Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Temporary extract directory permissions are too restrictive #286

Open
haboustak opened this issue Aug 3, 2024 · 4 comments
Open

Temporary extract directory permissions are too restrictive #286

haboustak opened this issue Aug 3, 2024 · 4 comments

Comments

@haboustak
Copy link

I am trying to use [email protected] with a [email protected] --onefile binary on Debian 12.5 and I'm receiving the following error:

$ sudo ./dist/script
Traceback (most recent call last):
  File "PyInstaller/loader/pyimod02_importers.py", line 187, in get_code
  File "PyInstaller/loader/pyimod01_archive.py", line 134, in extract
PermissionError: [Errno 13] Permission denied: '/tmp/staticx-FegNEo/script.onefile'

My script does a few unusual things that trigger this error.

  1. It must be run as root
  2. It switches the current user in order to access specific system resources (e.g. a database or a filesystem or a device)
  3. It lazily imports a Python module from the onefile package, such that the module is imported after the user switch.

The permissions on the temporary directory created by staticx are 700, but they should be 755.

$ ls -ald /tmp/staticx-FegNEo/
drwx------ 2 root root 4096 Aug  3 12:05 /tmp/staticx-FegNEo/

Minimal reproducing script is below.

import os
import sys

def main():
    if os.geteuid() != 0:
        print("ERROR: You must execute this script as root");
        sys.exit(1)

    # The uid/gid 1000 is the first non-system user on Debian 12
    # assumed to exist for this reproducer
    os.setgid(1000)
    os.setuid(1000)

    # lazy import after user switch triggers PermissionError
    import yaml
    print('ok')

if __name__ == '__main__':
    main()

I'm running staticx this way:

image: registry.gitlab.com/haboustak/glartifacts/build-env:1.3

aliases:
  onefile:
    script:
      - pyinstaller --onefile --distpath ./dist -n script.onefile ./script.py
      - staticx ./dist/script.onefile ./dist/script
@haboustak
Copy link
Author

As I tried to fix this, I found that [email protected] --onefile has the same underlying issue.

$ sudo ./dist/script.onefile 
Traceback (most recent call last):
  File "script.py", line 17, in <module>
    main()
  File "script.py", line 12, in main
    import yaml
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
...
PermissionError: [Errno 13] Permission denied: '/tmp/_MEI2AXyUm/base_library.zip'
[310666] Failed to execute script 'script' due to unhandled exception!

$ ls -ald /tmp/_MEIhNeHmN/
drwx------ 3 root root 4096 Aug  3 12:32 /tmp/_MEIhNeHmN/

@haboustak
Copy link
Author

As I tried to fix this, I found that [email protected] --onefile has the same underlying issue.

Upstream issue has been reported to PyInstaller. There's some discussion by the maintainer's on the best ways to fix it properly and safely (including how to avoid naming things too POSIX-ly, in consideration of Windows):

pyinstaller/pyinstaller#8711

@JonathonReinhart
Copy link
Owner

I will probably prefer to go with whatever solution PyInstaller lands on.

@kzmafia
Copy link

kzmafia commented Nov 1, 2024

So colo

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@haboustak @JonathonReinhart @kzmafia