watchman: use default state directory (`TMPDIR`). #173850
Mild "request changes". (Feel free to dismiss if you feel strongly enough that my objections aren't significant enough.)
- I'd rather have multiple other users complain about this before we decide we're no longer erring on the side of caution re security hardening.
- IIRC the state directory also contains (a) logs, and (b) the configuration for watched directories. I'd rather not have these disappear on restart (especially (b)).
Withdrawing my objection, but would be good to know for certain about how this handles logs and configuration on restart.
We can also remove the `pour_bottle?` check with this (since we no longer hardcode `HOMEBREW_PREFIX`).
Doing this:
- avoids the need for `post_install`
- avoids permissions errors when running `watchman` as a user that didn't install it via Homebrew:

```
2024-06-03T13:36:47,061: [] the owner of /opt/homebrew/var/run/watchman/mike-state is uid 502 and doesn't match your euid 501
```
This will fail in any multi-user configuration and I know of several users already experiencing this.
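As @Bo98 said above: we're now deferring to the upstream defaults here which seems sufficiently secure/sensible. Looks from d4b49b9/#1836 which originally added the custom `statedir` that, at the time, it defaulted to a location inside the prefix rather than `TMPDIR`.

I've used `watchman` for a few years and have never personally needed to retain either of these items.

That said: any daemons that are running when you `brew reinstall watchman` or `brew upgrade watchman` will be unaffected without a close and restart.

@carlocab is this bottle caching related? if so: could you take a look?

Yep, it is. It's been on my to-do list.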
> As @Bo98 said above: we're now deferring to the upstream defaults here which seems sufficiently secure/sensible. Looks from d4b49b9/#1836 which originally added the custom `statedir` that, at the time, it defaulted to a location inside the prefix rather than `TMPDIR`.

This is not the upstream default. The upstream default is here:
The listed description even indicates that the directory must be persistent.

> I've used `watchman` for a few years and have never personally needed to retain either of these items.

I have also been using `watchman` for a few years, and I need the state directory to persist across restarts. `watchman` installs a plist into `~/Library/LaunchAgents` precisely so that it can continue watching directories (and behave as configured in response to certain events) after restart.
Blowing away the Watchman configuration upon restart makes the launch agent useless.

> That said: any daemons that are running when you `brew reinstall watchman` or `brew upgrade watchman` will be unaffected without a close and restart.

Not sure what you mean by this exactly. Could you elaborate?
I guess it depends on how you define "upstream default"; I was intending it as "upstream default if no value is set".
I would be fine with not installing it if that's the case.
Just that a change like this PR will not break
This allows for symlink attacks that make upstream dislike using `/tmp`. Also, while we're here, let's fix some indirect linkage. See also #173850.
Sadly #174554 was not sufficient to resolve the issues here. I've seen it personally and with several other users in person.
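
Added example (not code from Homebrew, Watchman, or any participant in this thread): a sketch of the kind of state-directory check behind the `uid ... doesn't match your euid` error quoted in the commit message, extended with symlink and write-permission checks relevant to the `/tmp` concern raised above. The function name `check_state_dir`, the extra checks, and the sample directories are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def check_state_dir(path, euid=None):
    """Return a list of reasons `path` is unsafe as a per-user state directory."""
    euid = os.geteuid() if euid is None else euid
    try:
        st = os.lstat(path)  # lstat inspects the entry itself, never a symlink target
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]  # someone else may control where the link points
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    problems = []
    if st.st_uid != euid:
        # Same condition as the error in the commit message (owner uid vs. euid).
        problems.append(f"owner uid {st.st_uid} does not match euid {euid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    return problems


def demo():
    """Run the check over constructed sample directories; return results by name."""
    with tempfile.TemporaryDirectory(prefix="statedir-demo-") as base:
        good = os.path.join(base, "mike-state")  # constructed sample name
        os.mkdir(good)
        os.chmod(good, 0o700)
        loose = os.path.join(base, "loose-state")
        os.mkdir(loose)
        os.chmod(loose, 0o777)  # chmod so the result does not depend on umask
        link = os.path.join(base, "link-state")
        os.symlink(good, link)
        return {
            "good": check_state_dir(good),
            "loose": check_state_dir(loose),
            "symlink": check_state_dir(link),
            # Simulate a second user by checking against a different euid.
            "other_user": check_state_dir(good, euid=os.geteuid() + 1),
            "missing": check_state_dir(os.path.join(base, "absent")),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'ok'}")
```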