twpayne/chezmoi

Scripts not running when /tmp mounted with noexec flag

srcr opened this issue · 1 comment

srcr commented

Describe the bug

For security reasons it is a best practice to mount the /tmp directory with the noexec flag (preventing execution of files in the /tmp directory).
Unfortunately, this prevents chezmoi from running my post-install scripts.

chezmoi: fork/exec /tmp/1052260503.90-vim-setup.sh: permission denied

To reproduce

Run chezmoi apply or chezmoi update with a repository that has scripts, with /tmp mounted with the noexec flag.

Expected behavior

Configure an alternate location to execute the script from.

Output of chezmoi doctor

~ ❱ chezmoi doctor
RESULT    CHECK                MESSAGE
warning   version              v2.9.5, built at 2022-01-06T18:59:24Z
ok        os-arch              freebsd/amd64 (FreeBSD 13.0-RELEASE-p5)
ok        go-version           go1.17.6 (gc)
ok        executable           /usr/local/bin/chezmoi
ok        config-file          ~/.config/chezmoi/chezmoi.toml
ok        source-dir           ~/.local/share/chezmoi is a directory
ok        suspicious-entries   no suspicious entries
ok        working-tree         ~/.local/share/chezmoi is a directory
ok        dest-dir             ~ is a directory
ok        shell                found /usr/local/bin/fish
ok        edit-command         found /usr/local/bin/vim
ok        umask                022
ok        git-command          found /usr/local/bin/git, version 2.35.1
ok        merge-command        found /usr/local/bin/vimdiff
info      age-command          age not found in $PATH
ok        gpg-command          found /usr/local/bin/gpg, version 2.3.3
info      pinentry-command     not set
info      1password-command    op not found in $PATH
info      bitwarden-command    bw not found in $PATH
info      gopass-command       gopass not found in $PATH
info      keepassxc-command    keepassxc-cli not found in $PATH
info      keepassxc-db         not set
info      lastpass-command     lpass not found in $PATH
info      pass-command         pass not found in $PATH
info      vault-command        vault not found in $PATH
info      secret-command       not set

See also #1856.

If a script is a template or encrypted, then chezmoi needs to write the script's contents somewhere so it can be executed, and the temporary directory is the logical place to write such temporary files.

In the short term you can set the $TMPDIR environment variable to point to an alternative temporary directory on a filesystem mounted with the exec option, e.g.

$ mkdir $HOME/tmp
$ TMPDIR=$HOME/tmp chezmoi apply

In the medium term I'll add a tempDir configuration option to chezmoi so you can set this permanently in your config file.
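One way to check up front whether a temporary directory actually permits execution, and to pick a TMPDIR for chezmoi that does, as an added POSIX shell example (not chezmoi's own code and not part of this issue; the helper names `can_exec_in` and `pick_exec_tmpdir` and the candidate directory order are assumptions):

```shell
#!/bin/sh
# Added example, not chezmoi's own code. The probe approach is portable:
# instead of parsing the mount table (which differs between Linux and
# FreeBSD), write a tiny script into the directory and try to run it.

# can_exec_in DIR: return 0 if a script written to DIR can be executed,
# 1 otherwise (DIR missing, not writable, or on a noexec mount).
can_exec_in() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ] || return 1
    probe=$(mktemp "$dir/exec-probe.XXXXXX") || return 1
    printf '#!/bin/sh\nexit 0\n' > "$probe" || { rm -f "$probe"; return 1; }
    chmod 700 "$probe"
    if "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    rm -f "$probe"          # fork/exec failed: permission denied on noexec
    return 1
}

# pick_exec_tmpdir: print the first existing candidate directory that
# allows execution. Order (assumed): current $TMPDIR, /tmp, /var/tmp,
# then $HOME/tmp, which the user creates as in the workaround above.
pick_exec_tmpdir() {
    for candidate in "${TMPDIR:-}" /tmp /var/tmp "$HOME/tmp"; do
        [ -n "$candidate" ] || continue
        if can_exec_in "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Usage, matching the workaround in the comment above:
#   mkdir -p "$HOME/tmp"
#   TMPDIR=$(pick_exec_tmpdir) chezmoi apply
```

Running `pick_exec_tmpdir` before `chezmoi apply` turns the late "fork/exec ... permission denied" failure into an explicit choice of directory; if it prints nothing and returns non-zero, no candidate allows execution and you need to create one on a filesystem mounted with exec.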