Sage refuses to run despite safe directory #13631

Closed
vbraun opened this issue Oct 20, 2012 · 16 comments

@vbraun
Member

vbraun commented Oct 20, 2012

Something is wrong with the patch at #13579. This breaks the patchbot on Fedora:

(sage-sh) patchbot@volker-desktop:sage$ python -Werror -c ''
RuntimeWarning: not adding directory '' to sys.path since it's writable by an untrusted group.
Untrusted users could put files in this directory which might then be imported by your Python code. As a general precaution from similar exploits, you should not execute Python code from this directory
(sage-sh) patchbot@volker-desktop:sage$ ls -ald .
drwxrwxr-x. 7 patchbot patchbot 4096 Oct 20 11:24 .
(sage-sh) patchbot@volker-desktop:sage$ umask
0002
(sage-sh) patchbot@volker-desktop:sage$ groups
patchbot
(sage-sh) patchbot@volker-desktop:sage$ id
uid=1001(patchbot) gid=1001(patchbot) groups=1001(patchbot) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Updated spkg: http://boxen.math.washington.edu/home/jdemeyer/spkg/python-2.7.3.p2.spkg (diff: attachment: python-2.7.3.p2.diff)

Apply attachment: 13631_untar.patch to the Sage root repository.

CC: @jdemeyer

Component: doctest coverage

Author: Jeroen Demeyer

Reviewer: Volker Braun

Merged: sage-5.4.rc3

Issue created by migration from https://trac.sagemath.org/ticket/13631

@vbraun vbraun added this to the sage-5.4 milestone Oct 20, 2012
@hughrthomas

comment:1

I get the following warning when I install the patchbot (sage -i patchbot). This is on Ubuntu 11.10.

>>> Checking online list of optional packages.
sys:1: RuntimeWarning: not adding directory '' to sys.path since it's writable by an untrusted group.
Untrusted users could put files in this directory which might then be imported by your Python code. As a general precaution from similar exploits, you should not execute Python code from this directory
[.]
>>> Found patchbot-1.1.
>>> Downloading patchbot-1.1.spkg.
sys:1: RuntimeWarning: not adding directory '' to sys.path since it's writable by an untrusted group.
Untrusted users could put files in this directory which might then be imported by your Python code. As a general precaution from similar exploits, you should not execute Python code from this directory
[......]
patchbot-1.1

However, the install appears to go okay.

When I try to run the patchbot, though, it complains (after the building process goes fine, apparently):

========== end plugins.docbuild ==========
$SAGE_ROOT/sage -tp 3 -sagenb $SAGE_ROOT/devel/sage-0/doc/common $SAGE_ROOT/devel/sage-0/doc/en $SAGE_ROOT/devel/sage-0/doc/fr $SAGE_ROOT/devel/sage-0/sage
Global iterations: 1
File iterations: 1
Traceback (most recent call last):
  File "/home/hugh/sage-5.4.rc2/local/bin/sage-ptest", line 80, in <module>
    .format(os.getcwd()))
RuntimeError: refusing to run doctests from the current directory '/home/hugh/sage-5.4.rc2/devel/sage-0' since untrusted users could put files in this directory, making it unsafe to run Sage code from
Traceback (most recent call last):
  File "/home/hugh/sage-5.4.rc2/local/bin/patchbot/patchbot.py", line 416, in test_a_ticket
    do_or_die("$SAGE_ROOT/sage %s %s" % (test_cmd, ' '.join(test_dirs)))
  File "/home/hugh/sage-5.4.rc2/local/bin/patchbot/util.py", line 62, in do_or_die
    raise Exception, "%s %s" % (res, cmd)
Exception: 256 $SAGE_ROOT/sage -tp 3 -sagenb $SAGE_ROOT/devel/sage-0/doc/common $SAGE_ROOT/devel/sage-0/doc/en $SAGE_ROOT/devel/sage-0/doc/fr $SAGE_ROOT/devel/sage-0/sage
2012-10-20 23:08:09 -0700
1439 seconds
Traceback (most recent call last):
  File "/home/hugh/sage-5.4.rc2/local/bin/patchbot/patchbot.py", line 416, in test_a_ticket
    do_or_die("$SAGE_ROOT/sage %s %s" % (test_cmd, ' '.join(test_dirs)))
  File "/home/hugh/sage-5.4.rc2/local/bin/patchbot/util.py", line 62, in do_or_die
    raise Exception, "%s %s" % (res, cmd)
Exception: 256 $SAGE_ROOT/sage -tp 3 -sagenb $SAGE_ROOT/devel/sage-0/doc/common $SAGE_ROOT/devel/sage-0/doc/en $SAGE_ROOT/devel/sage-0/doc/fr $SAGE_ROOT/devel/sage-0/sage
Reporting 0 TestsFailed
0 TestsFailed
ok
Done reporting 0



Failing tests in your install: TestsFailed. Continue anyways? [y/N] 

@jdemeyer
Contributor

comment:2

Hugh, could you provide the same information as Volker (umask, group ids, permissions of the relevant directory)?

Also, Volker and Hugh: which version of Sage are you talking about? In particular, is #13459 applied?

@jdemeyer
Contributor

comment:3

Looks like we should check the umask for python -c

@hughrthomas

comment:5

I was running 5.4.rc2.

I'm not sure which directory is relevant. The directory which it refused to run doctests in was one that had just been created by the patchbot, /home/hugh/sage-5.4.rc2/devel/sage-0. In that directory, I get the following:

hugh@hugh-laptop:~/sage-5.4.rc2/devel$ cd sage-0/
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-0$ ls -ald .
drwxrwxr-x 7 hugh hugh 4096 2012-10-20 22:45 .
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-0$ umask
0002
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-0$ groups
hugh adm dialout cdrom plugdev lpadmin admin sambashare
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-0$ id
uid=1000(hugh) gid=1000(hugh) groups=1000(hugh),4(adm),20(dialout),24(cdrom),46(plugdev),105(lpadmin),119(admin),122(sambashare)

I don't know what the output from these commands means, so please let me know if you need more or different information.

@hughrthomas

comment:6

I can get the same error without the patchbot.

hugh@hugh-laptop:~$ cd sage-5.4.rc2/devel/sage-main/
hugh@hugh-laptop:~/sage-5.4.rc2/devel/sage-main$ ../../sage -t sage/combinat/tableau.py 
Traceback (most recent call last):
  File "/home/hugh/sage-5.4.rc2/local/bin/sage-test", line 53, in <module>
    .format(os.getcwd()))
RuntimeError: refusing to run doctests from the current directory '/home/hugh/sage-5.4.rc2/devel/sage-main' since untrusted users could put files in this directory, making it unsafe to run Sage code from

I get the same output from the above commands (ls, etc.) in sage-main as in sage-0.

It works fine if I run sage -t from ~/sage-5.4.rc2. There, I get:

hugh@hugh-laptop:~/sage-5.4.rc2$ ls -ald .
drwxr-xr-x 9 hugh hugh 4096 2012-10-20 22:44 .

I get the same error as above if I run sage -t from ~/sage-5.4.rc2/devel, where the output from ls -ald ., etc., looks very similar to sage-5.4.rc2/devel/sage-main.

@vbraun
Member Author

vbraun commented Oct 21, 2012

comment:7

I'm talking about Sage-5.4.rc2 (which is the first one with your Python patch). The problem is the

if ((arg_stat.st_mode & 0022) == 0 && (program_stat.st_mode & 0022) == 0)

check, that's too restrictive. If you have your own group then it's perfectly safe for the directory to be group-writable, and indeed Fedora sets you up with umask 0002 in that case.
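
The distinction drawn in this thread, as an added example that is not part of the original discussion and is not the fix merged for this ticket: the quoted `0022` test next to a policy that accepts a group-writable directory only when its group is private to the user. The owner check, the trust placed in root, and all function names are assumptions of this example.

```python
import grp
import os
import pwd
import stat

def group_uids(gid):
    """Uids in group gid: primary members (passwd) plus listed members (group)."""
    uids = {p.pw_uid for p in pwd.getpwall() if p.pw_gid == gid}
    try:
        names = grp.getgrgid(gid).gr_mem
    except KeyError:
        names = []                      # gid without a group entry
    for name in names:
        try:
            uids.add(pwd.getpwnam(name).pw_uid)
        except KeyError:
            pass                        # stale member name
    return uids

def strict_ok(mode):
    """The quoted check: any group or world write bit is untrusted."""
    return (mode & 0o022) == 0

def upg_ok(mode, owner_uid, dir_gid, my_uid, members=group_uids):
    """Assumed relaxed policy: group write is fine only for a private group."""
    if mode & stat.S_IWOTH:
        return False                    # world-writable: never trusted
    if owner_uid not in (my_uid, 0):
        return False                    # owner could replace files at will
    if not mode & stat.S_IWGRP:
        return True
    return members(dir_gid) <= {my_uid, 0}

def check_dir(path, members=group_uids):
    """Return (strict verdict, private-group-aware verdict) for a real path."""
    st = os.stat(path)
    return (strict_ok(st.st_mode),
            upg_ok(st.st_mode, st.st_uid, st.st_gid, os.getuid(), members))

if __name__ == "__main__":
    # Constructed from the listings in the thread: drwxrwxr-x, uid=gid=1001.
    private = lambda gid: {1001}
    shared = lambda gid: {1001, 1002}   # hypothetical second group member
    print(strict_ok(0o40775))
    print(upg_ok(0o40775, 1001, 1001, 1001, private))
    print(upg_ok(0o40775, 1001, 1001, 1001, shared))
```

The `members` parameter exists so the group lookup can be replaced with fixed data; on a real system the default reads the passwd and group databases.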

@jdemeyer
Contributor

Author: Jeroen Demeyer

@jdemeyer
Contributor

Attachment: python-2.7.3.p2.diff.gz

Diff for the python spkg. For reference / review only.

@jdemeyer
Contributor

Attachment: 13631_untar.patch.gz

@vbraun
Member Author

vbraun commented Oct 30, 2012

comment:10

Looks good to me. Fixes the patchbot on Fedora 17, at least.

@vbraun
Member Author

vbraun commented Oct 30, 2012

Reviewer: Volker Braun

@hughrthomas

comment:11

Also fixed for me (Ubuntu 11.10). At any rate, the patchbot is willing to run doctests again.

The patchbot is now running the doctests. I will let you know if anything has broken.

@hughrthomas

comment:12

I detected no problems.

@jdemeyer
Contributor

Merged: sage-5.4.rc3
