
sudo make install doesn't work with this script

Open shabiel opened this issue 2 years ago • 3 comments

We use your code in a downstream project at https://gitlab.com/YottaDB/DBMS/YDBOcto. It has served us well.

We had some problems, so I am looking at the upstream version in order to see if they are resolved there.

There is a problem with sudo make install.

I made a simple example for you: Add this line to the CMakeLists.txt in the better-example folder.

install(TARGETS demo DESTINATION /usr/local/bin)

Run cmake .. && make && sudo make install, and you will see this:

CMake Error at /home/sam/work/gitlab/cmake-git-version-tracking/git_watcher.cmake:139 (message):
  fatal: unsafe repository
  ('/home/sam/work/gitlab/cmake-git-version-tracking' is owned by someone
  else)

  To add an exception for this directory, call:

  

        git config --global --add safe.directory
  /home/sam/work/gitlab/cmake-git-version-tracking

   (/usr/bin/git status --porcelain -unormal)
Call Stack (most recent call first):
  /home/sam/work/gitlab/cmake-git-version-tracking/git_watcher.cmake:162 (RunGitCommand)
  /home/sam/work/gitlab/cmake-git-version-tracking/git_watcher.cmake:289 (GetGitState)
  /home/sam/work/gitlab/cmake-git-version-tracking/git_watcher.cmake:356 (CheckGit)
  /home/sam/work/gitlab/cmake-git-version-tracking/git_watcher.cmake:367 (Main)

This seems to be due to this change: https://github.blog/2022-04-12-git-security-vulnerability-announced/

I am trying to come up with a general purpose solution, but don't have any ideas right now.

shabiel, May 31 '22 16:05

I would like to mention that there may be a path forward by depending on the .git/index file for changes. If I can figure it out, I will send a PR.

shabiel, May 31 '22 17:05

Thanks for the issue - it's a tough one to navigate. The crux is that git needs to run to determine if anything has changed, but it won't run under the root user if they're not an owner. Here are the options that I've considered:

  • When running make install as root, catch the error and add safe.directory to the root user's git config. This is a poor option; a developer doesn't expect make install to be making persistent changes to root's git config.
  • When running make install as root, layer in a new temporary configuration file that adds safe.directory. Best as I can tell, there's no way to do this with git (e.g. GIT_CONFIG_PATH=X).

Neither of those options is palatable; the best option I can come up with is this:

  • When running make install as root, allow the revision checking to fail with a loud warning if it gets blocked by the safe.directory error message. Maybe with a toggle to enable/disable the behavior?

It's not a great solution because it weakens the guarantee that the embedded commit hash matches what was built. I'm open to other alternatives.

andrew-hardin, May 31 '22 22:05
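
A shell sketch of the last option in the comment above (warn instead of failing when git's ownership check blocks the status call, behind a toggle), added here as an example and not taken from cmake-git-version-tracking. The names `repo_state`, `is_ownership_refusal`, `GIT_BIN` and `ALLOW_UNSAFE_OWNERSHIP` are hypothetical; the match goes beyond the message quoted in the issue and also covers the "dubious ownership" wording that newer git releases print for the same refusal.

```shell
#!/bin/sh
# Added example; all names here are hypothetical, not the project's.
# GIT_BIN                 git executable to run (default: git)
# ALLOW_UNSAFE_OWNERSHIP  1 = warn and continue, anything else = fail (default)

# Succeeds when the given stderr text is git's repository-ownership refusal.
is_ownership_refusal() {
    case "$1" in
        *"unsafe repository"*|*"dubious ownership"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints clean, dirty or unknown for the repository at $1.
# Returns 0 when the state was read, 2 when the check was skipped because of
# the ownership refusal (toggle on), 1 on any other failure.
repo_state() {
    repo=$1
    err_file=$(mktemp) || return 1
    if out=$("${GIT_BIN:-git}" -C "$repo" status --porcelain -unormal 2>"$err_file"); then
        rm -f "$err_file"
        if [ -n "$out" ]; then echo dirty; else echo clean; fi
        return 0
    fi
    err=$(cat "$err_file")
    rm -f "$err_file"
    if is_ownership_refusal "$err" && [ "${ALLOW_UNSAFE_OWNERSHIP:-0}" = 1 ]; then
        echo "WARNING: git refused to read $repo as this user;" \
             "embedded version info may not match the build" >&2
        echo unknown
        return 2
    fi
    printf '%s\n' "$err" >&2
    return 1
}

# Usage: ALLOW_UNSAFE_OWNERSHIP=1 repo_state /path/to/repo
```

With the toggle off, the refusal stays a hard failure, so the guarantee that the embedded commit hash matches the build is only relaxed when explicitly requested.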

It already fails loudly.

After further reflection, this seems to be a bug with git. Not allowing a root user to do something with a git repository sounds wrong and un-Unixy.

shabiel, Jun 02 '22 11:06