5

I am sandboxing R on Ubuntu 11.10 using apparmor. One thing I noticed is that for every png or pdf plot that R creates, it shows the warning:

(process:4589): GLib-WARNING **: getpwuid_r(): failed due to: Permission denied.

However, even though read access to /etc/passwd is denied, everything seems to be working perfectly fine. I do not plan to give R these permissions, as it seems unnecessary for what I want to do. However the recurring warning is somewhat annoying.

A quick grep of "getpwuid" in R/src shows three places where it is called: 

r-base-2.14.2/src/main/platform.c:  stpwd = getpwuid(sb.st_uid);
r-base-2.14.2/src/unix/sys-unix.c:  stpwd = getpwuid(getuid());
r-base-2.14.2/src/unix/sys-unix.c:  stpwd = getpwuid(geteuid());

However, it not really clear to me what this does.

Questions:

  • Why does R need access to the passwd file for creating a plot?
  • Is there any way I can prevent R from trying to call getpwuid_r() when writing to a png or pdf device (without recompiling R)?
Jeroen Ooms
  • 31,998
  • 35
  • 134
  • 207
  • I'd be curious to see the output of `strace(1)` when generating the image; it's hard for me to see why R would want to know the user's name, homedirectory, GECOS, or shell, though shell is the most likely thing it's after. Does your R profile require execute access to `/bin/bash` or `/bin/dash`? (Disclaimer: I'm part of the AppArmor team.) – sarnold Mar 12 '12 at 23:00
  • R does read a lot of `~/.R*` files, even from `~/.R/*` as well. But I thought it does so on startup only. OTOH ~/.Rhistory etc are appended, but again -- the full filename is probably computed just once. – Dirk Eddelbuettel Mar 12 '12 at 23:44
  • Or, if you could suggest a quick way for me to reproduce this on my own, that'd be neat. I know almost nothing about R (despite several half-hearted attempts to learn.) – sarnold Mar 13 '12 at 01:50
  • 2
    Is it really one of those getpwuid calls in R source? The error message is from GLib, and from getpwuid_r - its probably a call in GLib, which has come from one of the graphics libraries (like libPNG) that uses GLib. The real question is then why would a graphics library need to get at /etc/passwd... – Spacedman Mar 13 '12 at 08:17
  • I just tried chmod o-r /etc/passwd and then creating a png in R - no GLib warnings at all. strace'ing R shows it accesses /etc/passwd quite a lot. – Spacedman Mar 13 '12 at 08:30
  • It is very common for plotting libraries to include the user name in the comments of the output file - so that would be my guess as of where it comes from. But as was said earlier, this heavily depends on the exact device you use and may not come from R itself. – Simon Urbanek Mar 14 '12 at 02:06
  • Do you have any updates on this issue @Jeroen? I've overstepped this problem by adding a `deny` rule to `/etc/passwd` in apparmor, so it would not mess up logs - although it leads to a state where you'd never know if a code tries to read that file :( – daroczig Mar 25 '12 at 22:30
  • @daroczig does that work? I thought that would only suppress apparmor warnings... This warning seems to come from glib. – Jeroen Ooms Mar 31 '12 at 03:39
  • Did you ever figure this thing out? – sarnold Jul 24 '12 at 04:24

1 Answers1

0

The R internal function file.info (do_fileinfo in gdb) appears to discover and return lots of information about files including username.

I assume it basically does this for every file loaded in R, but it might be just during package load.

It uses getpwuid to do this.

I'm having performance problems right now in R - due to long latency NIS responses. It's looking up the same user many many times during package loading, which causes me all sorts of problems.

I wish it would cache.

Alex Brown
  • 41,819
  • 10
  • 94
  • 108