issue Mar 19, 2024
Closed
@colby-swandale colby-swandale mentioned this issue Mar 20, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Involves a bug community Was opened by a community member
Projects
None yet
Milestone
1.21.1
Development

No branches or pull requests
3 participants
@AlexJF @ivoanjo @TonyCTHsu