
Commit ce41c83

project-runner: trying to address a subtle path issue
1 parent e514e82 commit ce41c83

2 files changed

+6
-10
lines changed

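--- a/src/packages/project-runner/run/env.ts
+++ b/src/packages/project-runner/run/env.ts
@@ -91,7 +91,6 @@ export function getEnvironment({
 COCALC_USERNAME: USER,
 USER,
 COCALC_EXTRA_ENV: extra_env,
-// probably want to be more careful with PATH
 PATH: `${HOME}/bin:${HOME}/.local/bin:${process.env.PATH}`,
 CONAT_SERVER: conatServer,
 COCALC_SECRET_TOKEN: secretTokenPath(HOME),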

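--- a/src/packages/project-runner/run/index.ts
+++ b/src/packages/project-runner/run/index.ts
@@ -26,7 +26,7 @@ import { isValidUUID } from "@cocalc/util/misc";
 import { reuseInFlight } from "@cocalc/util/reuse-in-flight";
 import getLogger from "@cocalc/backend/logger";
 import { root } from "@cocalc/backend/data";
-import { dirname, join } from "node:path";
+import { basename, dirname, join } from "node:path";
 import { userInfo } from "node:os";
 import { ensureConfFilesExists, setupDataPath, writeSecretToken } from "./util";
 import { getEnvironment } from "./env";
@@ -61,6 +61,7 @@ const MOUNTS = {
 "-B": ["/dev"],
 };
 
+let nodePath = process.execPath;
 async function initMounts() {
 for (const type in MOUNTS) {
 const v: string[] = [];
@@ -77,12 +78,9 @@ async function initMounts() {
 // version of node's install available
 if (!process.execPath.startsWith("/usr/")) {
 // not already in an obvious system-wide place we included above
-if (process.execPath.includes("nvm/versions/node/")) {
-const j = process.execPath.lastIndexOf("/bin/node");
-if (j != -1) {
-MOUNTS["-R"].push(process.execPath.slice(0, j));
-}
-}
+// IMPORTANT: take care not to put the binary next to sensitive info!
+MOUNTS["-R"].push(`${dirname(process.execPath)}:/cocalc/bin`);
+nodePath = join("/cocalc/bin", basename(process.execPath));
 }
 }
 
@@ -138,7 +136,6 @@ async function start({
 env: config?.env,
 HOME: home,
 });
-env.PATH = dirname(process.argv[0]) + ":" + (env.PATH ?? "");
 await setupDataPath(home);
 if (config?.secret) {
 await writeSecretToken(home, config.secret);
@@ -187,7 +184,7 @@ async function start({
 args.push("-B", `${home}:${env.HOME}`);
 args.push(...limits(config));
 args.push("--");
-args.push(process.execPath);
+args.push(nodePath);
 cmd = nsjail;
 }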
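Review bot: The new `-R` mount in initMounts exposes the entire `dirname(process.execPath)` read-only to the sandboxed project, and the only safeguard is the `IMPORTANT` comment, so anything that happens to sit beside the node binary in a custom install prefix becomes readable from inside the jail. Binding only the executable would make this independent of deployment layout: set `nodePath = join("/cocalc/bin", basename(process.execPath));` first and then `MOUNTS["-R"].push(process.execPath + ":" + nodePath);`, provided nsjail's single-file bind mounts behave as expected in this setup. Failing that, a startup check that refuses to run (or logs loudly) when that directory is group/world-writable or lies under the runner's own home would turn the comment into an enforced invariant. Separately, the hunk in start removes the host node directory from `env.PATH` and nothing visible adds `/cocalc/bin`, so it is worth confirming that processes inside the project can still resolve `node` by name. Both initMounts and start continue outside the visible hunks, so ordering between setting `nodePath` and its use in `args.push(nodePath)` could not be checked here.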
