permission denied for mpm if TMPDIR has noexec mount flag
Closed this issue · 3 comments
I noticed this while trying to install MATLAB in a more hardened Linux environment. Apparently it is a practice in Defense-In-Depth to disallow running executables from /tmp. And this is exactly what mpm does: it extracts itself to /tmp and then runs the extracted executable. Maybe you could provide an (optional) argument to specify where to extract the mpm package to, before running it?
While writing this issue, I actually noticed in the Release Notes that mpm respects the TMPDIR environment variable since 0.6.0, and that would be a workaround, but it is not actually documented. It is only casually mentioned as a change in the release notes without mentioning what TMPDIR is then actually used for. I would prefer not to change TMPDIR, but to simply specify where to extract the mpm package to for running it. But maybe this is just a personal preference.
I'm not sure what the best enhancement would be for mpm for this issue, maybe detecting the noexec and giving a clearer message what to do? Maybe documenting that TMPDIR is used for extracting and should not be noexec? Maybe adding an optional argument for extracting mpm instead of hiding the extraction and cleaning it up? I would vote for this last item, since that would also allow more interactive use of mpm (querying --help, installing multiple releases, etc.) to work without extracting and removing the extracted package for every invocation of mpm, thereby running much faster.
Here is the output on RHEL7.9 (Maipo) when /tmp is mounted with the noexec option:

```
[versionbayjc@localhost ~]$ wget https://www.mathworks.com/mpm/glnxa64/mpm
--2024-04-04 14:09:08-- https://www.mathworks.com/mpm/glnxa64/mpm
Resolving www.mathworks.com (www.mathworks.com)... 23.0.212.112
Connecting to www.mathworks.com (www.mathworks.com)|23.0.212.112|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://ssd.mathworks.com/supportfiles/downloads/mpm/2024.1.1/glnxa64/mpm [following]
--2024-04-04 14:09:08-- https://ssd.mathworks.com/supportfiles/downloads/mpm/2024.1.1/glnxa64/mpm
Resolving ssd.mathworks.com (ssd.mathworks.com)... 23.42.167.78
Connecting to ssd.mathworks.com (ssd.mathworks.com)|23.42.167.78|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 65112927 (62M) [text/plain]
Saving to: ‘mpm’
100%[======================================>] 65,112,927 51.2MB/s in 1.2s
2024-04-04 14:09:10 (51.2 MB/s) - ‘mpm’ saved [65112927/65112927]
[versionbayjc@localhost ~]$ chmod +x mpm
[versionbayjc@localhost ~]$ ./mpm install --release R2024a --products MATLAB
./mpm: line 17: /tmp/mathworks_10854/./bin/glnxa64/mpm: Permission denied
ERROR: ld.so: object '/tmp/mathworks_10854/bin/glnxa64/glibc-2.17_shim.so' from LD_PRELOAD cannot be preloaded: ignored.
```
@versionbayjc Thanks for this report - great detail and insight! Whilst I understand that you don't want to permanently change TMPDIR on the machine, could you do the following:

```
TMPDIR=/somewhere/you/can/write/and/execute ./mpm --release R2024a --products MATLAB
```
I demonstrated this to myself as follows in an Ubuntu container. I made /tmp writable ONLY by root. First show that mpm without any modification fails since /tmp is NOT writable:

```
jos@facb0b7cdbcf:~$ ./mpm -help
mkdir: cannot create directory '/tmp/mathworks_2782': Permission denied
./mpm: 7: cannot create /tmp/mathworks_2782/thezip.zip: Directory nonexistent
chmod: cannot access '/tmp/mathworks_2782/thezip.zip': No such file or directory
unzip: cannot find or open /tmp/mathworks_2782/thezip.zip, /tmp/mathworks_2782/thezip.zip.zip or /tmp/mathworks_2782/thezip.zip.ZIP.
./mpm: 17: /tmp/mathworks_2782/./bin/glnxa64/mpm: not found
```
Now do the same and define TMPDIR for the single mpm command:

```
jos@facb0b7cdbcf:~$ TMPDIR=/home/jos/tmp ./mpm -help
Usage:
mpm install --release=<release> --destination=<destination> [--doc] [--products] <product1> <product2>
mpm install-doc --matlabroot=<matlabroot> [--source]=<source> [--destination]=<destination>
SNIP
```
Now everything works as expected. This means we don't need to change the mpm command nor do we need to add a new command line flag - we just define that mpm accepts TMPDIR as needed.
@josmartin indeed, I believe just adding to the documentation of MPM.md should be sufficient to prevent the confusion I was having. Now I at first didn't even think of the option to mount with noexec, so maybe having some kind of FAQ section with the error message and then providing your example invocation would be good. On the other hand, this GitHub issue is now also "published", so that could also help others. 😇

BTW, I would expect not being able to write to /tmp to be even less common (and more easily diagnosed) than not being able to run an extracted file inside /tmp that is nicely removed after running mpm.
@versionbayjc , apologies for the delay. The acceptance of TMPDIR has now been documented in the new mpm install page in the MathWorks documentation, under "Resolve Common Installation Issues".