From 4623f8c20995a72695fed05e754ed859dc890a98 Mon Sep 17 00:00:00 2001 From: Sam & Claude Date: Sun, 21 Jun 2026 17:27:31 +0200 Subject: [PATCH] fix(bootstrap): pre-create daemon staging dir in agent jails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Second root cause of the jail-spawn EACCES (found via truss, docs PR #132): for staged spawns the daemon writes launch.sh/env.sh under /var/run/colibri-stage//, but nothing created /var/run/colibri-stage. The daemon runs as clawdie and cannot mkdir under root-owned /var/run, so staging failed with Permission denied. agent-jail-bootstrap.sh now pre-creates the dir owned by the daemon user (0700), replacing the runtime `chmod 777` workaround — durable across jail rebuilds and not world-writable (staged files are sourced as shell, so a world-writable staging dir would be a privilege footgun). DAEMON_USER is overridable, defaulting to clawdie. Co-Authored-By: Claude Opus 4.8
---
 packaging/freebsd/agent-jail-bootstrap.sh | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/packaging/freebsd/agent-jail-bootstrap.sh b/packaging/freebsd/agent-jail-bootstrap.sh
index a87e3a1..7ef579d 100755
--- a/packaging/freebsd/agent-jail-bootstrap.sh
+++ b/packaging/freebsd/agent-jail-bootstrap.sh
@@ -11,6 +11,7 @@ set -eu
 JAIL_NAME="${1:-}"
 PKG_CACHE_DIR="${PKG_CACHE_DIR:-/var/cache/pkg}"
+DAEMON_USER="${DAEMON_USER:-clawdie}"
 # The jail name becomes a path component, so reject anything that could escape
 # /usr/local/bastille/jails//root (empty, traversal, odd characters).
@@ -97,4 +98,11 @@ if ! grep -q '/etc/profile.d/clawdie-npm.sh' "${JAIL_ROOT}/etc/profile" 2>/dev/n
 >> "${JAIL_ROOT}/etc/profile"
 fi
+# Pre-create the daemon's per-spawn staging directory. The daemon runs as
+# ${DAEMON_USER} and stages launch.sh/env.sh under subdirs here, so
+# it must own this directory. Created clawdie-owned 0700 rather than left for a
+# root-owned /var/run to block (the spawn EACCES) or patched world-writable.
+install -d -o "${DAEMON_USER}" -g "${DAEMON_USER}" -m 0700 \
+ "${JAIL_ROOT}/var/run/colibri-stage"
+
 echo "Done — ${JAIL_NAME} ready for vault provision."
-- 
2.45.3
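Review bot: The owner and group names given to the added `install -d` are looked up in the user database of the system running this script, and because the target is written through `${JAIL_ROOT}` the script appears to run on the host rather than inside the jail. If the host has no `${DAEMON_USER}` account or same-named group, the command aborts under `set -eu`; if the host's uid for that name differs from the jail's, the directory ends up owned by some other uid inside the jail and the daemon still cannot write there. Because staged files are sourced as shell, it is worth taking the numeric uid/gid from the jail's own passwd database (`install -o` accepts a numeric id) and recording the assumption in a comment such as `# owner is resolved on the host; uid must match ${DAEMON_USER} inside the jail`. Jails that already carry the earlier `chmod 777` workaround may also hold subdirectories created by other users, which `install -d` leaves in place, so existing contents should be cleared or checked before the mode is tightened.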