pex: Problem running PEX files with restricted permissions
When running PEX files, PexInfo determines the install_cache path based on the pex_root path, which in turn can be set in the PEX-INFO file - but isn’t.
That means it defaults to ~/.pex for writing the install cache - which fails when that path isn’t writeable for the user. That can happen - is common practice, even - when securing a system against unwanted file system access. Writing to the home directory, for example, can modify environment variables in unwanted ways.
There’s a number of things that could be improved in the approach of defaulting to ~/.pex, but different requirements here would conflict with each other - so I’ll leave that discussion to other people. The main point, though, is that it would be very, very useful if one could set the pex_root value that goes into the PEX-INFO file, so that you can effectively choose other paths for the install_cache. If additionally, install_cache could be overridden as well, that’d be excellent.
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Comments: 20 (6 by maintainers)
Commits related to this issue
- Adding `--runtime-pex-root` option. (#780) Adding the option to set the PEX root in in built PEXes. The option already existed for use from the PexInfo API but was not exposed to the CLI. Work... — committed to pex-tool/pex by yelly 4 years ago
- TODO: 1. A good commit message is needed. 2. Tests. Fixes #746 Fixes #816 Fixes #926 — committed to jsirois/pex by jsirois 4 years ago
- Sanitize `PEX_ROOT` handling. In the past, portions of the pex cache could be controlled individually but this was no longer the case in practice nor was it desirable. Unify all cache handling under ... — committed to jsirois/pex by jsirois 4 years ago
- Sanitize PEX_ROOT handling. (#929) In the past, portions of the pex cache could be controlled individually but this was no longer the case in practice nor was it desirable. Unify all cache handling... — committed to pex-tool/pex by jsirois 4 years ago
@jfinkhaeuser thanks for working through the problem space with me. This definitely softened me to the idea. We now have
--runtime-pex-rootfor setting the PEX_ROOT to use in the PEX metadata from #780 and #929 adds fallback to a writeable temporary directory with a warning to stderr if it so happens the pex is deployed somewhere where its--runtime-pex-rootdoes not exist or cannot be written to. These features will ship with Pex 2.1.7 shortly.