zdharma-continuum / zinit

🌻 Flexible and fast ZSH plugin manager
MIT License

[bug]: compinit security warning when installing completions from `gh-r` as root user #556

Closed. yyykt closed this 6 months ago

yyykt commented 11 months ago

### What happened?

When running zinit as root (e.g., in a container) and installing a completion from gh-r, I encountered a complaint from compinit saying: 'zsh compinit: insecure files, run compaudit for list.' This warning appears because the owner of the completion file is different from the current user (root). The root cause of this issue is the behavior of the tar command used to extract the archive from gh-r.

       --no-same-owner
              Extract files as yourself (default for ordinary users).
       --same-owner
              Try extracting files with the same ownership as exists in the archive (default for superuser).

To fix this, we can pass the --no-same-owner option explicitly to the tar command when extracting the archive.

### Steps to reproduce

Here is an example taken from the wiki. As root, install ripgrep as follows:

```zsh
zi for \
    from'gh-r' \
    sbin'**/rg -> rg' \
  BurntSushi/ripgrep
```

### Relevant output

After running the above installation, the compinit command shows the following message:

```text
zsh compinit: insecure files, run compaudit for list.
Ignore insecure files and continue [y] or abort compinit [n]?
```

Here's the output of compaudit:

```text
There are insecure files:
/root/.local/share/zinit/completions/_rg
```

Here we can observe that the owner/group of the file is different from the current user (root):

```text
> ls -l /root/.local/share/zinit/completions/_rg
lrwxrwxrwx 1 root root 107 Aug  5 13:54 /root/.local/share/zinit/completions/_rg -> /root/.local/share/zinit/plugins/BurntSushi---ripgrep/ripgrep-13.0.0-x86_64-unknown-linux-musl/complete/_rg

> ls -l /root/.local/share/zinit/plugins/BurntSushi---ripgrep/ripgrep-13.0.0-x86_64-unknown-linux-musl/complete/_rg
-rw-r--r-- 1 1001 116 29096 Jun 12  2021 /root/.local/share/zinit/plugins/BurntSushi---ripgrep/ripgrep-13.0.0-x86_64-unknown-linux-musl/complete/_rg
```

### Screenshots and recordings

_No response_

### Operating System & Version

OS: linux-gnu | Vendor: pc | Machine: x86_64 | CPU: x86_64 | Processor: unknown | Hardware: x86_64

### Zsh version

zsh 5.9 (x86_64-pc-linux-gnu)

### Terminal emulator

xterm

### If using WSL on Windows, which version of WSL

None

### Additional context

I encountered the issue when running in a container.

### Code of Conduct

- [X] I agree to follow this project's Code of Conduct
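The following is an added example, not code from zinit or from the issue author. It is a POSIX shell script that builds a constructed release-style tarball whose `_rg` member is stored as uid 1001 / gid 116 (the ownership seen in the ripgrep archive above), extracts it once with tar's defaults and once with the `--no-same-owner` flag the issue proposes, links the completion into a zinit-style `completions` directory and audits the symlink target with compaudit's rule restated for a single file (owned by root or the current user, and not group- or world-writable). It assumes GNU tar 1.30 or newer (numeric `--owner`/`--group`) and GNU coreutils `stat`; the archive layout, the `_rg` stub and the helper names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of zinit: reproduce the ownership mismatch from the
# issue with a constructed archive and audit the extracted completion the way
# compaudit does. Assumes GNU tar >= 1.30 (numeric --owner/--group) and GNU
# coreutils stat(1). The uid/gid 1001:116 and the _rg contents are constructed.
set -eu

# compaudit's rule restated for one file: "insecure" if the (dereferenced) file
# is owned by neither root nor the current user, or is group/world writable.
# Prints "secure" or "insecure" and returns 0 or 1 accordingly.
audit_completion() {
    file=$1
    uid=$(stat -L -c '%u' "$file")
    perms=$(stat -L -c '%A' "$file")      # e.g. -rw-r--r--
    me=$(id -u)
    if [ "$uid" != 0 ] && [ "$uid" != "$me" ]; then
        echo insecure; return 1
    fi
    case $perms in
        ?????w*|????????w*) echo insecure; return 1 ;;   # group or other write bit
    esac
    echo secure
}

# Build a release-style tarball whose member is stored with uid 1001 / gid 116,
# mirroring the ripgrep archive from the issue. The tree and _rg are constructed.
make_release_tarball() {
    archive=$1; src=$2
    mkdir -p "$src/ripgrep-13.0.0-x86_64-unknown-linux-musl/complete"
    printf '#compdef rg\n_arguments "--help[show help]"\n' \
        > "$src/ripgrep-13.0.0-x86_64-unknown-linux-musl/complete/_rg"
    chmod 644 "$src/ripgrep-13.0.0-x86_64-unknown-linux-musl/complete/_rg"
    tar -C "$src" --owner=1001 --group=116 --numeric-owner -cf "$archive" \
        ripgrep-13.0.0-x86_64-unknown-linux-musl
}

# Owner recorded in the archive for the completion member, printed as "uid/gid".
stored_owner() {
    tar --numeric-owner -tvf "$1" | awk '/_rg$/ { print $2 }'
}

# Extract the archive either with tar's defaults (the superuser keeps the
# archive's ownership) or with --no-same-owner (the fix proposed in the issue).
extract_release() {
    archive=$1; dest=$2; mode=$3
    mkdir -p "$dest"
    if [ "$mode" = no-same-owner ]; then
        tar -C "$dest" --no-same-owner -xf "$archive"
    else
        tar -C "$dest" -xf "$archive"
    fi
}

# End to end: build, extract with the given mode, symlink the completion into a
# zinit-style completions dir as in the report, audit the link. Prints the verdict.
run_demo() {
    mode=$1
    work=$(mktemp -d)
    make_release_tarball "$work/rg.tar" "$work/src"
    extract_release "$work/rg.tar" "$work/plugin" "$mode"
    mkdir -p "$work/completions"
    ln -s "$work/plugin/ripgrep-13.0.0-x86_64-unknown-linux-musl/complete/_rg" \
        "$work/completions/_rg"
    verdict=$(audit_completion "$work/completions/_rg") || true
    rm -rf "$work"
    echo "$verdict"
}

# Stand-alone run: show what the archive stores and how both extractions fare.
main() {
    tmp=$(mktemp -d)
    make_release_tarball "$tmp/rg.tar" "$tmp/src"
    echo "owner stored in archive: $(stored_owner "$tmp/rg.tar")"
    rm -rf "$tmp"
    for m in default no-same-owner; do
        echo "extract ($m) as uid $(id -u): $(run_demo "$m")"
    done
}
main
```

Run as an ordinary user, both verdicts are `secure`, because `--no-same-owner` is already tar's default for non-root. Run as root (for example in a container, as in the report), the default extraction leaves the completion owned by 1001:116 and the audit prints `insecure`, which is exactly the state that triggers the `compinit` prompt above, while the `--no-same-owner` extraction stays `secure`. The function only restates compaudit's per-file test; the real `compaudit` also inspects every directory in `$fpath`, so a mis-owned `completions` directory would be reported even if each file inside passed. For plugins already extracted the wrong way, `chown -R "$(id -u):$(id -g)"` over the affected plugin directory is the manual remedy.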

github-actions[bot] commented 5 months ago

:tada: This issue has been resolved in version 3.13.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: