Stage jail spawn files under a daemon-owned path instead of root-owned /var/run #135

New issue

Closed

opened 2026-06-21 17:30:11 +02:00 by clawdie · 0 comments

clawdie commented

2026-06-21 17:30:11 +02:00

Owner

Background

The jail-spawn Permission denied bug (truss analysis in docs/TRUSS-SPAWN-ANALYSIS.md, fixed by #131 + #134) had two causes. The second was that the daemon stages per-spawn launch.sh/env.sh under <jail_root>/var/run/colibri-stage/<stage_id>/, but /var/run is root-owned, so the daemon (running as clawdie) couldn't create the staging subdir.

#134 worked around this by having agent-jail-bootstrap.sh pre-create /var/run/colibri-stage owned by clawdie (0700). That fixes it, but it leaves a structural smell: the daemon writes into a root-owned tree and depends on an external bootstrap step to carve out an owned subdir first.

Proposal

Stage under a path the daemon owns outright, e.g. /var/db/clawdie/stage (or another clawdie-owned location), instead of root-owned /var/run.

Benefits:

The daemon can create/manage the staging tree itself; no dependency on a bootstrap step pre-creating an owned subdir under a root-owned parent.
/var/db is persistent; /var/run is sometimes tmpfs/cleared on boot, which can make the bootstrap-created dir vanish.
Removes the ownership coupling between the bootstrap script and the daemon.

Where

crates/colibri-daemon/src/spawner.rs — STAGED_JAIL_RUN_DIR constant (currently /var/run/colibri-stage) and prepare_spawn_command staging logic.
Once the daemon owns the path, the install -d ... colibri-stage line in packaging/freebsd/agent-jail-bootstrap.sh (#134) can likely be dropped.
Confirm the path resolves correctly inside the jail too — the staged files are referenced by their jail-relative path when jexec'd, so the chosen dir must exist/be writable both on the host side (daemon writes) and reachable jail-side (launcher reads).

Acceptance

Daemon stages spawn files under a clawdie-owned path without any pre-created dir from the bootstrap script.
Jailed spawn with injected env still works (staged env.sh/launch.sh sourced correctly).
No world-writable staging dir anywhere in the path.

Priority

Low — current state (bootstrap pre-creates 0700 clawdie-owned dir) works and is not world-writable. This is a structural cleanup, not a live bug.

## Background The jail-spawn `Permission denied` bug (truss analysis in `docs/TRUSS-SPAWN-ANALYSIS.md`, fixed by #131 + #134) had two causes. The second was that the daemon stages per-spawn `launch.sh`/`env.sh` under `<jail_root>/var/run/colibri-stage/<stage_id>/`, but `/var/run` is root-owned, so the daemon (running as `clawdie`) couldn't create the staging subdir. #134 worked around this by having `agent-jail-bootstrap.sh` pre-create `/var/run/colibri-stage` owned by `clawdie` (`0700`). That fixes it, but it leaves a structural smell: the daemon writes into a root-owned tree and depends on an external bootstrap step to carve out an owned subdir first. ## Proposal Stage under a path the daemon owns outright, e.g. `/var/db/clawdie/stage` (or another `clawdie`-owned location), instead of root-owned `/var/run`. Benefits: - The daemon can create/manage the staging tree itself; no dependency on a bootstrap step pre-creating an owned subdir under a root-owned parent. - `/var/db` is persistent; `/var/run` is sometimes tmpfs/cleared on boot, which can make the bootstrap-created dir vanish. - Removes the ownership coupling between the bootstrap script and the daemon. ## Where - `crates/colibri-daemon/src/spawner.rs` — `STAGED_JAIL_RUN_DIR` constant (currently `/var/run/colibri-stage`) and `prepare_spawn_command` staging logic. - Once the daemon owns the path, the `install -d ... colibri-stage` line in `packaging/freebsd/agent-jail-bootstrap.sh` (#134) can likely be dropped. - Confirm the path resolves correctly **inside** the jail too — the staged files are referenced by their jail-relative path when `jexec`'d, so the chosen dir must exist/be writable both on the host side (daemon writes) and reachable jail-side (launcher reads). ## Acceptance - Daemon stages spawn files under a `clawdie`-owned path without any pre-created dir from the bootstrap script. - Jailed spawn with injected env still works (staged `env.sh`/`launch.sh` sourced correctly). - No world-writable staging dir anywhere in the path. ## Priority Low — current state (bootstrap pre-creates `0700` clawdie-owned dir) works and is not world-writable. This is a structural cleanup, not a live bug.