Skip to content

fix: set umask 022 in AWF wrapper to prevent chroot hosts EACCES on rootless runners#46188

Draft
pelikhan with Copilot wants to merge 4 commits into
mainfrom
copilot/aw-failures-fix-chroot-hosts-file
Draft

fix: set umask 022 in AWF wrapper to prevent chroot hosts EACCES on rootless runners#46188
pelikhan with Copilot wants to merge 4 commits into
mainfrom
copilot/aw-failures-fix-chroot-hosts-file

Conversation

Copilot AI commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

On rootless GitHub-hosted runners, AWF's writeConfigs fatally crashes with EACCES when writing the chroot /etc/hosts file, blocking all Smoke CI agent runs (100% failure rate, 31+ affected runs).

Root cause: mkdtempSync applies the process umask to its default mode 0700. A restrictive ambient umask (e.g. 0111, masking the execute bit) produces mode=600 on the staging directory — a directory without execute cannot be entered even by its owner. The fallback path compounds the issue by writing to a freshly-created /tmp/awf-chroot-<random> dir (wrong path, same permissions problem) instead of the already-created hostsRootDir.

Changes

  • actions/setup/sh/install_awf_binary.sh — adds umask 022 to the generated AWF wrapper script before execing Node.js. Since exec preserves the calling process's umask, Node.js inherits it, ensuring mkdtempSync produces mode=700:

    #!/bin/bash
    # Ensure directories created by AWF (e.g. chroot hosts staging dir) have the
    # execute bit set. A restrictive ambient umask (e.g. masking bit 0100) turns
    # mkdtemp's default 0700 into 0600, making the directory non-traversable and
    # causing EACCES on rootless GitHub-hosted runners.
    umask 022
    exec "/path/to/node" "/path/to/awf-bundle.js" "$@"

    With the primary write now succeeding, the broken fallback is never reached.

  • actions/setup/sh/install_awf_binary_test.sh — two regression tests:

    • Test 7: asserts install_awf_binary.sh contains umask 022 in the wrapper template
    • Test 8: asserts mkdtempSync under umask 022 produces mode=0700 (functional guard against the rootless EACCES scenario)

Copilot AI and others added 3 commits July 17, 2026 09:15
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
The AWF bundle uses `mkdtempSync` to create the chroot hosts staging
directory. On rootless GitHub-hosted runners the ambient umask can mask
the execute bit (e.g. umask 0111 turns mkdtemp's default mode 0700 into
0600). A directory with mode=600 has no execute bit, so the owning
process cannot create files inside it, causing a fatal EACCES when AWF
tries to write /etc/hosts.

The fix sets `umask 022` in the AWF wrapper script before `exec`ing
Node.js. Because `exec` preserves the calling process's umask, Node.js
(and thus AWF's mkdtempSync calls) inherit umask 022, ensuring the chroot
staging directory is created with mode=700 (owner read/write/execute).

With this fix the primary write to chroot-<name>/hosts succeeds and the
broken fallback that was using a wrong /tmp/awf-chroot-<random> path is
never reached.

Regression tests added to install_awf_binary_test.sh:
- Test 7: wrapper script contains 'umask 022'
- Test 8: mkdtemp produces mode=700 (not 600) under umask 022

Closes #46172

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Test 7 now directly checks install_awf_binary.sh for 'umask 022' in
  the wrapper template instead of creating a fake wrapper, making it
  a real regression guard
- Test 8 uses $((0700)) arithmetic expansion for cleaner octal comparison
  instead of the opaque decimal literal 448

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix chroot hosts-file write in awf sandbox config generation fix: set umask 022 in AWF wrapper to prevent chroot hosts EACCES on rootless runners Jul 17, 2026
Copilot AI requested a review from pelikhan July 17, 2026 09:32
@github-actions

This comment has been minimized.

1 similar comment
@github-actions

Copy link
Copy Markdown
Contributor

Hey @app/copilot-swe-agent 👋 — thanks for the fix on the umask issue in the AWF wrapper script! A few things to address before this is ready:

  • Remove WIP status — the [WIP] prefix in the title suggests this is not ready for review yet. Please update the title and confirm the changes are complete.
  • Expand the PR description — the checklist-style body is minimal. Consider adding a brief explanation of the root cause, what the fix does, and any edge cases considered.

If you would like a hand finalizing this:

Update PR #46188: remove the [WIP] prefix from the title and expand the PR description to explain the root cause of the umask 022 issue in the AWF wrapper script, what the fix does, and any edge cases considered.

Generated by ✅ Contribution Check · 74.6 AIC · ⌖ 16.7 AIC · ⊞ 6.2K ·

@pelikhan pelikhan added the awf label Jul 17, 2026
@pelikhan

Copy link
Copy Markdown
Collaborator

@lpcox

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[aw-failures] [aw-fix] Rootless chroot hosts-file EACCES crashes awf sandbox config generation (blocks Smoke CI)

2 participants