phive icon indicating copy to clipboard operation
phive copied to clipboard

Published 20 hours ago verified publisher icon phar-io

Usage on bitbucket pipelines not possible due to "chmod(): Operation not permitted"

Open JoshuaBehrens opened this issue 3 years ago • 3 comments

I have an issue using phive on bitbucket pipelines. On there chmod operation is forbidden. I already have the tools (target name is bin) directory for non-phive tools but the ensure method tries to ensure the access of the directory. It is 0777 and phive tries to force 0755.

[ERROR]   An error occurred while processing your request:
          Creating directory "./bin" failed.
          
          #0 vendor/phar-io/filesystem/src/Directory.php(79)
          #1 src/shared/config/PhiveXmlConfig.php(231): PharIo\FileSystem\Directory->ensureExists()
          #2 src/shared/config/PhiveXmlConfig.php(129): PharIo\Phive\PhiveXmlConfig->nodeToConfiguredPhar()
          #3 src/commands/install/InstallCommandConfig.php(94): PharIo\Phive\PhiveXmlConfig->getPhars()
          #4 src/commands/install/InstallCommandConfig.php(72): PharIo\Phive\InstallCommandConfig->getPharsFromPhiveXmlConfig()
          #5 src/commands/install/InstallCommand.php(45): PharIo\Phive\InstallCommandConfig->getRequestedPhars()
          #6 src/shared/cli/Runner.php(241): PharIo\Phive\InstallCommand->execute()
          #7 src/shared/cli/Runner.php(95): PharIo\Phive\Cli\Runner->execute()
          #8 (354): PharIo\Phive\Cli\Runner->run()
          #9 {main}
          Environment: PHP 7.4.32 (on Linux 5.15.0-1019-aws)
          Phive Version: 0.15.1

https://github.com/phar-io/filesystem/blob/master/src/Directory.php#L75-L77

To change phive I would need to either separate chmod from mkdir and this is not in phive itself, or I need to add a check before chmod whether operation will fail (and I am not sure yet how to check lsattr does not show immutable flag) to skip it if it will fail for permission reasons.

Any ideas how to approach this? I am keen to make pull requests for this but I am not sure what is a good way

JoshuaBehrens avatar Oct 09 '22 21:10 JoshuaBehrens

Still pondering about this. I'm not happy to "allow" 777, because that's quite a dangerous mode from a security perspective. Best would be 700 but that's of course a bit too strict for most use cases.

I'll think about it some more :)

theseer avatar Oct 14 '22 09:10 theseer

I guess we'll have to remove the enforcing from the library - which probably is a good idea either way ;) - and add an option to phive to allow insecure directory permissions.

theseer avatar Oct 14 '22 10:10 theseer

I can do that :) thank you for your thoughts

JoshuaBehrens avatar Oct 14 '22 16:10 JoshuaBehrens