Hi all,
I’m playing with platformio and liking it so far. I’m using the esphome docker container to give me a platformio docker container. By default their instructions is to run the container in priviledged mode, which generally means, ‘run as root, do anything’. That’s fine-ish for local development, but when run as a container on a server (like in the home-assistant add-on) it just makes me feel uncomfortable. So I have been exploring to run the container with all capabilities dropped (except for cap_fowner).
My first (arduino) based project worked fine, but to install any dependency, cap_fowner was needed, because platformio unpacks the files without the executable bit set, and then later adds them via a chmod. That’s not perfect, but fine I suppose.
However when I started to build a idf-esp32 based project, I kept getting permission denied errors on the package.json file. Turns out, when unpacking, this was the only file in the archive that was set with -rwxr-x--- permissions. E.g. the ‘others + read’ permission was missing, causing pio pkg install to fail to process the json file. Further more, the file was installed with user 501 and group 50 (or rather, group staff on debian, which is pretty much a hard requirement for ESP based tools due to the gcc requirement), while all other files in the archive where root:root.
This case was about multiple packages, but the first one that bit me was cmake.
So for now, my ‘quick fix’ is to put the user root into the staff group, which then worked, but it’s an unreliable fix. What if the next version of cmake gets packaged with different group number. The fact that this worked for staff is probably more of a coincidence then anything else and makes it unreliable. Also tracking down all package.json that incorrectly set permissions is a nuisance.
So what’s the best approach here. Re-doing all incorrect packages is troublesome, but potentially needed? I couldn’t even find repo’s where these things where stored, but then maybe it’s not even a platformio problem? Maybe platformio should chown root:root; chmod o+r all files in an archive after unpacking, before installing?
Any thoughts?