-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot cd into directory when permissions are granted via ACLs instead of traditional unix permissions #9046
Comments
Thanks for including potential strategies to resolve that! Would you mind adding your current platform and the build info from the bug report template for future reference:
|
Yep, here it is:
|
I ran into this on NixOS. Version:
(er... the 1980 thing is because the nix build system resets the apparent system time for all build processes to ensure reproduciblity) Anyways, this makes Nushell practically unusable on ACL-heavy systems. :( I would be willing to write a patch if this will take a long time for others to get to, but I need to know what solution y'all would deem acceptable. Would trying to read the directory, catching the failure, and then printing the error be acceptable? |
due to this bug i have also found out that udisks2 or udiskie ( idk which one is the actual backend and handles mounting ) also uses acl based access to /run/media/* so you cannot cd into ur drives folder u can still cd to drive folder but that is annoying
|
This is certainly limiting Nushell on more complex systems. We plan on moving the core of our file-system related commands over to rely on the implementation from https://github.com/uutils/coreutils #11549. While |
The fix seems pretty simple. It's easier to ask forgiveness than permission. Actually try to |
The unix implementation of cd fails with a permission error when classical unix permissions deny access to a directory, but additional mechanisms like ACLs actually grant the user access Fix this by miroring the windows implementation: if we can read_dir() without error => allow the cd to proceed. Addtionally we also handle the case where it is the other way round: unix permissions grant access but additional security modules (SElinux, apparmor, etc.) deny the current user/context.
The unix implementation of cd fails with a permission error when classical unix permissions deny access to a directory, but additional mechanisms like ACLs actually grant the user access Fix this by miroring the windows implementation: if we can read_dir() without error => allow the cd to proceed. Addtionally we also handle the case where it is the other way round: unix permissions grant access but additional security modules (SElinux, apparmor, etc.) deny the current user/context.
As there seems some interest in this by other people I just gave fixing this a go, maybe it'll help someone, even if it gets replaced by something more elaborate in the future |
I have a couple of directories that are owned by other users, but where I have permissions via ACLs
Something like this:
cd /tmp/foo
results inCannot change directory to /tmp/foo: You are neither the owner, in the group, nor the super user and do not have permission
however
exec sh -c 'cd /tmp/foo; exec nu'
works fine and running ls in the resulting shell works just as wellI had a brief look at the code and it seems that on windows have_permission() tries to actually read_dir() the directory that we want to cd into, but only linux it tries to guess whether we have access from the metadata by looking at owner, group and the respective permission bits.
This can lead to false negatives (as in my case), and maybe false positives as well when things like selinux come into play (I haven't had much contact with that, but I vaguely recall something like that is possible)
As the current error messages are more helpful to inexperienced users, I think my preferred approach to improve this would be:
But I'd also be fine with something like
cd --force
or anything else that just lets me get on with it ;)The text was updated successfully, but these errors were encountered: