Update check prevents import if home dir not readable

[Grazfather]

This is the case on pwnable.kr right now

asm@ubuntu:~$ python
Python 2.7.12 (default, Jul  1 2016, 15:12:24)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/pwn/__init__.py", line 16, in <module>
    pwnlib.update.check_automatically()
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/update.py", line 185, in check_automatically
    if should_check():
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/update.py", line 101, in should_check
    if read(cache_file()).strip() == 'never':
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/update.py", line 88, in cache_file
    os.makedirs(cache_dir)
  File "/usr/lib/python2.7/os.py", line 157, in makedirs
    mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/home/asm/.pwntools-cache'

So basically because the update decided to try today, and because pwnable has a weird setup, I can't 'conveniently' use pwntools.

[zachriggle]

Huh. I'll fix this sometime tomorrow, unless you want to contribute a pull request first!

…

On Sun, Nov 27, 2016 at 1:31 PM Grazfather ***@***.***> wrote: This is the case on pwnable.kr right now ***@***.***:~$ python Python 2.7.12 (default, Jul 1 2016, 15:12:24) [GCC 5.4.0 20160609] on linux2 Type "help", "copyright", "credits" or "license" for more information.>>> from pwn import * Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/local/lib/python2.7/dist-packages/pwn/__init__.py", line 16, in <module> pwnlib.update.check_automatically() File "/usr/local/lib/python2.7/dist-packages/pwnlib/update.py", line 185, in check_automatically if should_check(): File "/usr/local/lib/python2.7/dist-packages/pwnlib/update.py", line 101, in should_check if read(cache_file()).strip() == 'never': File "/usr/local/lib/python2.7/dist-packages/pwnlib/update.py", line 88, in cache_file os.makedirs(cache_dir) File "/usr/lib/python2.7/os.py", line 157, in makedirs mkdir(name, mode) OSError: [Errno 13] Permission denied: '/home/asm/.pwntools-cache' So basically because the update decided to try today, and because pwnable has a weird setup, I can't 'conveniently' use pwntools. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#799>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAG0GFpDDlS_Rrq_grXtLygQ8UfFoM0rks5rCeibgaJpZM4K9P22> .

[zachriggle]

You can get around this by setting $HOME to something else, I expect. I see that pwnable.kr has already worked around the issue by creating a .pwntools-caache directory and setting update to never.

I expect that this will break in a few other interesting ways. For example, Mako requires caching templates someplace.

>>> from pwn import *
>>> asm(shellcraft.sh())
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/shellcraft/__init__.py", line 79, in __getattr__
    return getattr(m, key)
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/shellcraft/__init__.py", line 79, in __getattr__
    return getattr(m, key)
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/shellcraft/__init__.py", line 73, in __getattr__
    real = internal.make_function(key, self._shellcodes[key], self._dir)
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/shellcraft/internal.py", line 103, in make_function
    template   = lookup_template(path)
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/shellcraft/internal.py", line 74, in lookup_template
    loaded[filename] = lookup.get_template(filename)
  File "/usr/local/lib/python2.7/dist-packages/mako/lookup.py", line 256, in get_template
    return self._load(srcfile, uri)
  File "/usr/local/lib/python2.7/dist-packages/mako/lookup.py", line 321, in _load
    **self.template_args)
  File "/usr/local/lib/python2.7/dist-packages/mako/template.py", line 322, in __init__
    module = self._compile_from_file(path, filename)
  File "/usr/local/lib/python2.7/dist-packages/mako/template.py", line 368, in _compile_from_file
    util.verify_directory(os.path.dirname(path))
  File "/usr/local/lib/python2.7/dist-packages/mako/util.py", line 60, in verify_directory
    os.makedirs(dir, compat.octal("0775"))
  File "/usr/lib/python2.7/os.py", line 150, in makedirs
    makedirs(head, mode)
  File "/usr/lib/python2.7/os.py", line 150, in makedirs
    makedirs(head, mode)
  File "/usr/lib/python2.7/os.py", line 157, in makedirs
    mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/home/unexploitable/.pwntools-cache/mako'

[Grazfather]

Glad to see that pwnable has worked around it. Maybe auto-check should be opt-in? I have it setup on a pwning box, for example, in site-packages, where the update check might work but anyone with a shell account will see but cannot update it.

Either way, I worked around it (I forget how) on pwnable, and have it working locally, so mostly just wanted to bring this to your attention.

[zachriggle]

The intent of the update check is to inform users of the package, even if they cannot update it themselves.

Most of this is to avoid support requests for outdated versions.

In the case of pwnable.kr where there is no way to persist version checks, I'm not sure how to best handle the situation. I don't think that any combination of permissions would allow updating mtime on a file and no other changes.

In any case, the Pull Request adds some code which removes the need for any cache directory to exist anywhere.

[zachriggle]

Users that wish to manually perform the check can still use pwn update, even without a cache-dir, after this pull request lands.

$ chmod 000 ~/.pwntools-cache
$ pwn update
[*] You have the latest version of Pwntools (3.2.0)

[zachriggle]

Fixed via #814