hashicorp / vagrant

Vagrant is a tool for building and distributing development environments.
https://www.vagrantup.com

Should unset $TMPDIR environment variable for OS X provisioner #7140

Closed a-melnyk closed 8 years ago

a-melnyk commented 8 years ago

Vagrant version

Vagrant 1.8.1

Host operating system

OS X 10.11.3 (15D21)

Guest operating system

OS X 10.11.2 (15C50)

Vagrantfile

require 'socket'

new_hostname = "osx-vagrant.#{`hostname`.strip}"

Vagrant.configure(2) do |config|
  config.vm.box = 'osx'
  config.vm.box_url = 'file:///Volumes/Installs/system/osx/osx.json'

  config.vm.synced_folder '.', '/vagrant',
                          type: 'nfs',
                          mount_options: ['nolock,vers=3,udp,noatime']

  config.vm.network 'private_network', ip: '192.168.50.4'

  config.vm.provider 'virtualbox' do |vb|
    vb.gui = true
    vb.memory = '2048'
    vb.name = 'osx-dev'
    # Customize motherboard chipset
    vb.customize ['modifyvm', :id, '--chipset', 'ich9']
  end

  config.vm.provision 'shell', inline: <<-SHELL
    env | grep TMPDIR
    echo "homebrew_package 'wget' do
        homebrew_user 'brew_user'
        options '--build-from-source'
    end" > /tmp/pack.rb
    chef-apply /tmp/pack.rb
    SHELL
end

Debug output

https://gist.github.com/gips0n/00feb7057a659b855a72

Expected behavior

env | grep TMPDIR should be empty, and chef would successfully install the package

Actual behavior

The TMPDIR environment variable is set to a directory that is owned by the 'vagrant' user, so 'brew_user' doesn't have access to it. OS X DARWIN_USER_TEMP_DIR (which is set to TMPDIR) is designed to use separate randomly generated directories for each user, so when we're changing user (or elevating privileges) we should unset it or change it to the value returned by getconf DARWIN_USER_TEMP_DIR.

Steps to reproduce

  1. Run the shell provisioner and check the environment variable $TMPDIR (you can use the provision section described in this issue). If it points to a directory inside /var/folders/ that is owned by vagrant, it's a bug
  2. If we unset TMPDIR before running chef-client/chef-apply, everything will work as expected


sethvargo commented 8 years ago

Hi @gips0n

Thank you for opening an issue, and I am sorry this has caused you problems. A default, out of the box, OSX installation sets that environment variable, so I do not believe it's Vagrant's place to unset that variable. Instead, I would recommend explicitly calling unset TMPDIR in your script or using the privileged flag.

Please also note that you can use the chef-apply provisioner directly: https://www.vagrantup.com/docs/provisioning/chef_apply.html

a-melnyk commented 8 years ago

Hi @sethvargo

> A default, out of the box, OSX installation sets that environment variable, so I do not believe it's Vagrant's place to unset that variable.

OS X unsets this value when you execute sudo, su or any other command that can change privileges. You can check it using the echo $TMPDIR and sudo commands, for example:

mmbp:~ vagrant$ whoami
vagrant
mmbp:~ vagrant$ echo $TMPDIR
/var/folders/f4/xjctx1391rbdftkrjkbzjp7c0000gp/T/
# lets switch to another user using sudo
mmbp:~ vagrant$ sudo -u brew_user -s /bin/bash
bash-3.2$ whoami
brew_user
bash-3.2$ echo $TMPDIR

# using su
mmbp:~ vagrant$ su brew_user
Password:
bash-3.2$ echo $TMPDIR

# and now switch to root
mmbp:~ vagrant$ sudo -s
bash-3.2# whoami
root
bash-3.2# echo $TMPDIR

bash-3.2#

So, Vagrant should unset it too.

> Please also note that you can use the chef-apply provisioner directly: https://www.vagrantup.com/docs/provisioning/chef_apply.html

I tried, but Vagrant uses the same mechanism to elevate privileges for the shell and chef-apply provisioners, so the result is the same: https://gist.github.com/gips0n/a0f0823d4e6448cede85

Provisioning configuration:

  config.vm.provision "chef_apply" do |chef|
    chef.recipe = <<-RECIPE
        homebrew_package 'wget' do
            homebrew_user 'brew_user'
            options '--build-from-source'
        end
    RECIPE
  end
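
The workaround discussed in this thread (unset TMPDIR, or reset it to the value returned by getconf DARWIN_USER_TEMP_DIR, once the user has changed), written as a guard that a provisioning script could run before chef-apply. This is an added example, not code from the issue or from Vagrant; the function names tmpdir_usable and sanitize_tmpdir are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to keep a TMPDIR inherited from another user.
# Function names are hypothetical, not part of Vagrant or Chef.

# tmpdir_usable DIR
# True only if DIR is an existing directory that is owned by the
# effective user and that this user can write to and search.
tmpdir_usable() {
    [ -n "$1" ] && [ -d "$1" ] && [ -O "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# sanitize_tmpdir
# Keep TMPDIR when it belongs to the current user. Otherwise replace it
# with the per-user directory reported by getconf (OS X only), and if
# that is not available either, unset it so tools fall back to /tmp.
sanitize_tmpdir() {
    if tmpdir_usable "${TMPDIR:-}"; then
        return 0
    fi
    # DARWIN_USER_TEMP_DIR exists only on OS X; elsewhere getconf fails
    # and the candidate stays empty.
    candidate=$(getconf DARWIN_USER_TEMP_DIR 2>/dev/null) || candidate=
    if tmpdir_usable "$candidate"; then
        TMPDIR=$candidate
        export TMPDIR
    else
        unset TMPDIR
    fi
}

# Typical use at the top of an inline provisioning script, before any
# command that creates temporary files as the new user.
sanitize_tmpdir
echo "TMPDIR=${TMPDIR:-<unset>}"
```

Because the ownership test uses the effective user, the same call works whether the script runs as root, as vagrant, or as a service account such as brew_user.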