Unable to use scripts without interpreter if /tmp is mounted as noexec
Closed this issue · 3 comments
Describe the bug
When following the steps at https://www.chezmoi.io/user-guide/use-scripts-to-perform-actions/#install-packages-with-scripts
Running chezmoi apply fails with the following error:
chezmoi: fork/exec /tmp/2541171496.install-packages.sh: permission deniedTo reproduce
- Create a
run_once_script.sh.tmpland put any sh script in it - Run
chezmoi apply
Expected behavior
The templated script should successfully execute.
Output of command with the --verbose flag
I ran this with the --debug flag as well, which gives more detail.
diff --git a/install-packages.sh b/install-packages.sh
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..fe57ccb4ed9d62f0faf282a13c4328081937a508 100755
--- a/install-packages.sh
+++ b/install-packages.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+echo hello
2022-01-26T23:58:49-08:00 ERR Run error="fork/exec /tmp/3858186881.install-packages.sh: permission denied" args=["/tmp/3858186881.install-packages.sh"] dir=/home/gene duration="185µs" path=/tmp/3858186881.install-packages.sh
2022-01-26T23:58:49-08:00 ERR RunScript error="fork/exec /tmp/3858186881.install-packages.sh: permission denied" component=system data="#!/bin/sh\necho hello\n" dir=/home/gene interpreter={} scriptname=install-packages.sh
chezmoi: fork/exec /tmp/3858186881.install-packages.sh: permission deniedOutput of chezmoi doctor
RESULT CHECK MESSAGE
ok version v2.10.1, commit 6ed080bba2bd3f439832c2bd4b14ed2812c8ee9b, built at 2022-01-23T19:18:07Z, built by goreleaser
ok os-arch linux/amd64 (Ubuntu 21.04 (Hirsute Hippo))
ok go-version go1.17.6 (gc)
ok executable ~/bin/chezmoi
ok upgrade-method replace-executable
ok config-file ~/.config/chezmoi/chezmoi.toml
ok source-dir ~/.local/share/chezmoi is a directory
ok suspicious-entries no suspicious entries
ok working-tree ~/.local/share/chezmoi is a directory
ok dest-dir ~ is a directory
ok shell found /usr/bin/fish
ok edit-command found ~/bin/subl
ok umask 022
ok git-command found /usr/bin/git, version 2.30.2
warning merge-command vimdiff not found in $PATH
ok age-command found /usr/local/bin/age, version 1.0.0-rc.1
ok gpg-command found /usr/bin/gpg, version 2.2.20
info pinentry-command not set
info 1password-command op not found in $PATH
info bitwarden-command bw not found in $PATH
info gopass-command gopass not found in $PATH
info keepassxc-command keepassxc-cli not found in $PATH
info keepassxc-db not set
info lastpass-command lpass not found in $PATH
info pass-command pass not found in $PATH
ok vault-command found /usr/bin/vault, version 1.9.2
info secret-command not setAdditional context
I was able to work around this issue by editing my .chezmoi.toml file to include sh as an interpreter:
[interpreters.sh]
command = "sh"I suspect that your system may not allow direct execution of scripts in the /tmp directory.
What's the output of the following commands?
$ mount | grep ^/tmp
$ echo "#\!/bin/sh\necho hello" > /tmp/script
$ chmod 700 /tmp/script
$ /tmp/scriptLooks like your suspicion is correct. /tmp allows files to have the executable attribute but cannot actually be run.
$ mount | grep ^/tmp
$ echo "#\!/bin/sh\necho hello" > /tmp/script
$ chmod 700 /tmp/script
$ /tmp/script
bash: /tmp/script: Permission denied
$ ls -al /tmp/script
-rwx--x--x 1 gene gene 22 Jan 28 01:03 /tmp/scriptgrep ^/tmp didn't seem to work, but here's the /tmp entry:
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,noatime,size=33554432k)Update:
Thanks for the hint.
I realized that I had set my own entry to resize the /tmp partition and made it noexec a while ago.
Here's my fstab entry:
tmpfs /tmp tmpfs defaults,nodev,nosuid,noatime,noexec,size=32G 0 0
After changing it to allow execution, I can confirm that chezmoi apply succeeds.
Awesome, thanks for the investigation.