NixOS / nixpkgs

Nix Packages collection & NixOS

re2c failing to compile citing "suspicious ownership or permission" #82357

Open rb2k opened 4 years ago

rb2k commented 4 years ago

Just ran into this and didn't see a duplicate. Thought I'd report it. Note: This is on macOS and the builder runs as 'root' (I know...).

Describe the bug

Trying to build re2c ends in a failure citing "suspicious ownership or permission"

To Reproduce

Steps to reproduce the behavior:

nix-env -i re2c --option substitute false

Expected behavior

A clear and concise description of what you expected to happen.

Screenshots

building '/nix/store/b3jl9j766yxagzfkzlqgh5g76zm986nn-source.drv'...

trying https://github.com/skvadrik/re2c/archive/1.2.1.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   120  100   120    0     0    120      0  0:00:01 --:--:--  0:00:01   281
100 5196k  100 5196k    0     0  5196k      0  0:00:01  0:00:01 --:--:-- 42.6M
unpacking source archive /private/tmp/nix-build-source.drv-0/1.2.1.tar.gz
suspicious ownership or permission on '/nix/store/30b0m0kz1kqffsb6qh9y3835q764nzzv-source'; rejecting this build output

Metadata

aanderse commented 4 years ago

ping @etu @Ma27 purely as an FYI because of the impact this could have on the php ecosystem on darwin.

rb2k commented 4 years ago

I'm still trying things out, but there might be some odd chance that this only happens if the user running the build is "root"

LnL7 commented 4 years ago

What's the output of this?

nix show-config | grep build-users-group

rb2k commented 4 years ago

It's a single user install, set up via

echo "build-users-group =" > /etc/nix/nix.conf

so:

# nix show-config | grep build-users-group
build-users-group = 
# 

Otherwise it errors out via error: "the group 'nixbld' specified in 'build-users-group' does not exist"

Oddly, everything else works

LnL7 commented 4 years ago

@grahamc @edolstra I really think this should be fixed.

flokli commented 4 years ago

I don't have the hardware around to test this, but this comes from https://github.com/NixOS/nix/blob/master/src/libstore/build.cc#L3612..L3618 - what does the tree at /nix/store/30b0m0kz1kqffsb6qh9y3835q764nzzv-source look like, and how does that align with the conditions checked there?

veprbl commented 4 years ago

nix-env -i re2c --option substitute false

For the record, I can't reproduce this with a single-user Nix 2.3.1 on macOS.

rb2k commented 4 years ago

> I don't have the hardware around to test this, but this comes from https://github.com/NixOS/nix/blob/master/src/libstore/build.cc#L3612..L3618 - how does the tree at /nix/store/30b0m0kz1kqffsb6qh9y3835q764nzzv-source look like, and how does that align with the conditions checked there?

Sorry for the delayed answer, busy day.

[root@machine ~]# ls -lash /nix/store/30b0m0kz1kqffsb6qh9y3835q764nzzv-source
total 360
 0 dr-xr-xr-x    43 root  wheel   1.3K Dec 31  1969 .
 0 drwxrwxr-t  5089 root  wheel   159K Mar 12 16:21 ..
 8 -r--r--r--     1 root  wheel   146B Dec 31  1969 .gitignore
 8 -r--r--r--     1 root  wheel   533B Dec 31  1969 .travis.yml
80 -r--r--r--     1 root  wheel    37K Dec 31  1969 CHANGELOG
 8 -r--r--r--     1 root  wheel   713B Dec 31  1969 LICENSE
24 -r--r--r--     1 root  wheel   9.5K Dec 31  1969 Makefile.am
16 -r--r--r--     1 root  wheel   4.4K Dec 31  1969 Makefile.lib.am
 8 -r--r--r--     1 root  wheel   141B Dec 31  1969 NO_WARRANTY
 8 -r--r--r--     1 root  wheel   2.0K Dec 31  1969 README.md
 8 -r-xr-xr-x     1 root  wheel   711B Dec 31  1969 __alltest.sh
 8 -r-xr-xr-x     1 root  wheel   160B Dec 31  1969 __build.sh
 8 -r-xr-xr-x     1 root  wheel   236B Dec 31  1969 __build_asan.sh
 8 -r-xr-xr-x     1 root  wheel   310B Dec 31  1969 __build_check_headers.sh
 8 -r-xr-xr-x     1 root  wheel   199B Dec 31  1969 __build_clang.sh
 8 -r-xr-xr-x     1 root  wheel   408B Dec 31  1969 __build_clang_msan.sh
 8 -r-xr-xr-x     1 root  wheel   234B Dec 31  1969 __build_glibcxx_debug.sh
 8 -r-xr-xr-x     1 root  wheel   285B Dec 31  1969 __build_iwyu.sh
 8 -r-xr-xr-x     1 root  wheel   230B Dec 31  1969 __build_lsan.sh
 8 -r-xr-xr-x     1 root  wheel   207B Dec 31  1969 __build_m32.sh
 8 -r-xr-xr-x     1 root  wheel   445B Dec 31  1969 __build_mingw.sh
 8 -r-xr-xr-x     1 root  wheel   651B Dec 31  1969 __build_mingw_slibtool.sh
 8 -r-xr-xr-x     1 root  wheel   147B Dec 31  1969 __build_nodebug.sh
 8 -r-xr-xr-x     1 root  wheel   287B Dec 31  1969 __build_redundant_exports.sh
 8 -r-xr-xr-x     1 root  wheel   241B Dec 31  1969 __build_ubsan.sh
 8 -r-xr-xr-x     1 root  wheel   573B Dec 31  1969 __distcheck.sh
 8 -r--r--r--     1 root  wheel   345B Dec 31  1969 add-release.txt
 8 -r-xr-xr-x     1 root  wheel    46B Dec 31  1969 autogen.sh
 0 dr-xr-xr-x     7 root  wheel   224B Dec 31  1969 benchmarks
 0 dr-xr-xr-x     5 root  wheel   160B Dec 31  1969 bootstrap
16 -r--r--r--     1 root  wheel   4.5K Dec 31  1969 configure.ac
 0 dr-xr-xr-x     7 root  wheel   224B Dec 31  1969 doc
 0 dr-xr-xr-x    36 root  wheel   1.1K Dec 31  1969 examples
 0 dr-xr-xr-x     5 root  wheel   160B Dec 31  1969 fuzz
 8 -r-xr-xr-x     1 root  wheel   299B Dec 31  1969 genhelp.sh
 0 dr-xr-xr-x     3 root  wheel    96B Dec 31  1969 include
 0 dr-xr-xr-x    22 root  wheel   704B Dec 31  1969 lib
 0 dr-xr-xr-x    12 root  wheel   384B Dec 31  1969 libre2c_old
 8 -r-xr-xr-x     1 root  wheel   1.0K Dec 31  1969 release.sh
16 -r--r--r--     1 root  wheel   7.1K Dec 31  1969 run_tests.sh.in
 8 -r--r--r--     1 root  wheel   156B Dec 31  1969 sf-cheatsheet
 0 dr-xr-xr-x    19 root  wheel   608B Dec 31  1969 src
 0 dr-xr-xr-x   481 root  wheel    15K Dec 31  1969 test

I couldn't reproduce it on my laptop (non-root user), just on a build machine I tested (user = 'root'). Not sure if I should close this or if there's some underlying issue with running as root and building from source (which is discouraged I guess)
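An added example, not part of the thread and not Nix's own code: a small diagnostic that evaluates the two conditions behind "suspicious ownership or permission" as they are understood here (the output is not a symlink and is group- or world-writable, or it is owned by a uid other than the build user). The function names and the build uid 30001 are hypothetical; the mode strings are taken from the listing above.

```python
import os
import stat

# Permission characters of `ls -l`, in order, mapped to mode bits.
_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
_TYPES = {"d": stat.S_IFDIR, "-": stat.S_IFREG, "l": stat.S_IFLNK}


def mode_from_ls(perm):
    """Turn an `ls -l` string such as 'dr-xr-xr-x' into a st_mode value."""
    mode = _TYPES[perm[0]]
    for ch, bit in zip(perm[1:10], _BITS):
        # '-' means unset; 'S'/'T' mean setid/sticky without the execute bit.
        if ch not in "-ST":
            mode |= bit
    return mode


def suspicious_reasons(mode, uid, build_uid=None):
    """Reasons the output would be rejected; an empty list means it passes.

    build_uid=None models a setup without build users (assumption: an empty
    build-users-group, as in this thread), where the owner test is skipped.
    """
    reasons = []
    if not stat.S_ISLNK(mode) and mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group- or world-writable")
    if build_uid is not None and uid != build_uid:
        reasons.append(f"owned by uid {uid}, expected build uid {build_uid}")
    return reasons


def check_path(path, build_uid=None):
    """Apply the same test to a real path, without following symlinks."""
    st = os.lstat(path)
    return suspicious_reasons(st.st_mode, st.st_uid, build_uid)


if __name__ == "__main__":
    # Mode strings copied from the listing above; uid 0 is root.
    for perm in ("dr-xr-xr-x", "drwxrwxr-t"):
        print(perm, suspicious_reasons(mode_from_ls(perm), 0) or "ok")
    # 30001 is a made-up build uid to show the owner test.
    print(suspicious_reasons(mode_from_ls("dr-xr-xr-x"), 0, build_uid=30001))
```

`check_path` can be pointed at a store path directly, passing the uid of the build user when one is configured.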

stale[bot] commented 4 years ago

Hello, I'm a bot and I thank you in the name of the community for opening this issue.

To help our human contributors focus on the most-relevant reports, I check up on old issues to see if they're still relevant. This issue has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.

The community would appreciate your effort in checking if the issue is still valid. If it isn't, please close it.

If the issue persists, and you'd like to remove the stale label, you simply need to leave a comment. Your comment can be as simple as "still important to me". If you'd like it to get more attention, you can ask for help by searching for maintainers and people that previously touched related code and @ mention them in a comment. You can use Git blame or GitHub's web interface on the relevant files to find them.

Lastly, you can always ask for help at our Discourse Forum or at #nixos' IRC channel.

dzmitry-lahoda commented 2 years ago

I get this. The issue is as follows.

  1. Take Microsoft github devcontainer as root
  2. Build layered image of it
  3. Derive new dockerfile and install nix into it.
  4. You can install neither root nor multi.
  5. Install under new user. It will tell you to chown nix under him. Do it.
  6. It will fail with the same error message.
  7. chmod /nix with
    # not switch to user
    RUN chown --recursive vscode:vscode /nix
    # without this line, if our docker has prebuild nix stuff, nix fails to install
    RUN chmod -R a+rwx /nix
  8. Docker built.
  9. nix build inside docker,
  10. get subject error message.

So it is very clear to me that the chmod and chown checks are inconsistent. Nor is it known what security level is expected.

UPDATE: tried variations of this https://chmodcommand.com/chmod-755/ - no way