runtime.a permission denied when building code


dlin

Feb 24, 2012, 7:40:23 PM
to golan...@googlegroups.com
$ pwd
/var/abs/local/gocode-git/src/src/gocode
$ GOPATH=$PWD/../.. go install
open /opt/go/pkg/linux_amd64/runtime.a: permission denied

I think this problem may let Go's system runtime be hacked by a general user.
I'm running an ArchLinux system and trying to make the gocode-git package, but it failed.
The go-hg package installed Go as (root owner, golang group), so the file permission is:

$ ls -l /opt/go/pkg/linux_amd64/runtime.a
-rw-rw-r-- 1 root golang 887736 Feb 25 07:52 /opt/go/pkg/linux_amd64/runtime.a

I don't think it is required to build another 'golang' group and let it be written by general users, so I tried 'strace'.

$ GOPATH=$PWD/../.. strace go install
....  # finally it shows an error message
futex(0x7f7b33469f48, FUTEX_WAIT, 0, {60, 0}open /opt/go/pkg/linux_amd64/runtime.a: permission denied
 <unfinished ... exit status 1>

If your system doesn't have this problem, could you tell me the owner and group ID of your installed runtime.a?

Kyle Lemons

Feb 24, 2012, 7:54:23 PM
to dlin, golan...@googlegroups.com
If you aren't in the golang group, you don't have write permission.  Have you tried joining the group?

dlin

Feb 24, 2012, 8:57:22 PM
to golan...@googlegroups.com, dlin
I am just trying NOT to join the golang group.
I know that if I join, the process will be successful.

But why can a general user get write permission to the library?
We have GOPATH.  That's enough.
If not, that will cause a security hole.

On Saturday, February 25, 2012 at 8:54:23 AM UTC+8, Kyle Lemons wrote:
> If you aren't in the golang group, you don't have write permission.  Have you tried joining the group?

Kyle Lemons

Feb 25, 2012, 1:39:08 AM
to dlin, golan...@googlegroups.com
If it's trying to open runtime.a writable, it sounds like it tried to rebuild runtime.a.  I dtraced both "go build" and "go install" and saw no instances of opening anything in GOROOT for writing.

dlin

Feb 25, 2012, 5:39:26 AM
to golan...@googlegroups.com, dlin
I think 'go install' lacks a function to install to $GOPATH if $GOROOT is not writable.
In my case, 'go build' works fine, because it only writes to the local directory.

On Saturday, February 25, 2012 at 2:39:08 PM UTC+8, Kyle Lemons wrote:
> If it's trying to open runtime.a writable, it sounds like it tried to rebuild runtime.a.  I dtraced both "go build" and "go install" and saw no instances of opening anything in GOROOT for writing.

Kyle Lemons

Feb 25, 2012, 1:43:18 PM
to dlin, golan...@googlegroups.com
> I think 'go install' lacks a function to install to $GOPATH if $GOROOT is not writable.
> In my case, 'go build' works fine, because it only writes to the local directory.

What does "go install -x" say?  I can't reproduce that behavior on my machine, but I may be missing something.

Daniel Lin

Feb 26, 2012, 1:23:05 AM
to Kyle Lemons, golan...@googlegroups.com
Kyle,
-x displays what commands are run.
I guess these steps could let you reproduce it:
1. chmod 444 runtime.a
2. download gocode from git
3. make it by 'go build'
4. install it by 'go install'  (it may fail)

Kyle Lemons

Feb 26, 2012, 1:49:14 AM
to Daniel Lin, golan...@googlegroups.com
Daniel,
   As I said, it works fine for me.  The -x should show you what it's installing, and if it tries to install runtime.a, that means it's out of date.

$ chmod 444 $GOROOT/pkg/darwin_amd64/runtime.a
$ cd $GOPATH/src/github.com/nsf/gocode
$ go install -x
WORK=/var/folders/j4/6pdb9s092qzg59177xvh5sh00000gn/T/go-build332334275
cd /Users/kyle/dev/local/src/github.com/nsf/gocode
$GOROOT/pkg/tool/darwin_amd64/6g -o $WORK/github.com/nsf/gocode/_obj/_go_.6 -p github.com/nsf/gocode -I $WORK ./apropos.go ./autocompletecontext.go ./autocompletefile.go ./config.go ./decl.go ./declcache.go ./gocode.go ./os_posix.go ./package.go ./ripper.go ./rpc.go ./scope.go ./server.go
$GOROOT/pkg/tool/darwin_amd64/pack grc $WORK/github.com/nsf/gocode.a $WORK/github.com/nsf/gocode/_obj/_go_.6
$GOROOT/pkg/tool/darwin_amd64/6l -o $WORK/github.com/nsf/gocode/_obj/a.out -L $WORK $WORK/github.com/nsf/gocode.a
mkdir -p /Users/kyle/dev/local/bin/
cp $WORK/github.com/nsf/gocode/_obj/a.out /Users/kyle/dev/local/bin/gocode

Peter Harris

Feb 26, 2012, 8:07:11 AM
to Kyle Lemons, Daniel Lin, golan...@googlegroups.com
On Sun, Feb 26, 2012 at 1:49 AM, Kyle Lemons wrote:
> Daniel,
>    As I said, it works fine for me.  The -x should show you what it's
> installing, and if it tries to install runtime.a, that means it's out of
> date.

I had the same problem on Windows:
https://code.google.com/p/go/issues/detail?id=1739#c5

At the time, there were no binary packages for other systems. Perhaps
the new Linux/Mac binary packages are broken the same way?

Peter Harris

dlin

Feb 26, 2012, 11:21:40 PM
to golan...@googlegroups.com
My system still has this problem even though I just pulled the newest source.
hg id 7dcd3e23ef74

go get -x github.com/ajstarks/svgo
...
mkdir -p $GOROOT/pkg/linux_amd64/
cp $WORK/runtime.a $GOROOT/pkg/linux_amd64/runtime.a
open /opt/go/pkg/linux_amd64/runtime.a: permission denied


Kyle Lemons

Feb 27, 2012, 1:27:05 AM
to dlin, golan...@googlegroups.com
My guess is that the timestamps on the archive files are the same as or older than the timestamp on the files.  I'm not sure how the archive was built, but it's possible that when it was extracted, the proper arguments weren't used.  You could try recursively touching all of the stdlib .a files (find $GOROOT/pkg -name "*.a" -exec touch {} \;) and see if that makes it happier.

dlin

Feb 27, 2012, 4:47:38 AM
to golan...@googlegroups.com, dlin
I've tried touching my /opt/go install directory; it can NOT solve the permission problem.

But I found it may be caused by CGO, e.g.:

go get -x github.com/ajstarks/svgo   # workable, it installs to GOPATH
go get -x github.com/mattn/go-sqlite3 # failed, it tries to install to GOROOT

Dave Cheney

Feb 27, 2012, 4:50:05 AM
to dlin, golan...@googlegroups.com
Is your user permitted to write to /opt/go ?

Were you previously using a packaged go installation from another vendor ?

dlin

Feb 27, 2012, 5:24:32 AM
to golan...@googlegroups.com, dlin
As said in a previous post:

/opt/go -> installed as root.root; I don't want a normal user to have permission to write. (GOROOT here)
$HOME/go -> for installing 3rd party packages. Assigned as GOPATH

On Monday, February 27, 2012 at 5:50:05 PM UTC+8, Dave Cheney wrote:
> Is your user permitted to write to /opt/go ?
>
> Were you previously using a packaged go installation from another vendor ?

Dave Cheney

Feb 27, 2012, 5:55:52 AM
to dlin, golan...@googlegroups.com
Ok, I think I understand now. I believe that if you unset GOROOT this
will work as you expected, go get will prefer GOPATH over GOROOT.

However, unless you built your go installation in /opt/go, you may
have other problems

I suggest this

export GOROOT=$HOME/go
export GOROOT_FINAL=/opt/go

build go as normal
cp $HOME/go to $GOROOT_FINAL

then unset both variables, ensure /opt/go/bin is in your path.

Also, check out the build scripts in misc/; adg has done some work
creating scripts to build for various distributions that should
automate this work.

Cheers

Dave

Kyle Lemons

Feb 27, 2012, 1:32:41 PM
to Dave Cheney, dlin, golan...@googlegroups.com
I think he's saying that he thinks the binary package is broken.  He doesn't want to build GO at all, he just wants to install it and have it magically work even as users who can't modify GOROOT (which is proscribed by the binary distro, I think).

minux

Feb 27, 2012, 1:35:49 PM
to Kyle Lemons, Dave Cheney, dlin, golan...@googlegroups.com


2012/2/28 Kyle Lemons <kev...@google.com>
> I think he's saying that he thinks the binary package is broken.  He doesn't want to build GO at all, he just wants to install it and have it magically work even as users who can't modify GOROOT (which is proscribed by the binary distro, I think).

I think we have to handle this case where $GOROOT is not writable by the current user, but some std package is modified.

dlin

Feb 28, 2012, 4:23:25 AM
to golan...@googlegroups.com
Posted a bug at http://code.google.com/p/go/issues/detail?id=3149


dlin

Mar 2, 2012, 3:24:16 AM
to golan...@googlegroups.com
I posted 

It was closed as fixed.

I tested with tip version 8592a2140513.
It failed.

Are there other people who have this problem? Please star the issue and comment on it.
 

dlin

Mar 5, 2012, 2:13:30 AM
to golan...@googlegroups.com
I wish this bug would be reopened; please help by voting for it or starring it.

I think it is important for the Go 1 release.

Two people (including me) have the permission problem.

Is there anybody who does not use ArchLinux but has this problem too?

Rémy Oudompheng

Mar 5, 2012, 2:28:52 AM
to dlin, golan...@googlegroups.com

That doesn't answer the question, but I use Archlinux, and I don't
have the problem. I can run ./all.bash, then set the whole Go tree to
read-only, then do other things.

Rémy.

Rémy Oudompheng

Mar 5, 2012, 2:35:38 AM
to dlin, golan...@googlegroups.com
On 5 March 2012 08:13, dlin <dli...@gmail.com> wrote:

Oh, I didn't see you were using Go packaged using your PKGBUILD. Yes
the Go tool may mishandle read-only trees. However, you should take
this into consideration when writing the packaging script and do the
appropriate "touch" so that mod times are correctly ordered after
packaging.

I also think the title of issue 3149 is incorrect and that the problem
is not with "outside current root" but with "read-only GOROOT".

Rémy.
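
The two conditions this thread keeps returning to, group-writable files in the Go tree and archives whose mod times are not ordered after the sources, can be checked by a packaging script before the package ships. This is an added example, not code from the thread or from the Go project; the function names are hypothetical, and the archive and source directories are passed as arguments because their layout is an assumption.

```shell
#!/bin/sh
# Added example: pre-release audit of a packaged Go tree.
# Usage: sh audit.sh <archive_dir> <source_dir>   (both paths are assumptions)

# List files/directories that group or others can write to, such as the
# thread's "-rw-rw-r-- root golang" runtime.a.
loose_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \)
}

# Print the most recently modified file under a directory.
newest_file() {
    find "$1" -type f | {
        newest=
        while IFS= read -r f; do
            if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then newest=$f; fi
        done
        printf '%s\n' "$newest"
    }
}

# List *.a archives whose mtime is the same as or older than the newest source
# file. Conservative: it compares against the whole source tree, so a package
# script that touches every archive after the sources passes cleanly.
stale_archives() {
    ref=$(newest_file "$2")
    [ -n "$ref" ] || return 0
    find "$1" -type f -name '*.a' ! -newer "$ref"
}

# Report both findings; exit status is non-zero when anything is flagged.
audit() {
    loose=$(loose_perms "$1")
    stale=$(stale_archives "$1" "$2")
    [ -z "$loose" ] || printf 'writable by group/other:\n%s\n' "$loose"
    [ -z "$stale" ] || printf 'not newer than sources:\n%s\n' "$stale"
    [ -z "$loose$stale" ]
}

if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

Run as the last packaging step, a non-zero exit means an unprivileged `go install` or `go get` may later attempt to write into the read-only tree.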

Daniel Lin

Mar 5, 2012, 3:23:06 AM
to golang-nuts
Do you mean that if I touch all the packaged files with the same timestamp, it will solve this problem?

Kyle Lemons

Mar 5, 2012, 2:56:14 PM
to Daniel Lin, golang-nuts
> Do you mean that if I touch all the packaged files with the same timestamp, it will solve this problem?

If you know the packages are up-to-date, you might get away with:

find $GOROOT/pkg/ -name "*.a" -exec touch {} \; 

However, the easiest way is probably to run "go install std" as a user who can modify the tree.

dlin

Mar 5, 2012, 9:55:36 PM
to golan...@googlegroups.com, Daniel Lin
I did touch the files several days ago; it failed.  I did more tests today.

Touching files does not work.  I use tip version 65f025a3d227.

1.  touch all files with same timestamp,  then try go get, successful once.
2.  touch all files with same timestamp just before every go get. failed.
3.  touch all files with same timestamp,  then try go get, failed again.

This is not a workable solution for me.

Kyle Lemons

Mar 6, 2012, 2:18:50 PM
to dlin, golan...@googlegroups.com
And my other suggestion?

dlin

Mar 6, 2012, 10:34:19 PM
to golan...@googlegroups.com, dlin
Thank you, Kyle.

I tested it and it works.

sudo go install std

I hope this is a temporary solution.