You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It looks like Atuin gained a blanket security policy in #1554 which is a fine position to take from a security standpoint, but leads to surprising behavior when running a script via atuin scripts run <script>.
For example let's use the following script locally, and from within atuin to compare the results:
#!/usr/bin/env bashfatal() {
echo"$@"exit 1
}
tempdir=$(mktemp -d)
[[ -n$tempdir ]] || fatal 'failed to create tmp directory'pushd"$tempdir"|| fatal "failed to cd into $tempdir"
cat <<EOF > foo.sh#!/usr/bin/env bashecho hello!EOF
ls -l
pfexec chown root:root foo.sh || fatal 'failed to own foo.sh by root'
pfexec chmod +x foo.sh || fatal 'failed to chmod foo.sh'
ls -l
./foo.sh || fatal 'failed to run foo.sh'popd|| fatal 'failed to popd'
rm -rf "$tempdir"|| fatal 'failed to remove $tempdir'
Local execution from current shell:
❯ ./atuin-bug.sh
/faketmpfs/tmp.ucaqer ~/bin
total 1
-rw-r--r-- 1 link staff 32 Apr 29 18:39 foo.sh
total 1
-rwxr-xr-x 1 root root 32 Apr 29 18:39 foo.sh
hello!
~/bin
atuin scripts execution:
❯ atuin scripts run atuin-bug
/faketmpfs/tmp.U8aOjr ~/bin
total 1
-rw------- 1 link staff 32 Apr 29 18:40 foo.sh
total 1
-rwx------ 1 root root 32 Apr 29 18:40 foo.sh
/faketmpfs/.tmpTxwhih: line 22: ./foo.sh: Permission denied
failed to run foo.sh
Script exited with code 1
Because the umask is 077 and my shells current umask is 022 chmod is refusing to apply the +x permissions.
From the man page:
+
Add permissions.
If permissions are omitted, nothing is added.
If who is omitted, add the file mode bits
represented by permissions, except for the those
with corresponding bits in the file mode creation
mask.
If who is present, add the file mode bits
represented by the permissions.
There are a few paths forward that come to mind:
Document this behavior and let users deal with setting a umask in their script
Save the returned umask mode and pipe it through to the script execution env and apply it with Command::pre_exec before execution.
Drop the blanket security policy and add helper methods for file creation that explicitly set the permissions (potential for future PRs to bypass and use the wrong permissions)
The text was updated successfully, but these errors were encountered:
It looks like Atuin gained a blanket security policy in #1554 which is a fine position to take from a security standpoint, but leads to surprising behavior when running a script via
atuin scripts run <script>.For example let's use the following script locally, and from within atuin to compare the results:
Local execution from current shell:
atuin scripts execution:
Because the umask is 077 and my shells current umask is 022 chmod is refusing to apply the
+xpermissions.From the man page:
There are a few paths forward that come to mind:
Command::pre_execbefore execution.The text was updated successfully, but these errors were encountered: