Permission Error on AUR git packages

[stef204]

Hi, for weeks now, I have noticed that aura is unable to update or install git packages from the AUR due to permission errors.

% sudo aura -A --force etmtk-git
aura >>= Determining dependencies...
aura >>= AUR Packages:
etmtk-git
aura >>= Continue? [Y/n] 
aura >>= Building etmtk-git...
aura >>= Building failed. Would you like to see the error? [Y/n] 
/usr/bin/makepkg: line 1205: PKGBUILD: Permission denied
/usr/share/makepkg/util/util.sh: line 108: /var/cache/aura/vcs/etmtk-git/etmtk-git/PKGBUILD: Permission denied
==> ERROR: Failed to source /var/cache/aura/vcs/etmtk-git/etmtk-git/PKGBUILD

aura >>= There was a makepkg failure.
aura >>= Would you like to continue anyway? [Y/n] 
aura >>= Every package failed to build.

And:

% ls -l /var/cache/aura/vcs/etmtk-git/etmtk-git/PKGBUILD
-rw------- 1 root root 2.0K Sep 14 21:22 /var/cache/aura/vcs/etmtk-git/etmtk-git/PKGBUILD

Permissions are set by aura to 600 during build process.

Not sure why it creates this error.

NOTE: this does not occur with non-git packages.

[fosskers]

We've seen this before, and part of the issue seems to be that installation via the official packages sets the permissions right, but the "automatic" way that Aura does itself seems flawed.

[stef204]

So what's the solution? Is there anything I can do to help?
The error is consistent on my side, i.e. all non version-controlled packages install or update properly and the vcs ones run into that error.

[fosskers]

For now, can you try deleting /var/cache/aura/vcs/ and installing the official aura-bin package? That should at least set up the directory correctly, at which point you could continue to build Aura yourself.

[stef204]

Let me do that manually instead, What are the requirements?

[fosskers]

Actually, now that I look, the aura-bin installation process doesn't create that directory! Which means it's only ever created by Aura automatically the first time you try to build a *-git package.

Okay, then let's try it this way: can you delete /var/cache/aura/vcs/ and install a *-git package, then install it a second time while passing --force to aura?

I'll also mention that this sounds related to #615.

[stef204]

Error still--not sure if it's due to the same permission issue but likely is:

% sudo aura -A pacwall-git     
aura >>= Determining dependencies...
aura >>= AUR Packages:
pacwall-git
aura >>= Continue? [Y/n] 
aura >>= Building pacwall-git...
aura >>= Building failed. Would you like to see the error? [Y/n] 
==> ERROR: Failed to create the directory $BUILDDIR (/var/cache/aura/vcs/pacwall-git/pacwall-git).
    Aborting...

aura >>= There was a makepkg failure.
aura >>= Would you like to continue anyway? [Y/n] 
aura >>= Every package failed to build.

 % sudo aura -A --force pacwall-git
aura >>= Determining dependencies...
aura >>= AUR Packages:
pacwall-git
aura >>= Continue? [Y/n] 
aura >>= Building pacwall-git...
aura >>= Building failed. Would you like to see the error? [Y/n] 
==> ERROR: Failed to create the directory $BUILDDIR (/var/cache/aura/vcs/pacwall-git/pacwall-git).
    Aborting...

aura >>= There was a makepkg failure.
aura >>= Would you like to continue anyway? [Y/n] 
aura >>= Every package failed to build.

/var/cache/aura/vcs/pacwall-git has ownership: $USER:root

Is that intentional?

NOTE (just to be thorough):

% saura -A --force pacwall-git --log-level debug
AuraConfig {acLang = Nothing, acEditor = Nothing, acUser = Nothing, acBuildPath = Nothing, acASPath = Nothing, acVCSPath = Nothing, acAnalyse = Nothing}
2020-09-17 12:00:54.477338: [debug] Interpreting CLI options.
@(exec/aura.hs:92:3)
2020-09-17 12:00:54.477563: [debug] Right (AurSync (Right (PkgName {pnName = "pacwall-git"} :| [])) (fromList []))
@(exec/aura.hs:96:5)
2020-09-17 12:00:54.477633: [debug] BuildConfig {makepkgFlagsOf = fromList [], buildPathOf = Nothing, buildUserOf = Just (User {user = "$USER"}), allsourcePathOf = Nothing, vcsPathOf = Nothing, truncationOf = None, buildSwitchesOf = fromList [ForceBuilding]}
@(exec/aura.hs:97:5)
2020-09-17 12:00:54.477694: [debug] CommonConfig {cachePathOf = Left "/var/cache/pacman/pkg/", configPathOf = Left "/etc/pacman.conf", logPathOf = Left "/var/log/pacman.log", commonSwitchesOf = fromList []}
@(exec/aura.hs:98:5)
aura >>= Determining dependencies...
2020-09-17 12:00:55.430849: [debug] resolveDeps: Entered.
@(lib/Aura/Dependencies.hs:54:3)
2020-09-17 12:00:55.449457: [debug] resolveDeps: Successful recursive dep lookup.
@(lib/Aura/Dependencies.hs:58:3)
aura >>= AUR Packages:
pacwall-git
aura >>= Continue? [Y/n] 
2020-09-17 12:01:07.074661: [debug] Building: pacwall-git
@(lib/Aura/Build.hs:73:3)
aura >>= Building pacwall-git...
2020-09-17 12:01:07.074856: [debug] git: Clearing worktree. 
@(lib/Aura/Build.hs:157:3)
2020-09-17 12:01:07.081599: [debug] git: Pulling repo.
@(lib/Aura/Build.hs:159:3)
aura >>= Building failed. Would you like to see the error? [Y/n] 
==> ERROR: Failed to create the directory $BUILDDIR (/var/cache/aura/vcs/pacwall-git/pacwall-git).
    Aborting...

aura >>= There was a makepkg failure.
aura >>= Would you like to continue anyway? [Y/n] 
aura >>= Every package failed to build.

[fosskers]

Thank you for your patience with this.

Can you do an ls -l on /var/cache/aura/vcs/ and paste the results here? I'd like to compare with my machine.

[stef204]

% sudo ls -l /var/cache/aura/vcs/
total 8
drwx------ 3 $USER root 4096 Sep 17 11:49 pacwall-git
drwx------ 3 $USER root 4096 Sep 19 10:30 python2-pynacl-git

[fosskers]

How about the .? On my own I see:

> la
total 20K
drwxr-xr-x 5 root  root 4.0K Jun 10 10:39 ./
drwxr-xr-x 5 root  root 4.0K Jun 16 08:34 ../
drwxr-xr-x 3 colin root 4.0K Jun 10 10:39 aura-git/
drwxr-xr-x 3 colin root 4.0K May 27 10:01 libumem-git/
drwxr-xr-x 3 colin root 4.0K May 26 10:58 readline-athame-git/

[stef204]

% sudo ls -la /var/cache/aura/vcs/
total 16
drwx------ 4 root root 4096 Sep 19 10:30 .
drwxr-xr-x 5 root root 4096 Sep 17 11:49 ..
drwx------ 3 $USER root 4096 Sep 17 11:49 pacwall-git
drwx------ 3 $USER root 4096 Sep 19 10:30 python2-pynacl-git

I have a umask of 077 if it makes a difference.

[fosskers]

Hmm... why are our permissions different...

[fosskers]

In trying to build pacwall-git for myself:

==> Making package: pacwall-git 2.0.r1.g235e1bb-1 (Fri 23 Oct 2020 11:18:38 AM PDT)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Cloning pacwall git repo...
Cloning into bare repository '/var/cache/aura/vcs/pacwall-git/pacwall-git/pacwall'...
...
==> Extracting sources...
  -> Creating working copy of pacwall git repo...
Cloning into 'pacwall'...
done.
Switched to a new branch 'makepkg'
==> Starting pkgver()...
==> WARNING: /var/cache/aura/vcs/pacwall-git/pacwall-git/PKGBUILD is not writeable -- pkgver will not be updated
==> Starting build()...
...

And checking permissions:

> la
Permissions Size User  Date Modified Name
drwxr-xr-x     - colin 10 Jun 10:39  aura-git
drwxr-xr-x     - colin 27 May 10:01  libumem-git
drwxr-xr-x     - colin 23 Oct 11:18  pacwall-git
drwxr-xr-x     - colin 26 May 10:58  readline-athame-git

> pwd
/var/cache/aura/vcs/pacwall-git/pacwall-git
> la
Permissions Size User  Date Modified Name
drwxr-xr-x     - colin 23 Oct 11:18  .git
.rw-r--r--   453 root  23 Oct 11:18  .SRCINFO
drwxr-xr-x     - colin 23 Oct 11:18  pacwall
.rw-r--r--   23k colin 23 Oct 11:18  pacwall-git-2.0.r1.g235e1bb-1-any.pkg.tar.zst
drwxr-xr-x     - colin 23 Oct 11:18  pkg
.rw-r--r--  1.4k root  23 Oct 11:18  PKGBUILD
drwxr-xr-x     - colin 23 Oct 11:18  src

[fosskers]

The smoking gun. Why are .SRCINFO and PKGBUILD owned by root here? I wonder if it has to do with logic related to --hotedit that overwrites source files (and probably as the root user). Note that I didn't use --hotedit here.

[fosskers]

Found the problem:

-- | Assuming that we're already in a VCS-based package's build folder,
-- just pull the latest instead of cloning.
pullRepo :: RIO Env (Either Failure ())
pullRepo = do
  logDebug "git: Clearing worktree. "
  void . runProcess . setStderr closed . setStdout closed $ proc "git" ["reset", "--hard", "HEAD"]
  logDebug "git: Pulling repo."
  ec <- runProcess . setStderr closed . setStdout closed $ proc "git" ["pull"]
  case ec of
    ExitFailure _ -> pure . Left . Failure $ FailMsg buildFail_12
    ExitSuccess   -> pure $ Right ()

The git reset line (which was added to fix another bug) resets the permissions on the files originally cloned, namely the .SRCINFO and PKBUILD.

[fosskers]

@stef204 since you're used to building Aura yourself, would you mind testing out PR #655 before I merge it? It should fix your issue.

[stef204]

I checked out colin/git-permissions:

% git status                        
On branch colin/git-permissions
Your branch is up to date with 'origin/colin/git-permissions'.

nothing to commit, working tree clean

And built it.
Results in failure:

% sudo aura -A --force pacwall-git --log-level debug
AuraConfig {acLang = Nothing, acEditor = Nothing, acUser = Nothing, acBuildPath = Nothing, acASPath = Nothing, acVCSPath = Nothing, acAnalyse = Nothing}
2020-10-24 16:04:19.685906: [debug] Interpreting CLI options.
@(exec/aura.hs:89:3)
2020-10-24 16:04:19.686143: [debug] Right (AurSync (Right (PkgName {pnName = "pacwall-git"} :| [])) (fromList []))
@(exec/aura.hs:93:5)
2020-10-24 16:04:19.686224: [debug] BuildConfig {makepkgFlagsOf = fromList [], buildPathOf = Nothing, buildUserOf = Just (User {user = "$USER"}), allsourcePathOf = Nothing, vcsPathOf = Nothing, truncationOf = None, buildSwitchesOf = fromList [ForceBuilding]}
@(exec/aura.hs:94:5)
2020-10-24 16:04:19.686297: [debug] CommonConfig {cachePathOf = Left "/var/cache/pacman/pkg/", configPathOf = Left "/etc/pacman.conf", logPathOf = Left "/var/log/pacman.log", commonSwitchesOf = fromList []}
@(exec/aura.hs:95:5)
aura >>= Determining dependencies...
2020-10-24 16:04:20.731508: [debug] resolveDeps: Entered.
@(lib/Aura/Dependencies.hs:54:3)
2020-10-24 16:04:20.746574: [debug] resolveDeps: Successful recursive dep lookup.
@(lib/Aura/Dependencies.hs:58:3)
aura >>= AUR Packages:
pacwall-git
aura >>= Continue? [Y/n] 
2020-10-24 16:04:23.631818: [debug] Building: pacwall-git
@(lib/Aura/Build.hs:80:3)
aura >>= Building pacwall-git...
2020-10-24 16:04:23.632062: [debug] git: Clearing worktree. 
@(lib/Aura/Build.hs:170:3)
2020-10-24 16:04:23.709471: [debug] git: Pulling repo.
@(lib/Aura/Build.hs:172:3)
2020-10-24 16:04:25.062782: [debug] Potential hotediting...
@(lib/Aura/Build.hs:117:5)
2020-10-24 16:04:25.062982: [debug] Building package.
@(lib/Aura/Build.hs:126:9)
aura >>= Building failed. Would you like to see the error? [Y/n] 
==> ERROR: Failed to create the directory $BUILDDIR (/var/cache/aura/vcs/pacwall-git/pacwall-git).
    Aborting...

aura >>= There was a makepkg failure.
aura >>= Would you like to continue anyway? [Y/n] 
aura >>= Every package failed to build.

[fosskers]

Ah, you will have to delete your /var/cache/aura/vcs folder first, or run:

sudo chown -R <YOU> .

in that folder.

[stef204]

I deleted the entire vcs dir.

Then tried:

saura -A --force pacwall-git --log-level debug
AuraConfig {acLang = Nothing, acEditor = Nothing, acUser = Nothing, acBuildPath = Nothing, acASPath = Nothing, acVCSPath = Nothing, acAnalyse = Nothing}
2020-10-24 19:20:59.953762: [debug] Interpreting CLI options.
@(exec/aura.hs:89:3)
2020-10-24 19:20:59.954151: [debug] Right (AurSync (Right (PkgName {pnName = "pacwall-git"} :| [])) (fromList []))
@(exec/aura.hs:93:5)
2020-10-24 19:20:59.954294: [debug] BuildConfig {makepkgFlagsOf = fromList [], buildPathOf = Nothing, buildUserOf = Just (User {user = "$USER"}), allsourcePathOf = Nothing, vcsPathOf = Nothing, truncationOf = None, buildSwitchesOf = fromList [ForceBuilding]}
@(exec/aura.hs:94:5)
2020-10-24 19:20:59.954396: [debug] CommonConfig {cachePathOf = Left "/var/cache/pacman/pkg/", configPathOf = Left "/etc/pacman.conf", logPathOf = Left "/var/log/pacman.log", commonSwitchesOf = fromList []}
@(exec/aura.hs:95:5)
aura >>= Determining dependencies...
2020-10-24 19:21:00.930662: [debug] resolveDeps: Entered.
@(lib/Aura/Dependencies.hs:54:3)
2020-10-24 19:21:00.950167: [debug] resolveDeps: Successful recursive dep lookup.
@(lib/Aura/Dependencies.hs:58:3)
aura >>= AUR Packages:
pacwall-git
aura >>= Continue? [Y/n] 
2020-10-24 19:21:02.347384: [debug] Building: pacwall-git
@(lib/Aura/Build.hs:80:3)
aura >>= Building pacwall-git...
2020-10-24 19:21:02.347639: [debug] Currently in: "/var/cache/aura/vcs/pacwall-git"
@(lib/Aura/Build.hs:159:3)
2020-10-24 19:21:03.839003: [debug] git: Initial cloning complete.
@(lib/Aura/Build.hs:161:3)
2020-10-24 19:21:03.842515: [debug] git: Clearing worktree. 
@(lib/Aura/Build.hs:170:3)
2020-10-24 19:21:03.849080: [debug] git: Pulling repo.
@(lib/Aura/Build.hs:172:3)
2020-10-24 19:21:04.430167: [debug] Potential hotediting...
@(lib/Aura/Build.hs:117:5)
2020-10-24 19:21:04.430364: [debug] Building package.
@(lib/Aura/Build.hs:126:9)
aura >>= Building failed. Would you like to see the error? [Y/n] 
==> ERROR: Failed to create the directory $BUILDDIR (/var/cache/aura/vcs/pacwall-git/pacwall-git).
    Aborting...

aura >>= There was a makepkg failure.
aura >>= Would you like to continue anyway? [Y/n] 
aura >>= Every package failed to build.

Fails again.

Incidentally:

% l /var/cache/aura
total 72K
drwxr-xr-x  5 root root 4.0K Oct 24 19:18 .
drwxr-xr-x 19 root root 4.0K Oct 24 14:44 ..
drwxr-xr-x  2 root root  32K Oct 14 11:58 pkgbuilds
drwxr-xr-x  2 root root  20K Oct 24 14:54 states
drwx------  3 root root 4.0K Oct 24 19:18 vcs

It creates vcs with root:root.with 700 octal perms.

NOTE: I have a umask of 077--> that might be a factor?

NOTE 2: if i change ownership manually to $USER:users it works and builds git packages.

However, a user installing aura for the first time would still run into the permissions problem. Again my umask might be a factor, not sure.

[fosskers]

Hmm... I don't have such a umask, so maybe that's the issue. Perhaps I should create the vcs folder with permissive write options.

[stef204]

Hmm... I don't have such a umask, so maybe that's the issue. Perhaps I should create the vcs folder with permissive write options.

If I manually create the vcs dir with 755, then run aura to build a git package, it succeeds.

I do think this is a umask related-issue. If it is, since you cannot control which umask users will have or prefer, creating the vcs dir explicitly with 755 might make sense?

PS This issue has crept up but wasn't present in 2.0, etc. Or early versions of 3, as I recall,
Wonder what changed to cause this.

[ratijas]

Ah, you will have to delete your /var/cache/aura/vcs folder first, or run:

sudo chown -R <YOU> .

in that folder.

Maybe that should become a part of an automatic migration process? Otherwise an upgrade of aura package would suddenly break users' existing setups.

[stef204]

I think that having aura create /var/cache/aura/vcs like this:(or equivalent) mkdir -m755 /var/cache/aura/vcs or just set 755 permissions (if vcs already present), should be enough?
(That should not break anything.)

[stef204]

I closed this by error, reopened now.

As far as umask is concerned, here is what happens on my box (it's set up that way.)

As uid=1000, umask = 077 (I corrected that in one of the posts above.)
This creates dirs with 700 perm and passes that on when using sudo mkdir (i.e. also creates with 700 perm for uid=0.)

If I login as root with its own shell su -, then as uid=0, umask = 0022 perm and dirs are created 755.

If i login to root like this su then umask goes to 0077 which creates dirs with 700 perm for uid=0.

[fosskers]

Alright, I pushed up a new commit. Could you test it after deleting your vcs/ dir once? Once we've proven that that works, I'll move onto the "migration" strategy, because you're right, I can't realistically ask normal users to go in and delete that themselves.

[stef204]

Just tested it and it works.

[fosskers]

Thanks for testing!

I had been using createDirectoryIfMissing, a Haskell function from a library. Now I'm directly doing a shell call of mkdir -p -m755 <dir>.

[stef204]

What about if dir is missing create it with 755 perm (the current fix); if dir is present, chmod 755 vcs?
Wouldn't that take care of this issue? Not sure how elegant this is; but might be enough to resolve situations where dir has been created with prior install of aura but has 700 or some other perm?

[fosskers]

Yes exactly.

[fosskers]

Alright, that should do it!