Cannot execute protoc on /tmp with noexec #39
Comments
Very strange.. What platform does it show? (it prints this to console)
Okay, I found the root cause. I saw a permission denied message, but I thought it was misleading, because just before there are logs indicating that the tool tries to run an exe file on Linux. Now I can see that the platform doesn't matter; the protoc executable will be called exe. So I went back to this permission denied message. It turns out that my /tmp is mounted with noexec, which I don't intend to change for security and policy reasons. It also means that anyone else following the Securing Debian Manual might have the same issues. I might create a PR next week proposing a solution for this issue if you don't mind.
Yes, please do. There must be some alternative location to extract to and execute?
Next week, I will definitely find the time to do it. To give the context: For the moment my workaround is to clone, build and install protoc, then in the pom add this
I don't know, /tmp is for temp files and creation is via File.createTempFile(). But I'm open for suggestions..
For File.createTempFile() you can pass a third parameter which is the directory where the temp file will be created. What I thought about is that in case of a permission denied exception, I check if the platform is Linux, check if the mount has the option of noexec and if these conditions apply, I try to recover. I'm still hesitating a bit if this should be part of a normal flow or a recovery action called from a try-catch block. However, considering that this issue was not reported so far, it can be treated as exceptional. Plus apparently there is easy/cheap way to determine if the mount is mounted as noexec, so it might be preferable to do it only if it's really needed.
What could be a good alternative directory? We could add it by default and use it on exception, not even necessary to change config
I already made some experiments, maybe tomorrow I can commit it. What I used is to get the user.home from system properties and create a tmp folder there which I delete on exit. What do you think?
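The recovery discussed in the comments above (detect a noexec temp mount, fall back to a folder under user.home, delete it on exit), as an added example; it is not code from protoc-jar or from the participants. It assumes Linux with /proc/mounts, and the class name, method names and the `protocjar-` prefix are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.*;
import java.util.*;

public class ExecTempDir {
    /** Options of the mount that holds path; lines use the /proc/mounts layout. */
    static Set<String> mountOptions(Path path, List<String> mounts) {
        Path best = null;
        Set<String> opts = Collections.emptySet();
        for (String line : mounts) {
            String[] f = line.split(" ");   // device mountpoint fstype options dump pass
            if (f.length < 4) continue;
            Path mp = Paths.get(f[1].replace("\\040", " "));  // kernel escapes spaces as \040
            // Longest matching mount point wins; later lines shadow earlier ones.
            if (path.startsWith(mp) && (best == null || mp.getNameCount() >= best.getNameCount())) {
                best = mp;
                opts = new HashSet<>(Arrays.asList(f[3].split(",")));
            }
        }
        return opts;
    }

    /** The system temp dir, or a private dir under user.home when the temp dir is noexec. */
    static Path chooseExecDir(List<String> mounts) throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir")).toAbsolutePath();
        if (!mountOptions(tmp, mounts).contains("noexec")) return tmp;
        Path home = Paths.get(System.getProperty("user.home")).toAbsolutePath();
        if (mountOptions(home, mounts).contains("noexec"))
            throw new IOException("both " + tmp + " and " + home + " are mounted noexec");
        // On POSIX file systems the JDK creates this directory with owner-only permissions.
        Path dir = Files.createTempDirectory(home, "protocjar-");  // hypothetical prefix
        dir.toFile().deleteOnExit();  // registered first, so it is deleted after its contents
        return dir;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample, used only where /proc/mounts does not exist.
        List<String> mounts = Arrays.asList(
            "/dev/sda1 / ext4 rw,relatime 0 0",
            "tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0");
        Path proc = Paths.get("/proc/mounts");
        if (Files.isReadable(proc)) mounts = Files.readAllLines(proc);
        Path dir = chooseExecDir(mounts);
        // The third argument of createTempFile selects the directory, as noted in the thread.
        File exe = File.createTempFile("protoc", ".exe", dir.toFile());
        exe.deleteOnExit();
        System.out.println("would extract protoc to " + exe);
    }
}
```

Checking the mount options up front avoids parsing a "permission denied" message after the fact, at the cost of one read of /proc/mounts per run.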
Yes that should work. (Although I'm not clear how that's more secure than via /tmp)
I'm not an expert on Linux security, I don't see it either. But still, the Securing Debian Manual suggests people do so... Anyway, let's do it this way, I'll create the PR today.
Turns out temp dir location can be changed, system property
Or we add a plugin parameter
I see 3 options
We can add
I haven't worked with maven plugins, so maybe my preconception is wrong. In the maven plugin don't you use the code from os72/protoc-jar?
The plugin uses protoc-jar but extracts protoc only once, then executes it multiple times. So we need changes here as well. I see what you mean about option (1). Will go with option (2)
Okay, now I see why we have If we wanted to keep changes minimal we could reuse pretty much what we did. Extracting the few lines at https://github.com/os72/protoc-jar/blob/master/src/main/java/com/github/os72/protocjar/Protoc.java#L62 into a separate method (such as What do you think?
Yes we need a dummy execution like this one: https://github.com/os72/protoc-jar-maven-plugin/blob/master/src/main/java/com/github/os72/protocjar/maven/ProtocJarMojo.java#L303 Will you be able to build and test a SNAPSHOT?
Could you try 3.3.0.1-SNAPSHOT?
Yes, it's working fine! Thank you!
Released 3.3.0.1
Hi,
I'm using Ubuntu 16.04, in my project I include protoc-jar-maven-plugin 3.2.0.1.
The maven build fails, complaining that it cannot execute protoc.exe. It seems that protoc thinks it is on windows.
A workaround is that I add
/usr/local/bin/protoc
in my pom.xml.
Thanks for checking this.
Sandor