Debian Bug report logs - #599518
schroot: feature request: ssh-like -X option


Package: schroot; Maintainer for schroot is Christoph Biedl <debian.axhn@manchmal.in-ulm.de>; Source for schroot is src:schroot (PTS, buildd, popcon).

Reported by: David Laban <alsuren+debbugs@gmail.com>

Date: Fri, 8 Oct 2010 11:21:01 UTC

Severity: wishlist

Tags: patch

Found in version schroot/1.4.12-1



Report forwarded to debian-bugs-dist@lists.debian.org, alsuren+debbugs@gmail.com, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#599518; Package schroot. (Fri, 08 Oct 2010 11:21:04 GMT)


Acknowledgement sent to David Laban <alsuren+debbugs@gmail.com>:
New Bug report received and forwarded. Copy sent to alsuren+debbugs@gmail.com, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Fri, 08 Oct 2010 11:21:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: David Laban <alsuren+debbugs@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: schroot: feature request: ssh-like -X option
Date: Fri, 08 Oct 2010 12:19:28 +0100
Package: schroot
Version: 1.4.12-1
Severity: wishlist


http://www.debian-administration.org/articles/566 provides a wrapper script
for launching schroot with X enabled. It would be good if schroot supported
this natively via a command line flag, rather than requiring the user to
google for the answer and potentially come up with an insecure solution.

Does the approach given in the article look like the right one?

David.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages schroot depends on:
ii  libboost-filesystem1.42.0     1.42.0-4   filesystem operations (portable pa
ii  libboost-program-options1.42. 1.42.0-4   program options library for C++
ii  libboost-regex1.42.0          1.42.0-4   regular expression library for C++
ii  libboost-system1.42.0         1.42.0-4   Operating system (e.g. diagnostics
ii  libc6                         2.11.2-6   Embedded GNU C Library: Shared lib
ii  libgcc1                       1:4.4.4-8  GCC support library
ii  liblockdev1                   1.0.3-1.4  Run-time shared library for lockin
ii  libpam0g                      1.1.1-6    Pluggable Authentication Modules l
ii  libstdc++6                    4.4.4-8    The GNU Standard C++ Library v3
ii  libuuid1                      2.17.2-3.2 Universally Unique ID library
ii  schroot-common                1.4.12-1   common files for schroot

schroot recommends no packages.

Versions of packages schroot suggests:
pn  aufs-modules | unionfs-module <none>     (no description available)
pn  btrfs-tools                   <none>     (no description available)
ii  debootstrap                   1.0.23     Bootstrap a basic Debian system
ii  lvm2                          2.02.66-3  The Linux Logical Volume Manager
ii  unzip                         6.0-4      De-archiver for .zip files

-- Configuration Files:
/etc/schroot/schroot.conf changed [not included]

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#599518; Package schroot. (Sat, 09 Oct 2010 10:36:03 GMT)


Acknowledgement sent to Roger Leigh <rleigh@codelibre.net>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Sat, 09 Oct 2010 10:36:03 GMT)


Message #10 received at 599518@bugs.debian.org:

From: Roger Leigh <rleigh@codelibre.net>
To: David Laban <alsuren+debbugs@gmail.com>, 599518@bugs.debian.org
Subject: Re: [buildd-tools-devel] Bug#599518: schroot: feature request: ssh-like -X option
Date: Sat, 9 Oct 2010 11:32:49 +0100
On Fri, Oct 08, 2010 at 12:19:28PM +0100, David Laban wrote:
> http://www.debian-administration.org/articles/566 provides a wrapper script
> for launching schroot with X enabled. It would be good if schroot supported
> this natively via a command line flag, rather than requiring the user to
> google for the answer and potentially come up with an insecure solution.
> 
> Does the approach given in the article look like the right one?

I think there's a better approach now.  schroot 1.4 provides a
"desktop" configuration profile specifically for running X
applications.  Look at /etc/schroot/desktop.  Just set
script-config=/etc/schroot/desktop/config (you might need to
double-check the path).

The only change this makes is to bind mount the directory under
/var used for X socket connections.  This means X applications in
the chroot can then automatically use the display.  You do still
need to use -p so the environment is kept (which contains the
X socket path), but that's all you need.

Please do let me know if this isn't sufficient for your needs, and
any extra details can be added to the desktop "profile".


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#599518; Package schroot. (Wed, 23 Nov 2011 15:45:03 GMT)


Acknowledgement sent to Luca Capello <luca@pca.it>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Wed, 23 Nov 2011 15:45:03 GMT)


Message #15 received at 599518@bugs.debian.org:

From: Luca Capello <luca@pca.it>
To: 599518@bugs.debian.org
Cc: David Laban <alsuren+debbugs@gmail.com>, Thomas Koch <thomas@koch.ro>, Roger Leigh <rleigh@codelibre.net>
Subject: Re: Bug#599518: [buildd-tools-devel] Bug#599518: schroot: feature request: ssh-like -X option
Date: Wed, 23 Nov 2011 16:43:34 +0100
tags 599518 + patch
thanks

Hi there!

Thomas Koch (Cc:ed) asked a similar question in another bug, but I guess
his post went probably unseen because he replied to a closed (but not
archived) bug without reopening it:

  <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496246#27>

However, I think that the right place for your problem is #599518, thus
continuing the discussion there.

On Wed, 27 Apr 2011 12:07:19 +0200, Thomas Koch wrote:
> I used the following blogpost to get eclipse running in schroot:
> http://masterpatricko.blogspot.com/2011/04/development-and-build-environments_20.html
>
> Although I chose the Desktop chroot type, I still had to run
> xauth -f /home/thkoch/.Xauthority extract /var/schroot/gerrit/home/thkoch/.Xauthority :0
>
> in the host system and

This is needed if you do not mount /home as you explained later on.

> export DISPLAY=:0
>
> in the chroot.

This is not needed if you use the --preserve-environment option.

> It would be nice, if you could provide some examples in the schroot
> documentation on how these two steps should be automated.
>
> I have commented out the mounting of /home, because I don't want to
> give the chroot access to my gpg keys and other personal settings.

On a clean and up-to-date sid, I can confirm that mounting /home and
using the --preserve-environment option is enough to have X applications
from within the schroot.  However, even with /run/dbus mounted I still
have trouble starting D-Bus applications (like Empathy) if I do not
clean DBUS_SESSION_BUS_ADDRESS, but this has nothing to do here.

OTOH, even when not mounting /home, everything should be OK if you mount
the /var used for X socket connections, according to:

  <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599518#10>

On Sat, 09 Oct 2010 12:32:49 +0200, Roger Leigh wrote:
> On Fri, Oct 08, 2010 at 12:19:28PM +0100, David Laban wrote:
>> http://www.debian-administration.org/articles/566 provides a wrapper script
>> for launching schroot with X enabled. It would be good if schroot supported
>> this natively via a command line flag, rather than requiring the user to
>> google for the answer and potentially come up with an insecure solution.
>> 
>> Does the approach given in the article look like the right one?
>
> I think there's a better approach now.  schroot 1.4 provides a
> "desktop" configuration profile specifically for running X
> applications.  Look at /etc/schroot/desktop.  Just set
> script-config=/etc/schroot/desktop/config (you might need to
> double-check the path).
>
> The only change this makes is to bind mount the directory under
> /var used for X socket connections.  This means X applications in
> the chroot can then automatically use the display.  You do still
> need to use -p so the environment is kept (which contains the
> X socket path), but that's all you need.
>
> Please do let me know if this isn't sufficient for your needs, and
> any extra details can be added to the desktop "profile".

At least with XDM, simply mounting the authentication directory does not
seem to be enough, you still need to extract the xauth information as
Thomas suggested:
=====
luca@gismo:~$ schroot -c sid-desktop

(sid-desktop)luca@gismo:~$ export | grep DISPLAY
declare -x DISPLAY=":0.0"

(sid-desktop)luca@gismo:~$ xterm
No protocol specified
xterm Xt error: Can't open display: :0.0

(sid-desktop)luca@gismo:~$ ls /var/lib/xdm/authdir/
ls: cannot open directory /var/lib/xdm/authdir/: Permission denied

(sid-desktop)luca@gismo:~$ su -c "find /var/lib/xdm/"
Password:
/var/lib/xdm/
/var/lib/xdm/authdir
/var/lib/xdm/authdir/authfiles
/var/lib/xdm/authdir/authfiles/A:0-6Buikn

(sid-desktop)luca@gismo:~$
=====

Attached a simple and "raw" schroot-setup script that automates the
Xauthority creation in the schroot: feel free to include it in the docs'
contrib/ folder, adapting it to your feelings.  I tested it with /home
mounted or not.

Thx, bye,
Gismo / Luca

[20xauthority (application/x-sh, attachment)]

Added tag(s) patch. Request was from Luca Capello <luca@pca.it> to control@bugs.debian.org. (Wed, 23 Nov 2011 15:45:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#599518; Package schroot. (Sun, 22 Jan 2012 22:33:14 GMT)


Acknowledgement sent to Roger Leigh <rleigh@codelibre.net>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Sun, 22 Jan 2012 22:33:14 GMT)


Message #22 received at 599518@bugs.debian.org:

From: Roger Leigh <rleigh@codelibre.net>
To: Luca Capello <luca@pca.it>, 599518@bugs.debian.org
Cc: Thomas Koch <thomas@koch.ro>, David Laban <alsuren+debbugs@gmail.com>
Subject: Re: [buildd-tools-devel] Bug#599518: Bug#599518: schroot: feature request: ssh-like -X option
Date: Sun, 22 Jan 2012 22:32:26 +0000
On Wed, Nov 23, 2011 at 04:43:34PM +0100, Luca Capello wrote:
> Attached a simple and "raw" schroot-setup script that automates the
> Xauthority creation in the schroot: feel free to include it in the docs'
> contrib/ folder, adapting it to your feelings.  I tested it with /home
> mounted or not.

This definitely looks useful for setups where you are running
as a different user inside the chroot.  Looking at your script,
it's making some assumptions which would be fairly easy to
correct.

  HOME_AUTH_USER="/home/${AUTH_USER}"

"getent passwd "${AUTH_USER}" | cut -d : -f 6"
would be a solution here.  It still doesn't cope with $HOME
being set, but it doesn't assume the home directory is in
/home--it gets the real one from the passwd file.

This also avoids the need to check if /home is bind mounted--
we can just check if the source Xauthority is visible inside
the chroot.  Also note that the AUTH_HOME is the home directory
of the user *inside* the chroot, not the outside.  On the
outside, this is the home directory of the AUTH_RUSER (remote user
in PAM terms).  So on the host you must only look at the Xauthority
in the home directory of the AUTH_RUSER, or else you'd have the
ability to steal the credentials of that user.

I would also skip the creation of a missing home directory inside
the chroot.  Just warn and exit successfully--this will be
handled later.  Given the assumptions about the naming of the
home directory, this is dangerous.

I would suggest limiting this to a simple xauth call + chown
(including the group, AUTH_GID), and just warn if either fail.

I'll be happy to include this in schroot if you could possibly
address the above points, which will make it more secure and
robust.


Many thanks,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
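The review points above (resolve the home directory from the passwd database instead of guessing /home/<user>, read only the invoking user's host-side Xauthority, do not create a missing home directory inside the chroot, keep the hook to an xauth call plus a chown with AUTH_GID, and only warn on failure) can be put together as a setup hook like the following. This is an added illustration, not the 20xauthority script attached to the bug and not schroot's own code. It assumes the environment schroot gives its setup scripts: `$1` is the stage name, `CHROOT_PATH` the mounted chroot root, `AUTH_USER`/`AUTH_UID`/`AUTH_GID`/`AUTH_HOME` the user inside the chroot and `AUTH_RUSER` the invoking (PAM "remote") user on the host. Whether `DISPLAY` reaches the hook is also an assumption; when it is unset the hook does nothing.

```shell
#!/bin/sh
# Illustrative schroot setup hook (e.g. /etc/schroot/setup.d/20xauthority).
# Added example, not the bug's attached script and not schroot code.
# Assumed environment (schroot setup-script conventions): $1 = stage,
# CHROOT_PATH, AUTH_USER, AUTH_UID, AUTH_GID, AUTH_HOME (user inside the
# chroot), AUTH_RUSER (invoking user on the host), DISPLAY (assumed).
set -e

warn() { printf '20xauthority: %s\n' "$*" >&2; }

# Home directory from the passwd database, not a guessed /home/<user>.
# Falls back to parsing /etc/passwd where getent is unavailable.
home_of_user() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" | cut -d : -f 6
    else
        awk -F: -v u="$1" '$1 == u { print $6; exit }' /etc/passwd
    fi
}

# Host-side cookie file to read.  Prints the path only if it is a readable
# regular file; otherwise prints nothing and fails.
readable_xauthority() {
    f="$1/.Xauthority"
    if [ -f "$f" ] && [ -r "$f" ]; then printf '%s\n' "$f"; else return 1; fi
}

# Destination inside the chroot.  The home directory is NOT created here
# (schroot or a later hook handles that); a missing one just means "skip".
target_xauthority() {
    dir="$1$2"
    if [ -d "$dir" ]; then
        printf '%s\n' "$dir/.Xauthority"
    else
        warn "no home directory $2 inside the chroot, skipping"; return 1
    fi
}

# True when src and dst are the same inode, i.e. /home is bind-mounted and
# the cookie is already visible inside the chroot (-ef: dash/bash extension).
already_visible() { [ -e "$2" ] && [ "$1" -ef "$2" ]; }

# Copy only the current display's cookie and hand the file to the chroot
# user (uid and gid).  Failures are warnings; the session must still start.
install_xauthority() {
    src="$1" dst="$2" display="$3" uid="$4" gid="$5"
    if ! xauth -f "$src" extract - "$display" | xauth -f "$dst" merge -; then
        warn "xauth failed for display $display"; return 0
    fi
    chown "$uid:$gid" "$dst" || warn "could not chown $dst"
}

run_hook() {
    [ -n "${DISPLAY:-}" ] || { warn "DISPLAY unset, nothing to do"; return 0; }
    # Read the cookie of the *invoking* user only, never of AUTH_USER's host
    # account, so the hook cannot be used to lift another user's X credential.
    rhome=$(home_of_user "$AUTH_RUSER")
    src=$(readable_xauthority "$rhome") \
        || { warn "no readable Xauthority for $AUTH_RUSER"; return 0; }
    dst=$(target_xauthority "$CHROOT_PATH" "$AUTH_HOME") || return 0
    if already_visible "$src" "$dst"; then return 0; fi
    install_xauthority "$src" "$dst" "$DISPLAY" "$AUTH_UID" "$AUTH_GID"
}

# Only act at session start; every other stage (and a bare invocation) is a no-op.
if [ "${1:-}" = "setup-start" ]; then
    run_hook
fi
```

The hook never exits non-zero on its own account, so a missing cookie or a failed xauth call degrades to "no X inside the chroot" rather than blocking the session, which matches the "just warn" guidance above; the only hard privilege decision is that the source file is always `AUTH_RUSER`'s, never `AUTH_USER`'s.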




Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#599518; Package schroot. (Mon, 28 May 2012 23:18:03 GMT)


Acknowledgement sent to Roger Leigh <rleigh@codelibre.net>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Mon, 28 May 2012 23:18:03 GMT)


Message #27 received at 599518@bugs.debian.org:

From: Roger Leigh <rleigh@codelibre.net>
To: Luca Capello <luca@pca.it>, 599518@bugs.debian.org
Cc: Thomas Koch <thomas@koch.ro>, David Laban <alsuren+debbugs@gmail.com>
Subject: Re: Bug#599518: [buildd-tools-devel] Bug#599518: Bug#599518: schroot: feature request: ssh-like -X option
Date: Tue, 29 May 2012 00:14:08 +0100
On Sun, Jan 22, 2012 at 10:32:26PM +0000, Roger Leigh wrote:
> On Wed, Nov 23, 2011 at 04:43:34PM +0100, Luca Capello wrote:
> > Attached a simple and "raw" schroot-setup script that automates the
> > Xauthority creation in the schroot: feel free to include it in the docs'
> > contrib/ folder, adapting it to your feelings.  I tested it with /home
> > mounted or not.
> 
> This definitely looks useful for setups where you are running
> as a different user inside the chroot.  Looking at your script,
> it's making some assumptions which would be fairly easy to
> correct.
> 
>   HOME_AUTH_USER="/home/${AUTH_USER}"
> 
> "getent passwd "${AUTH_USER}" | cut -d : -f 6"
> would be a solution here.  It still doesn't cope with $HOME
> being set, but it doesn't assume the home directory is in
> /home--it gets the real one from the passwd file.
> 
> This also avoids the need to check if /home is bind mounted--
> we can just check if the source Xauthority is visible inside
> the chroot.  Also note that the AUTH_HOME is the home directory
> of the user *inside* the chroot, not the outside.  On the
> outside, this is the home directory of the AUTH_RUSER (remote user
> in PAM terms).  So on the host you must only look at the Xauthority
> in the home directory of the AUTH_RUSER, or else you'd have the
> ability to steal the credentials of that user.
> 
> I would also skip the creation of a missing home directory inside
> the chroot.  Just warn and exit successfully--this will be
> handled later.  Given the assumptions about the naming of the
> home directory, this is dangerous.
> 
> I would suggest limiting this to a simple xauth call + chown
> (including the group, AUTH_GID), and just warn if either fail.
> 
> I'll be happy to include this in schroot if you could possibly
> address the above points, which will make it more secure and
> robust.

Hi,

Just a reminder that I would be very happy to include this in schroot
for wheezy.  I do, however, need the above points addressing in order
for the script to be safe and robust enough for inclusion.  If you
have the time to update this in the next week or so, I'll be happy to
review and add it.

The latest version of schroot is in git on alioth, and the latest
development snapshot is here:
  http://people.debian.org/~rleigh/schroot/


Many thanks,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jan 30 06:51:48 2024; Machine Name: bembo
