mjl blog
November 27th 2017

Running accountless for fun and ...

Want to see your software break? Run it in a way that is slightly different than usual. For example under a UID that doesn’t have a system account.

I’ve been using Ding to build software. Both Go software and Java software. Resulting in three instances of “fun”.

Fun #1 - “?” as home directory

The Java project I was compiling uses maven. Before compiling the code, it will first fetch dependencies. Normally maven stores downloaded dependencies in the user’s home directory, in a directory called “.m2”. Not so when in an isolated build with Ding. Under Ding it fetches dependencies and stores them in $PWD/?/.m2. That’s right. It just creates a new directory named “?” wherever it happens to be running, pretending that’s the home directory.

Initially, I figured it would be a bug in maven. Ding runs builds under unique user IDs. Those UIDs don’t have a regular system account. They don’t have to under unix. The kernel doesn’t care or even know about those accounts. But it seems maven does really want to care about regular system accounts… Not very unix-like. But maven isn’t high on my “software-that-behaves-appropriately-on-unix”-list (if I had one), because it also insists on writing color escape codes to terminals that don’t implement them. Anyway, properly behaving software would store files in $HOME, not what the system claims a home directory is. But maven just gets completely confused when there is no regular system user home. Silly.

Turns out it is even worse. All of Java can’t handle running under a UID that doesn’t have a user associated with it. After some googling, I found that it’s not really maven’s fault. Maven just asks the JVM what the user homedir is. And the JVM says it’s “?”, that question mark directory. Here’s how to “fix” the problem:

export JAVA_TOOL_OPTIONS=-Duser.home=$HOME

Set that as global as possible, and you’re good to go.

Fun #2 - Hanging builds due to xcode

While building a program using Ding on macOS, the build would hang. I was writing new code for Ding, so figured it must be my own fault. Couldn’t find the problem though. After some searching, it turned out that “go build” was hanging. Because it was running xcodebuild -license check. And it turns out that will hang indefinitely on macOS High Sierra when run under a UID that doesn’t have a user account on the system.

Fun #3 - No SSH for you

While building Ding I ran into a limitation of ssh, the OpenSSH client. Ding is a build server, and the first step of building software is fetching the source code. Typically with git or mercurial. Often over SSH if it’s a private repository. I would like to run the git/hg clone - which runs the ssh client - under a unique random UID. Not under the same UID as the webserver. Unfortunately, computer says no. If you try to do that, ssh will tell you:

No user exists for uid 10010

And it is right! But so what? No reason not to do your job, is it? I can imagine the ssh code has a design where it helps to know the system account. But that still isn’t a very good reason… I decided to look into the code. It’s right here: https://github.com/openssh/openssh-portable/blob/939b30ba23848b572e15bf92f0f1a3d9cf3acc2b/ssh.c#L577. Unfortunately the comments don’t say why.
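An added example, not code from this post, OpenSSH or the JVM: one way for a program to stay usable under an accountless UID, as argued in Fun #1 and Fun #3. It prefers $HOME, falls back to the account database via getpwuid(), and reports "no home" to the caller instead of exiting or inventing a directory like “?”. The names resolve_home, find_accountless_uid and the path /srv/build are made up for the illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum home_src { HOME_NONE = 0, HOME_FROM_ENV, HOME_FROM_PASSWD };

/* Accept only absolute paths that fit, so a placeholder such as "?" is never used. */
static int usable(const char *p, size_t len) {
    return p != NULL && p[0] == '/' && strlen(p) < len;
}

/* Prefer $HOME (passed in as env_home), then the passwd database.
 * A missing account is a normal result here, not a fatal error. */
enum home_src resolve_home(uid_t uid, const char *env_home, char *out, size_t len) {
    if (usable(env_home, len)) {
        strcpy(out, env_home);
        return HOME_FROM_ENV;
    }
    struct passwd *pw = getpwuid(uid);   /* NULL when the UID has no account */
    if (pw != NULL && usable(pw->pw_dir, len)) {
        strcpy(out, pw->pw_dir);
        return HOME_FROM_PASSWD;
    }
    return HOME_NONE;                    /* caller decides: temp dir, cwd, or no cache */
}

/* Hypothetical demo helper: find a UID with no passwd entry,
 * scanning downward from an arbitrary high value. */
uid_t find_accountless_uid(void) {
    uid_t uid = 4000000000u;
    while (getpwuid(uid) != NULL)
        uid--;
    return uid;
}

int main(void) {
    static const char *names[] = { "none", "$HOME", "passwd" };
    char home[4096];
    uid_t uid = find_accountless_uid();
    printf("uid %lu, HOME unset: %s\n", (unsigned long)uid,
           names[resolve_home(uid, NULL, home, sizeof home)]);
    printf("uid %lu, HOME=/srv/build: %s\n", (unsigned long)uid,
           names[resolve_home(uid, "/srv/build", home, sizeof home)]);
    printf("current uid: %s\n",
           names[resolve_home(getuid(), getenv("HOME"), home, sizeof home)]);
    return 0;
}
```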


Disappointment. Fun and disappointment.

A lot of software tries to be smart and helpful. They end up looking silly. They try too hard and break on unimportant details.

Lesson? Don’t try too hard and don’t try to be smart.