Docs: Remove step making cloned repository world-writable for Windows build. #12322

Current documentation for Windows build on Ubuntu suggests cloning the repository into /usr/src, as root, and making the tree world-writable(!). I can see no problem this solves, and it introduces obvious security issues.

I can see no problem this solves

Maybe ask the person that made that change, @sipsorcery, to be sure.

But yes it at least coming from UNIX seems crazy. Then again with the crazy workarounds of the day that seem to be necessary to make things work in WFL, I'm not too surprised.

@murrayn the reason the WSL build steps recommend cloning and building the source in the Linux part of the file system, such as /usr/src, is due to #11685.

If the build is attempted under the Windows file system, such as /mnt/c, the dependency autoconf build scripts fail due to a timestamp issue.

@sipsorcery The document already clearly warns not to build in a mounted Windows directory. It is not necessary to install into /usr/src, nor is it required to be root (I just built it as a regular user in my home directory). But making the src tree world-writable is definitely not required, and is the really problematic part.

I think it's better to be overly prescriptive with the build instructions. The current instructions work and do not create a security risk. If the suggested steps are removed then eventually someone who is less familiar with Linux will try and build outside their home directory and create an issue about permissions.

That all being said I personally don't have a strong opinion about this. If there is a strong opinion about one way or the other then I personally wouldn't have any objections to the PR.

You do see that by changing the permissions to world-writable, any user can replace or edit any of the source files used to do the build? How can you possibly claim this is not a security risk? It is. As is doing any part of the build process as root. Not necessary, and another security risk.

@murrayn the Windows Ubuntu application (aka as Windows Subsystem for Linux) stores the Linux file system in a user specific location within the Windows file system (for example C:\Users\SomeUSer\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs). Changing the Linux file system permissions won't expose the Linux file system to any other Windows users.

I guess if you are running your Windows Ubuntu application as a multi-user system and have set up SSH access then you may want to be more restrictive with the Linux permissions. Otherwise either do the build in your home directory, as you are suggesting, or change the permissions in /usr/src, or elsewhere, as I've suggested, to avoid typing a few extra sudo's.

Doing something like:

    $ sudo mkdir /usr/src/bitcoin
    $ sudo chown $USER /usr/src/bitcoin
    $ git clone https://github.com/bitcoin/bitcoin.git /usr/src/bitcoin
    $ cd /usr/src/bitcoin

seems more plausible to me? Might need to use $USERNAME or $LOGNAME or --reference=$HOME instead of $USER though?

I guess I can't speak to what hacks might be required to build on WSL, but for building on Ubuntu, which the document claims to describe, the instructions are incorrect, and dangerous to boot.

Solving a Linux problem by doing "chmod -R a+rw" almost always means it has been solved incorrectly.

It would help to have a separate section for WFL-specific hacks and one for cross-building from conventional Unix/Linux. None of the WFL hacks is necessary for cross-compiling.

I was recently told of on IRC is that it also recommends to add non-xenial repositories on xenial, this will generally wreck your OS. Yes, building using xenial's mingw-w64 gcc is broken, better just don't do it (use a newer, or older VM) than wreck your system.

@laanwj there is a cautionary footnote in the Windows build doc about updating the package repositories on Xenial, https://github.com/bitcoin/bitcoin/blob/master/doc/build-windows.md#footnote1. Sounds like it might need to be made more prominent if someone has inadvertently messed up their Ubuntu instance.

Based on this discussion I think @murrayn's changes are a good idea. When the instructions were updated a few months ago the focus was on WSL. The implications for native Linux were overlooked.

I have to agree with the seperation of WSL hacks. Coming from building on native OS environments. This documented way of only using WSL for a windows build is a pain.

Give MinGW and Qt Creator some love again :)

Based on this discussion I think @murrayn's changes are a good idea

Okay, then we'll just go ahead and merge this. FWIW instead of /usr/src the home directory of the user also works fine for building, the only thing that doesn't work is building inside a mounted windows disk.