
Scripts not running when /tmp mounted with noexec flag #1929

Closed
srcr opened this issue Feb 28, 2022 · 1 comment · Fixed by #1931
srcr commented Feb 28, 2022

Describe the bug

For security reasons it is a best practice to mount the /tmp directory with the noexec flag (preventing execution of files in the /tmp directory).
Unfortunately this prevents chezmoi from running my post-install scripts.

chezmoi: fork/exec /tmp/1052260503.90-vim-setup.sh: permission denied

To reproduce

Run chezmoi apply or chezmoi update with a repository that has scripts and /tmp mounted with the noexec flag.

Expected behavior

Configure an alternate location to execute the script from.

Output of chezmoi doctor

~ ❱ chezmoi doctor
RESULT    CHECK                MESSAGE
warning   version              v2.9.5, built at 2022-01-06T18:59:24Z
ok        os-arch              freebsd/amd64 (FreeBSD 13.0-RELEASE-p5)
ok        go-version           go1.17.6 (gc)
ok        executable           /usr/local/bin/chezmoi
ok        config-file          ~/.config/chezmoi/chezmoi.toml
ok        source-dir           ~/.local/share/chezmoi is a directory
ok        suspicious-entries   no suspicious entries
ok        working-tree         ~/.local/share/chezmoi is a directory
ok        dest-dir             ~ is a directory
ok        shell                found /usr/local/bin/fish
ok        edit-command         found /usr/local/bin/vim
ok        umask                022
ok        git-command          found /usr/local/bin/git, version 2.35.1
ok        merge-command        found /usr/local/bin/vimdiff
info      age-command          age not found in $PATH
ok        gpg-command          found /usr/local/bin/gpg, version 2.3.3
info      pinentry-command     not set
info      1password-command    op not found in $PATH
info      bitwarden-command    bw not found in $PATH
info      gopass-command       gopass not found in $PATH
info      keepassxc-command    keepassxc-cli not found in $PATH
info      keepassxc-db         not set
info      lastpass-command     lpass not found in $PATH
info      pass-command         pass not found in $PATH
info      vault-command        vault not found in $PATH
info      secret-command       not set
twpayne (Owner) commented Feb 28, 2022

See also #1856.

If a script is a template or encrypted, then chezmoi needs to write the script's contents somewhere so it can be executed, and the temporary directory is the logical place to write such temporary files.

In the short term you can set the $TMPDIR environment variable to point to an alternative temporary directory on a filesystem mounted with the exec option, e.g.

$ mkdir $HOME/tmp
$ TMPDIR=$HOME/tmp chezmoi apply

In the medium term I'll add a tempDir configuration option to chezmoi so you can set this permanently in your config file.
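The workaround above depends on the alternative directory actually permitting execution, which is easy to get wrong on a hardened host where several filesystems carry noexec. The following POSIX sh script is an added example, not chezmoi's own code and not part of the original thread: it probes a candidate directory by writing a throwaway script there and trying to run it (the same fork/exec that fails in the bug report), then picks the first directory that works. The names dir_allows_exec and pick_tmpdir, the candidate order ($TMPDIR, then /tmp, then a private $HOME/tmp created with mode 700) and the execprobe file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not chezmoi's own code): find a temporary directory that is
# not mounted noexec so that chezmoi can fork/exec the scripts it writes there.

# dir_allows_exec DIR
# Returns 0 if a freshly written executable file in DIR can actually be run,
# 1 otherwise (directory missing, not writable, or mounted noexec).
# The probe file is always removed again, whether or not it ran.
dir_allows_exec() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ] || return 1
    # mktemp with an explicit template works on both GNU and BSD userlands.
    probe=$(mktemp "$dir/execprobe.XXXXXX") || return 1
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod 700 "$probe"
    # On a noexec mount this is exactly the "fork/exec ...: permission denied"
    # failure from the bug report; the exit status tells us whether it ran.
    if "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    rm -f "$probe"
    return 1
}

# pick_tmpdir
# Prints the first directory that allows execution, trying $TMPDIR (if set)
# and /tmp, and falling back to a private $HOME/tmp (mode 700, created on
# demand). Returns 1 if none of them can execute files.
pick_tmpdir() {
    for candidate in "${TMPDIR:-}" /tmp; do
        [ -n "$candidate" ] || continue
        if dir_allows_exec "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    fallback=$HOME/tmp
    mkdir -p "$fallback" && chmod 700 "$fallback" || return 1
    if dir_allows_exec "$fallback"; then
        printf '%s\n' "$fallback"
        return 0
    fi
    return 1
}

# Usage: export the chosen directory for chezmoi, e.g.
#   TMPDIR=$(pick_tmpdir) && export TMPDIR && chezmoi apply
```

Running the probe rather than parsing mount output avoids having to interpret platform-specific mount flags (the reporter is on FreeBSD). A per-user directory with mode 700 is also a better home for these scripts than a world-writable /tmp, since the script chezmoi writes is executed as the user moments later. Once the tempDir configuration option mentioned in the comment exists, the same directory can be set there instead of through the environment.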

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 9, 2022