Draft
fix: set umask 022 in AWF wrapper to prevent chroot hosts EACCES on rootless runners#46188
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
The AWF bundle uses `mkdtempSync` to create the chroot hosts staging directory. On rootless GitHub-hosted runners the ambient umask can mask the execute bit (e.g. umask 0111 turns mkdtemp's default mode 0700 into 0600). A directory with mode=600 has no execute bit, so the owning process cannot create files inside it, causing a fatal EACCES when AWF tries to write /etc/hosts. The fix sets `umask 022` in the AWF wrapper script before `exec`ing Node.js. Because `exec` preserves the calling process's umask, Node.js (and thus AWF's mkdtempSync calls) inherit umask 022, ensuring the chroot staging directory is created with mode=700 (owner read/write/execute). With this fix the primary write to chroot-<name>/hosts succeeds and the broken fallback that was using a wrong /tmp/awf-chroot-<random> path is never reached. Regression tests added to install_awf_binary_test.sh: - Test 7: wrapper script contains 'umask 022' - Test 8: mkdtemp produces mode=700 (not 600) under umask 022 Closes #46172 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Test 7 now directly checks install_awf_binary.sh for 'umask 022' in the wrapper template instead of creating a fake wrapper, making it a real regression guard - Test 8 uses $((0700)) arithmetic expansion for cleaner octal comparison instead of the opaque decimal literal 448 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix chroot hosts-file write in awf sandbox config generation
fix: set umask 022 in AWF wrapper to prevent chroot hosts EACCES on rootless runners
Jul 17, 2026
This comment has been minimized.
This comment has been minimized.
1 similar comment
Contributor
|
Hey
If you would like a hand finalizing this:
|
Collaborator
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
On rootless GitHub-hosted runners, AWF's
writeConfigsfatally crashes withEACCESwhen writing the chroot/etc/hostsfile, blocking all Smoke CI agent runs (100% failure rate, 31+ affected runs).Root cause:
mkdtempSyncapplies the process umask to its default mode0700. A restrictive ambient umask (e.g.0111, masking the execute bit) producesmode=600on the staging directory — a directory without execute cannot be entered even by its owner. The fallback path compounds the issue by writing to a freshly-created/tmp/awf-chroot-<random>dir (wrong path, same permissions problem) instead of the already-createdhostsRootDir.Changes
actions/setup/sh/install_awf_binary.sh— addsumask 022to the generated AWF wrapper script beforeexecing Node.js. Sinceexecpreserves the calling process's umask, Node.js inherits it, ensuringmkdtempSyncproducesmode=700:With the primary write now succeeding, the broken fallback is never reached.
actions/setup/sh/install_awf_binary_test.sh— two regression tests:install_awf_binary.shcontainsumask 022in the wrapper templatemkdtempSyncunderumask 022producesmode=0700(functional guard against the rootless EACCES scenario)