clawdie/colibri
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 48

fix(bootstrap): pre-create daemon staging dir in agent jails #133

Merged
clawdie merged 1 commit from absolute-spawn-wrappers into main 2026-06-21 17:30:49 +02:00
Conversation 0 Commits 1 Files changed 1 +8
clawdie commented 2026-06-21 17:28:36 +02:00
Owner
Copy link

Second root cause of the jail-spawn EACCES (found via truss, docs PR #132):
for staged spawns the daemon writes launch.sh/env.sh under
<jail_root>/var/run/colibri-stage/<stage_id>/, but nothing created
/var/run/colibri-stage. The daemon runs as clawdie and cannot mkdir under
root-owned /var/run, so staging failed with Permission denied.

agent-jail-bootstrap.sh now pre-creates the dir owned by the daemon user
(0700), replacing the runtime chmod 777 workaround — durable across jail
rebuilds and not world-writable (staged files are sourced as shell, so a
world-writable staging dir would be a privilege footgun). DAEMON_USER is
overridable, defaulting to clawdie.

Co-Authored-By: Claude Opus 4.8 noreply@anthropic.com

Second root cause of the jail-spawn EACCES (found via truss, docs PR #132): for staged spawns the daemon writes launch.sh/env.sh under <jail_root>/var/run/colibri-stage/<stage_id>/, but nothing created /var/run/colibri-stage. The daemon runs as clawdie and cannot mkdir under root-owned /var/run, so staging failed with Permission denied. agent-jail-bootstrap.sh now pre-creates the dir owned by the daemon user (0700), replacing the runtime `chmod 777` workaround — durable across jail rebuilds and not world-writable (staged files are sourced as shell, so a world-writable staging dir would be a privilege footgun). DAEMON_USER is overridable, defaulting to clawdie. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
clawdie added 1 commit 2026-06-21 17:28:41 +02:00
fix(bootstrap): pre-create daemon staging dir in agent jails
Some checks failed
CI / agent-jail-pkgs (pull_request) Has been cancelled
Details
CI / rust (pull_request) Has been cancelled
Details
CI / markdown (pull_request) Has been cancelled
Details
CI / port (pull_request) Has been cancelled
Details
1233b8fbcd 
Second root cause of the jail-spawn EACCES (found via truss, docs PR #132):
for staged spawns the daemon writes launch.sh/env.sh under
<jail_root>/var/run/colibri-stage/<stage_id>/, but nothing created
/var/run/colibri-stage. The daemon runs as clawdie and cannot mkdir under
root-owned /var/run, so staging failed with Permission denied.

agent-jail-bootstrap.sh now pre-creates the dir owned by the daemon user
(0700), replacing the runtime `chmod 777` workaround — durable across jail
rebuilds and not world-writable (staged files are sourced as shell, so a
world-writable staging dir would be a privilege footgun). DAEMON_USER is
overridable, defaulting to clawdie.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
clawdie merged commit 35f1f3f7b0 into main 2026-06-21 17:30:49 +02:00
clawdie deleted branch absolute-spawn-wrappers 2026-06-21 17:30:50 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
first-proof blocker

gates the first proven end-to-end

  
hardening

security/robustness follow-up, not a first-proof gate

No labels
first-proof blocker
hardening
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: clawdie/colibri#133
No description provided.
Delete branch "absolute-spawn-wrappers"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?