Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bug]: compinit security warning when installing completions from gh-r as root user #556

Closed
yyykt opened this issue Aug 5, 2023 · 1 comment · Fixed by #557
Closed

[bug]: compinit security warning when installing completions from gh-r as root user #556

yyykt opened this issue Aug 5, 2023 · 1 comment · Fixed by #557
Assignees
@vladdoster
Labels
bug Something isn't working released

Comments

@yyykt
Copy link
Contributor

yyykt commented Aug 5, 2023

What happened?

When running zinit as root (e.g., in a container) and installing a completion from gh-r, I encountered a complaint from compinit saying: 'zsh compinit: insecure files, run compaudit for list.' This warning appears because the owner of the completion file is different from the current user (root). The root cause of this issue is the behavior of the tar command used to extract the archive from gh-r.

       --no-same-owner
              Extract files as yourself (default for ordinary users).
       --same-owner
              Try extracting files with the same ownership as exists in the archive (default for superuser).

To fix this, we can pass the --no-same-owner option explicitly to the tar command when extracting the archive.

Steps to reproduce

Here is an example taken from the wiki.
As root, install ripgrep as follows:

zi for \
    from'gh-r' \
    sbin'**/rg -> rg' \
  BurntSushi/ripgrep

Relevant output

After running the above installation, the compinit command shows the following message:


zsh compinit: insecure files, run compaudit for list.
Ignore insecure files and continue [y] or abort compinit [n]?

Here's the output of compaudit:

There are insecure files:
/root/.local/share/zinit/completions/_rg

Here we can observe that the owner/group of the file is different from the current user (root):

> ls -l /root/.local/share/zinit/completions/_rg
lrwxrwxrwx 1 root root 107 Aug  5 13:54 /root/.local/share/zinit/completions/_rg -> /root/.local/share/zinit/plugins/BurntSushi---ripgrep/ripgrep-13.0.0-x86_64-unknown-linux-musl/complete/_rg

> ls -l /root/.local/share/zinit/plugins/BurntSushi---ripgrep/ripgrep-13.0.0-x86_64-unknown-linux-musl/complete/_rg
-rw-r--r-- 1 1001 116 29096 Jun 12  2021 /root/.local/share/zinit/plugins/BurntSushi---ripgrep/ripgrep-13.0.0-x86_64-unknown-linux-musl/complete/_rg



### Screenshots and recordings

_No response_

### Operating System & Version

OS: linux-gnu | Vendor: pc | Machine: x86_64 | CPU: x86_64 | Processor: unknown | Hardware: x86_64

### Zsh version

zsh 5.9 (x86_64-pc-linux-gnu)

### Terminal emulator

xterm

### If using WSL on Windows, which version of WSL

None

### Additional context

I encountered the issue when running on container.

### Code of Conduct

- [X] I agree to follow this project's Code of Conduct
@yyykt yyykt added the bug Something isn't working label Aug 5, 2023
@yyykt yyykt mentioned this issue Aug 5, 2023
Merged
7 tasks
@github-actions GitHub Actions
Copy link

🎉 This issue has been resolved in version 3.13.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vladdoster vladdoster

Labels
bug Something isn't working released
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix the permission issue with 'ziextract' when running it as root yyykt/zinit
2 participants
@vladdoster @yyykt