Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 830298

Summary: net-libs/nodejs: Gentoo-specific patch prevents using NPM in custom ebuilds (sandbox violation)
Product: Gentoo Linux Reporter: Raphaël Barrois <gentoo>
Component: Current packagesAssignee: William Hubbs <williamh>
Status: UNCONFIRMED ---    
Severity: normal CC: jstein
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Updated gentoo-specific NPM global config patch

Description Raphaël Barrois 2021-12-30 15:18:22 UTC
For custom ebuilds, I need to run `npm` commands.
However, this step fails with a sandbox access violation:
 * ACCESS DENIED:  mkdir:        /etc/npm

This comes from the custom patch "nodejs-10.3.0-global-npm-config.patch", where NPM is modified to always create /etc/npm.

That folder is actually created by the ebuild ("dodir /etc/npm"); it shouldn't be required to try to create it each time "npm" runs.

I'm attaching a proposed alternate patch, which should fix the issue.

Reproducible: Always

Steps to Reproduce:
(As root)
1. rmdir /etc/npm
2. npm help
3. ls -d /etc/npm
Actual Results:  
The "/etc/npm" folder has been recreated

Expected Results:  
The "/etc/npm" doesn't exist
Comment 1 Raphaël Barrois 2021-12-30 15:23:21 UTC
Created attachment 760857 [details, diff]
Updated gentoo-specific NPM global config patch

Alternate version of the Gentoo-specific NPM global config patch: don't try to create /etc/npm, which has already been created by the ebuild.

This allows ebuilds to call NPM without triggering an access violation.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-30 15:24:16 UTC
(In reply to Raphaël Barrois from comment #0)
> For custom ebuilds, I need to run `npm` commands.
> However, this step fails with a sandbox access violation:
>  * ACCESS DENIED:  mkdir:        /etc/npm
> 
> This comes from the custom patch "nodejs-10.3.0-global-npm-config.patch",
> where NPM is modified to always create /etc/npm.

Here's the patch:

--- a/deps/npm/node_modules/@npmcli/config/lib/index.js
+++ b/deps/npm/node_modules/@npmcli/config/lib/index.js
@@ -275,8 +275,9 @@
     // default the globalconfig file to that location, instead of the default
     // global prefix.  It's weird that `npm get globalconfig --prefix=/foo`
     // returns `/foo/etc/npmrc`, but better to not change it at this point.
+    // gentoo deviates wrt global config; store in /etc/npm
     settableGetter(data, 'globalconfig', () =>
-      resolve(this[_get]('prefix'), 'etc/npmrc'))
+      resolve('/etc', 'npmrc'))
   }

   loadHome () {

That's not /etc/npm, but /etc/npmrc?

> That folder is actually created by the ebuild ("dodir /etc/npm"); it
> shouldn't be required to try to create it each time "npm" runs.
> 
> I'm attaching a proposed alternate patch, which should fix the issue.
> 
> Reproducible: Always
> 
> Steps to Reproduce:
> (As root)
> 1. rmdir /etc/npm
> 2. npm help
> 3. ls -d /etc/npm
> Actual Results:  
> The "/etc/npm" folder has been recreated
> 
> Expected Results:  
> The "/etc/npm" doesn't exist

I'm not sure how nodejs is the problem here. Your ebuilds seem to be calling mkdir on /etc/npm.
Comment 3 Raphaël Barrois 2021-12-30 15:38:42 UTC
(In reply to John Helmert III from comment #2)
> (In reply to Raphaël Barrois from comment #0)
> > For custom ebuilds, I need to run `npm` commands.
> > However, this step fails with a sandbox access violation:
> >  * ACCESS DENIED:  mkdir:        /etc/npm
> > 
> > This comes from the custom patch "nodejs-10.3.0-global-npm-config.patch",
> > where NPM is modified to always create /etc/npm.
> 
> Here's the patch:
> 
> --- a/deps/npm/node_modules/@npmcli/config/lib/index.js
> +++ b/deps/npm/node_modules/@npmcli/config/lib/index.js
> @@ -275,8 +275,9 @@
>      // default the globalconfig file to that location, instead of the
> default
>      // global prefix.  It's weird that `npm get globalconfig --prefix=/foo`
>      // returns `/foo/etc/npmrc`, but better to not change it at this point.
> +    // gentoo deviates wrt global config; store in /etc/npm
>      settableGetter(data, 'globalconfig', () =>
> -      resolve(this[_get]('prefix'), 'etc/npmrc'))
> +      resolve('/etc', 'npmrc'))
>    }
> 
>    loadHome () {
> 
> That's not /etc/npm, but /etc/npmrc?
> 
> > That folder is actually created by the ebuild ("dodir /etc/npm"); it
> > shouldn't be required to try to create it each time "npm" runs.
> > 
> > I'm attaching a proposed alternate patch, which should fix the issue.
> > 
> > Reproducible: Always
> > 
> > Steps to Reproduce:
> > (As root)
> > 1. rmdir /etc/npm
> > 2. npm help
> > 3. ls -d /etc/npm
> > Actual Results:  
> > The "/etc/npm" folder has been recreated
> > 
> > Expected Results:  
> > The "/etc/npm" doesn't exist
> 
> I'm not sure how nodejs is the problem here. Your ebuilds seem to be calling
> mkdir on /etc/npm.

You're looking at the patch for nodejs>=15.2.0, used in nodejs-16.x ebuilds — all are masked.

The current patch has:

+    // gentoo deviates wrt global config; store in /etc/npm
+    var globalconfig = path.resolve('/etc', 'npm')
+    mkdirp(globalconfig, function () {
+      defaults.globalconfig = path.resolve(globalconfig, 'npmrc')
+      defaults.globalignorefile = path.resolve(globalconfig, 'npmignore')
+    })

Note the "mkdirp(globalconfig, ...)"