Closed rdinoff closed 4 months ago
Thanks for the report! Summarizing to make sure my understanding is correct:
- /tmp mounted as noexec
- pip-audit in requirements mode (pip-audit -r ...)
- pip-audit failed because it couldn't run a python3 shim from within a venv that was created within /tmp
This is an eventuality we hadn't considered 🙂 -- did you manually configure your fstab on Ubuntu 22.04? As far as I know, this isn't the default.
(We'll need to think about how/if we want to handle this -- there are myriad ways for users to trip up userspace programs with filesystem options.)
Your understanding is correct. This happened on an Ubuntu VM image that was "improved" for security reasons.
Thanks for confirming! Out of curiosity: where did that VM image come from, if you can say?
(Also: could you check to see if /var/tmp allows +x? That may be a better choice for us here.)
I asked around about this, and TIL that noexec on /tmp is a somewhat common configuration recommendation, if not necessarily commonly deployed:
(many thanks to @jayofdoom for pointing this out!)
Given that, I think pip-audit can do a better job of surfacing the state here. My current idea: we'll try and detect if the default tmpdir is noexec and render an intelligible error, rather than failing well into the audit process.
Longer term, we could probably try a shortlist of temporary directories to find one that allows +x, and/or improve the documentation to make it clear that the user will have to pass a different tmpdir or reconfigure their tmpdir.
How does that sound @rdinoff?
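The detection the comment above sketches (probe whether the temp directory can execute a file, fall back through a shortlist, and print a clear hint instead of failing mid-audit), as an added example. This is not pip-audit's own code; the function names, the candidate list (TMPDIR, the tempfile default, /var/tmp) and the hint text are assumptions made for illustration, and the probe assumes a POSIX system where a shebang script can be executed directly.

```python
import os
import stat
import subprocess
import sys
import tempfile
from typing import Iterable, Optional


def dir_allows_exec(directory: str) -> bool:
    """Return True if a freshly created file in `directory` can be executed.

    The probe writes a one-line shell script, marks it u+rwx and runs it.
    On a noexec mount execve() fails with EACCES, which Python surfaces as
    PermissionError; an unwritable or missing directory is treated the same
    way, because neither is usable as a tmpdir for running a shim.
    Assumption: POSIX host with /bin/sh available.
    """
    if not os.path.isdir(directory) or not os.access(directory, os.W_OK):
        return False
    fd, path = tempfile.mkstemp(prefix="execprobe-", suffix=".sh", dir=directory)
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, stat.S_IRWXU)
        try:
            subprocess.run(
                [path],
                check=True,
                stdout=subprocess.DEVNULL,
                stderr=subprocess.DEVNULL,
            )
        except (OSError, subprocess.CalledProcessError):
            # OSError covers PermissionError (EACCES on noexec) and ENOEXEC.
            return False
        return True
    finally:
        os.unlink(path)


def default_candidates() -> list:
    """Shortlist of temp directories to try, in order (hypothetical policy)."""
    return [os.environ.get("TMPDIR"), tempfile.gettempdir(), "/var/tmp"]


def find_exec_tmpdir(candidates: Optional[Iterable[Optional[str]]] = None) -> Optional[str]:
    """Return the first candidate directory that allows execution, else None."""
    if candidates is None:
        candidates = default_candidates()
    seen = set()
    for directory in candidates:
        if not directory or directory in seen:
            continue
        seen.add(directory)
        if dir_allows_exec(directory):
            return directory
    return None


def noexec_hint(directory: str) -> str:
    """Hint shown instead of a traceback when no usable tmpdir is found."""
    return (
        f"Couldn't execute in a temporary directory under {directory}. "
        "This is sometimes caused by a noexec mount flag or other setting. "
        "Consider changing this setting or explicitly specifying a different "
        "temporary directory via the TMPDIR environment variable."
    )


def main() -> int:
    """Exit 0 with a usable tmpdir on stdout, or exit 1 with a hint on stderr."""
    chosen = find_exec_tmpdir()
    if chosen is None:
        print(noexec_hint(tempfile.gettempdir()), file=sys.stderr)
        return 1
    print(chosen)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a script on a host whose /tmp is noexec and whose /var/tmp is not, and it prints /var/tmp; a caller that wants the chosen directory honoured by Python's tempfile module can then set TMPDIR to that value before creating the venv.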
/var/tmp does allow +x (not mounted with noexec)
Forgot to mention: as a temporary workaround, TMPDIR=/var/tmp pip-audit -r requirements.txt should work, since Python's tempfile module will use that variable to determine the temporary directory prefix to use.
Since the error here isn't from our own code, I think we should just fail gracefully (rather than raise an exception) and hint that the user should set TMPDIR.
SGTM! That's what #737 will end up doing, once I write a (mocked) test.
We've included an improved error message for this in 2.7.1. Thank you again for reporting @rdinoff!
fix looks good ....

```
(venv) rdinoff:~/audit$ pip-audit -r requirements.txt
ERROR:pip_audit._cli:Couldn't execute in a temporary directory under /tmp. This is sometimes caused by a noexec mount flag or other setting. Consider changing this setting or explicitly specifying a different temporary directory via the TMPDIR environment variable.
(venv) rdinoff:~/audit$ echo $?
1
(venv) rdinoff:~/audit$ TMPDIR=/var/tmp pip-audit -r requirements.txt
No known vulnerabilities found
```
Bug description
if /tmp/ is mounted with noexec you get the following stack trace.

Expected behavior
need an option to put tmp files in a different location

Platform information
- pip-audit version (pip-audit -V): 2.7.0
- Python version (python -V or python3 -V): 3.9.8
- pip version (pip -V or pip3 -V): 24.0