config.sh issue with process sandboxing on macos

[raphael-proust]

In an opam-repository PR, we observed the following error:

#=== ERROR while compiling afl-persistent.1.4 =================================#
# context              2.2.0~alpha2 | macos/x86_64 | ocaml-base-compiler.4.14.1 | file:///Users/mac1000/opam-repository
# path                 ~/.opam/4.14.1/.opam-switch/build/afl-persistent.1.4
# command              ~/.opam/opam-init/hooks/sandbox.sh build ./config.sh
# exit-code            1
# env-file             ~/.opam/log/afl-persistent-61874-2bd2b7.env
# output-file          ~/.opam/log/afl-persistent-61874-2bd2b7.out
### output ###
# ./config.sh: line 17: cannot create temp file for here document: Operation not permitted

AFAweCT, the issue is that macos ships an old version of bash which creates a temporary file for the heredoc (the part in between <<EOF and EOF which is not allowed by sandboxing in /.

Suggested fix:
Replace cd / by cd .. on line 14 in config.sh

[shym]

In fact bash should create the temporary file in /tmp or some other system temporary directory. I wonder whether the sandboxing allows that. Another workaround could be to use a printf '...' maybe?

[raphael-proust]

bash should, and bash would, but macos ships a bash version that is dated, as in a version that is nearly old enough to drink. Apparently that old version of bash doesn't default to /tmp for heredoc content. It's difficult to confirm this though: I don't have access to the right machine to test it.

---

The sandboxing is meant to allow files in /tmp. In fact the first part of the script does use the temporary directory which succeeds.

[mseri]

It can be fixed with a microscopic patch: ocaml/opam-repository#25144
I'll send a PR

[stedolan]

Sorry this took me absurdly long to reply to! @mseri's microscopic patch looks good. I've merged #14, but I won't bother releasing a new package version, since the version of 1.4 on OPAM includes this patch already (thanks to ocaml/opam-repository#25144)