Closed: Just switched to ssh until I can resolve the perl issue....Permission denied when running perl script

Closed: Thanks to all who replied.

TLDR: Can’t locate Getopt/ /root/share/perl5/Getopt/ Permission denied

I’m setting up the i3 spin and prefer to use netrc for my git credential helper. For those who don’t know it’s a perl script that encrypts and decrypts your git credentials so you don’t have to log in every time you want to update a private repo. It uses the perl module Getopt::long. I’ve verified that it is installed and available when I use sudo but without I get permission denied. I need to use it without sudo since the sudo environment doesn’t have the rest of my git settings. I’ve verified file permissions to the script and perl module so I’m guessing it’s some sort of SeLnux issue. Being new to SeLinux I have no idea where to find the cause or what to do next. Help?

If it helps heres a link to the script in question

Try perl -V, at the end of the output, after @INC, will be a list of directories automatically included for libraries. My list includes /usr/share/perl5/vendor_perl, and find /usr -name shows /usr/share/perl5/vendor_perl/Getopt/
You said you verified permissions to the module, so without sudo you did an ls -l /root/share/perl5/Getopt/ and it is world readable, correct?
I’m curious as to where the /root/share/… path came from, but I am clueless about the i3 spin.

You said that is readable, but IMHO and experience anything under /root should never be world readable. That would explain why your regular user cannot read it.

Also, nothing should ever be installed under /root so that path is certainly suspect.

How did you install netrc? It seems that it may have been installed incorrectly if something was put in the /root directory tree.

1 Like

I would strongly suggest using an SSH key to connect with git instead of storing your HTTP credentials this way. If you need encryption/decryption with git repos, git-crypt is in the Fedora repos, but I would suggest using something like Hashicorp Vault instead for managing and consuming credentials in runtime.

Usually one would install Getopt::Long from the Fedora repository.

dnf install  'perl(Getopt::Long)'
1 Like

Indeed it’s looking for the module in the wrong place. Didn’t notice that. The script doesn’t specify a path just “use Getopt::Long;” Perhaps there’s some kind of perl environment variable I need to set.

Yeah did that, Said it was already installed.

To install netrc I cloned the git git repo then copied the script, gave it 755 permissions. That’s usually enough

Can’t test because you did not link the repo used so cannot be sure I am using the same package and cannot look at the code to see what it does nor how it gets installed.

Please link that ‘github’ or ‘gitlab’ site so I can test what you are doing.

Here’s the script

Wow, blast from the past with that one. Seriously, though, using SSH instead is better convenience and security. The RedHat article I linked was an attempt to be Git Vendor agnostic, but really the steps are: create an ssh key (ssh-keygen) and upload the public key (ie, .pub file created from the previous command) to the git provider (or add it to ~/.ssh/authorized_keys of the git repo user if doing it the old school way.)

yeah ssh would be better, but it would also take a lot of time to migrate. Lots of repos in lots of places. As it is it’s only broken on one machine, and that happens to be fedora. I’ll keep messing with it until I either give up on Fedora or bite the bullet and switch to ssh or just fix the dang thing.

Sounds like it’s a good time for you to discover the power of ansible. This could be a one-liner. :slightly_smiling_face:

There is, but you don’t need any of those as long as you install perl and the perl modules from the Fedora repository. As far as I remember, you also don’t need to set any environment variable if you install modules from CPAN,

1 Like

Also see /usr/libexec/git-core/git-credential-netrc . So if you have git installed you already have the file on your system. And it is installed in a place where git will search for it.

1 Like

yep, I had not seen that. There is only one line difference between the one downloaded from the git git repo and the one already installed.

$ diff git-credential-netrc.perl /usr/libexec/git-core/git-credential-netrc
> use lib (split(/:/, $ENV{GITPERLLIB} || '/usr/share/perl5/vendor_perl'));
1 Like

That line is added by the build procedure to adapt to different platforms, for exampe MS-Windows.

Starting from a freshly installed Fedora

dnf install git
git config --global credential.helper netrc

Is all that would have needed to make it work.