Debian Bug report logs - #608840
--chroot-setup-commands does not run as root

version graph

Package: sbuild; Maintainer for sbuild is Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>; Source for sbuild is src:sbuild.

Reported by: Kees Cook <kees@debian.org>

Date: Mon, 3 Jan 2011 22:06:02 UTC

Severity: normal

Merged with 607228

Found in versions sbuild/0.60.7-1, sbuild/0.60.8-1

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#608840; Package sbuild. (Mon, 03 Jan 2011 22:06:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kees Cook <kees@debian.org>:
New Bug report received and forwarded. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Mon, 03 Jan 2011 22:06:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Kees Cook <kees@debian.org>
To: Debian Bugs <submit@bugs.debian.org>
Subject: --chroot-setup-commands does not run as root
Date: Mon, 3 Jan 2011 14:04:27 -0800
Package: sbuild
Version: 0.60.8-1
Severity: normal
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu natty

Hi,

With the deprecation of --setup-hook in favor of --chroot-setup-commands,
it seems that the root uid was dropped when executing. Now I am just my
regular user, and cannot do the work I need to do with this hook (i.e. I
cannot modify the apt sources.list etc).

For example:
$ sbuild --chroot-setup-commands /tmp/where-am-i.sh -A -d natty-amd64 hello_2.6-1.dsc
...
┌──────────────────────────────────────────────────────────────────────────────┐
│ Chroot Setup Commands
│
└──────────────────────────────────────────────────────────────────────────────┘


/tmp/where-am-i.sh
──────────────────

+ id
uid=501(kees) gid=501(kees)
groups=501(kees),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(lpadmin),105(scanner),106(admin),109(sbuild),116(fuse),126(mythtv),132(sambashare),134(libvirtd),4000(house),4001(inkscape)
+ ls -lda /
drwxr-xr-x 26 root root 4096 Jan  3 13:59 /

I: Finished running '/tmp/where-am-i.sh'.

Finished processing commands.


I'm in the chroot, but not the root user.

Thanks,


-Kees

-- 
Kees Cook                                            @debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#608840; Package sbuild. (Mon, 03 Jan 2011 22:24:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roger Leigh <rleigh@codelibre.net>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Mon, 03 Jan 2011 22:24:07 GMT) Full text and rfc822 format available.

Message #10 received at 608840@bugs.debian.org (full text, mbox):

From: Roger Leigh <rleigh@codelibre.net>
To: Kees Cook <kees@debian.org>, 608840@bugs.debian.org
Cc: 607228@bugs.debian.org, Andres Mejia <mcitadel@gmail.com>
Subject: Re: [buildd-tools-devel] Bug#608840: --chroot-setup-commands does not run as root
Date: Mon, 3 Jan 2011 22:21:14 +0000
[Message part 1 (text/plain, inline)]
forcemerge 608840 607228
thanks

On Mon, Jan 03, 2011 at 02:04:27PM -0800, Kees Cook wrote:
> With the deprecation of --setup-hook in favor of --chroot-setup-commands,
> it seems that the root uid was dropped when executing. Now I am just my
> regular user, and cannot do the work I need to do with this hook (i.e. I
> cannot modify the apt sources.list etc).

I think this is probably the same issue as #607228.

I haven't yet seen why it's not running as root though.  Ah, looks
like in Sbuild::Build::run_command (called from run_external_commands)
we only run as root /outside/ the chroot.

I'd just like to check with Andres what the intention is here.
Should chroot-(setup|cleanup)-commands be run as root?  Should we
provide an alternative set of hooks so that one set runs as root,
one as the user (with --setup-hook running as root)?


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
[signature.asc (application/pgp-signature, inline)]

Forcibly Merged 607228 608840. Request was from Roger Leigh <rleigh@codelibre.net> to control@bugs.debian.org. (Mon, 03 Jan 2011 22:24:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#608840; Package sbuild. (Tue, 25 Jan 2011 19:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kees Cook <kees@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Tue, 25 Jan 2011 19:18:03 GMT) Full text and rfc822 format available.

Message #17 received at 608840@bugs.debian.org (full text, mbox):

From: Kees Cook <kees@debian.org>
To: 608840@bugs.debian.org, Andres Mejia <mcitadel@gmail.com>, Roger Leigh <rleigh@codelibre.net>, Sam Hartman <hartmans@debian.org>
Subject: work-around for --chroot-setup-commands not running as root
Date: Tue, 25 Jan 2011 11:14:58 -0800
Here's my brute-force workaround that seems to do the trick until a
different solution is found:

--- /usr/share/perl5/Sbuild/Build.pm~	2011-01-25 11:12:08.530607467 -0800
+++ /usr/share/perl5/Sbuild/Build.pm	2011-01-25 11:12:17.700853946 -0800
@@ -842,7 +842,7 @@
 	    $err = $defaults->{'STREAMERR'} if ($log_error);
 	    $self->get('Session')->run_command(
 		{ COMMAND => \@{$command},
-		    USER => $self->get_conf('USERNAME'),
+		    USER => 'root',
 		    PRIORITY => 0,
 		    STREAMOUT => $out,
 		    STREAMERR => $err,


-- 
Kees Cook                                            @debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#608840; Package sbuild. (Sat, 13 Oct 2012 15:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joachim Breitner <nomeata@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Sat, 13 Oct 2012 15:15:03 GMT) Full text and rfc822 format available.

Message #22 received at 608840@bugs.debian.org (full text, mbox):

From: Joachim Breitner <nomeata@debian.org>
To: 608840@bugs.debian.org
Subject: Re: --chroot-setup-commands does not run as root
Date: Sat, 13 Oct 2012 17:10:25 +0200
[Message part 1 (text/plain, inline)]
Version: 0.63.2-1

Hi,

any news on this bug? I’d really like to have a way to modify the
schroot session that sbuild starts before the build.

Greetings,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: nomeata@joachim-breitner.de | http://people.debian.org/~nomeata
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#608840; Package sbuild. (Wed, 19 Jun 2013 16:30:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Wookey <wookey@wookware.org>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Wed, 19 Jun 2013 16:30:09 GMT) Full text and rfc822 format available.

Message #27 received at 608840@bugs.debian.org (full text, mbox):

From: Wookey <wookey@wookware.org>
To: Joachim Breitner <nomeata@debian.org>, 608840@bugs.debian.org
Subject: Re: [buildd-tools-devel] Bug#608840: --chroot-setup-commands does not run as root
Date: Wed, 19 Jun 2013 17:27:02 +0100
[Message part 1 (text/plain, inline)]
+++ Joachim Breitner [2012-10-13 17:10 +0200]:
> Version: 0.63.2-1
> 
> Hi,
> 
> any news on this bug? I’d really like to have a way to modify the
> schroot session that sbuild starts before the build.

Here's a patch against current git/0.64.0 which does the following:
renames 'chroot-setup-commands' to 'chroot-user-setup-commands'
Adds 'chroot-system-setup-commands' which runs as soon as the chroot
is set-up, so before the 'update' phase and thus useul for adding
repos. That command is run as root.
The cleanup command is now run as root too. (I decided not to add a
matching 'system' cleanup coammnd as they'd both run at the same time
and this seemed kind of pointless: we have enough options already.

Adds some info to the sbuild man-page about which commands are run
outside the chroot, which inside, which as root, which as build user.

It also includes slightly half-arsed and not tested extra substitution
tokens for hostarch and chrootpath so that these could be passed to
commands. However I couldn't actually work out how to find the chroot
path so that bit is still 'fixme'. This part probably doesn't work, if
at all (My tests with %substitutions didn't seem to work at all even
with the existing code...)

This stuff solves my immediate problem but I'm not sure that it's the
best answer.

Is there actually a good reason for running the current
'chroot-setup-commands' ('chroot-user-setup-commands' above) and
'chroot-cleanup-commands' as the build user? Does anyone use this
functionality? Is it part of the sbuild security model?

Is it useful to have hooks both before update
(chroot-system-setup-commands) and after update/dependency install
(chroot-user-setup-commands)? I can only think of uses for
'chroot-system-setup-commands', but then I'm not a typical sbuild user.

Should we just keep it to 4 scripts setup/cleanup internal/external
all run as root and as early/late as possible?

And I've left '--setup-hook' as replaced by
--chroot-user-setup-commands, but maybe it would be better if it was
now replaced by --chroot-system-setup-commands given the complaint in
#608840 that it used to run as root?

Or, now that I've written the code, should we just have the five
commands as described on the man page:

The 'pre/post-build-' commands are run external to the chroot. The
'chroot-setup-' commands are run inside the chroot. They are all 
run as root except 'chroot-system-setup-' commands.

Here is a summary of the ordering, user, internal/external, and point
of running:
--pre-build-commands           root  ext  after chroot session setup
--chroot-system-setup-commands root  int  after chroot initialisation, before 'update'
--chroot-user-setup-commands   user  int  after update and dependency-install, before build
--chroot-cleanup-commands      root  int  after build, before session is closed
--post-build-commands          root  ext  after session is shut down

(Input on those descriptions welcome)

Patch attached. 

Wookey
-- 
Principal hats:  Linaro, Emdebian, Wookware, Balloonboard, ARM
http://wookware.org/
[sbuild-0.64.0-chroot-system-setup-command.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#608840; Package sbuild. (Tue, 01 Oct 2013 13:18:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Wookey <wookey@wookware.org>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Tue, 01 Oct 2013 13:18:05 GMT) Full text and rfc822 format available.

Message #32 received at 608840@bugs.debian.org (full text, mbox):

From: Wookey <wookey@wookware.org>
To: 608840@bugs.debian.org
Subject: re: Bug#608840: --chroot-setup-commands does not run as root
Date: Tue, 1 Oct 2013 14:14:58 +0100
I have now been using this patch in production for a few months and it
has proved effective.

As there have been no comments/objections to the implementation can
this just go in the next release?

Is there a schedule for the next release? I would like to stop
maintaining this as a fork as soon as possible. We've missed Ubuntu
Saucy unfortunately.



Wookey
-- 
Principal hats:  Linaro, Emdebian, Wookware, Balloonboard, ARM
http://wookware.org/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#608840; Package sbuild. (Tue, 01 Oct 2013 18:54:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roger Leigh <rleigh@codelibre.net>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Tue, 01 Oct 2013 18:54:04 GMT) Full text and rfc822 format available.

Message #37 received at 608840@bugs.debian.org (full text, mbox):

From: Roger Leigh <rleigh@codelibre.net>
To: Wookey <wookey@wookware.org>, 608840@bugs.debian.org
Subject: Re: [buildd-tools-devel] Bug#608840: --chroot-setup-commands does not run as root
Date: Tue, 1 Oct 2013 19:51:46 +0100
On Tue, Oct 01, 2013 at 02:14:58PM +0100, Wookey wrote:
> I have now been using this patch in production for a few months and it
> has proved effective.
> 
> As there have been no comments/objections to the implementation can
> this just go in the next release?
> 
> Is there a schedule for the next release? I would like to stop
> maintaining this as a fork as soon as possible. We've missed Ubuntu
> Saucy unfortunately.

Hi Wookey,

I'm sure it can go into the next release.  If you have commit access,
please feel free to merge it if you like.

Apologies for the delay here, it's entirely my fault for dropping
the ball.  Stupid as it sounds, I bust my foot at the start of June,
spent a few days in hospital and a few weeks on crutches, but even
though I was only out of action for a couple of weeks, it's set back
all the Debian stuff I was doing by a couple of months.  I'm still
catching up with things.

I'm just getting a couple of schroot releases (1.6.6 and 1.7.1) ready
now, which I've been working on for the last couple of weeks.  Should
be done in the next day or so.  As soon as I draw a line under that,
it's sbuild's turn for attention, and I'll merge all the outstanding
patches and tackle a bunch of the most important open bugs.  So I would
estimate that we should have an upload in the next week or two
depending on the amount of work and testing which needs doing.


Sorry about that,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800



Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#608840; Package sbuild. (Wed, 06 Nov 2013 15:12:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Wookey <wookey@wookware.org>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Wed, 06 Nov 2013 15:12:04 GMT) Full text and rfc822 format available.

Message #42 received at 608840@bugs.debian.org (full text, mbox):

From: Wookey <wookey@wookware.org>
To: Roger Leigh <rleigh@codelibre.net>, 608840@bugs.debian.org
Subject: Re: [buildd-tools-devel] Bug#608840: --chroot-setup-commands does not run as root
Date: Wed, 6 Nov 2013 15:08:59 +0000
+++ Roger Leigh [2013-10-01 19:51 +0100]:
> On Tue, Oct 01, 2013 at 02:14:58PM +0100, Wookey wrote:
> > I have now been using this patch in production for a few months and it
> > has proved effective.
> > 
> > As there have been no comments/objections to the implementation can
> > this just go in the next release?
> > 
> > Is there a schedule for the next release? I would like to stop
> > maintaining this as a fork as soon as possible. We've missed Ubuntu
> > Saucy unfortunately.
> 
> Hi Wookey,
> 
> I'm sure it can go into the next release.  If you have commit access,
> please feel free to merge it if you like.

I don't believe I have commit access. If you give it to me I'll try to do this.

> Apologies for the delay here

> I'm just getting a couple of schroot releases (1.6.6 and 1.7.1) ready
> now, which I've been working on for the last couple of weeks.  Should
> be done in the next day or so.  As soon as I draw a line under that,
> it's sbuild's turn for attention, and I'll merge all the outstanding
> patches and tackle a bunch of the most important open bugs.  So I would
> estimate that we should have an upload in the next week or two
> depending on the amount of work and testing which needs doing.

Where is this bug at? I've seen a couple of sbuild releases go by, but
not including this fix, which is a simple one so I was hoping to see it
in.

I've just come across another use-case, where I am using a qemu-based
chroot to 'debianise' an ubuntu chroot as a new-arch buildd bootstrap
process. That needs a script run as root inside the chroot before the
update to sync the tarball image up to dpkg -i the set of
already-debianised packages. (apt prefs and a repo wouldn't work as some
extra hackery is required due to distro differences (e.g flex is two
packages in Ubuntu, but one in debian curreently).

OK this is a bit obscure, but it's just another example of 'I need to run
a script as root inside the chroot once it is set up'.

Wookey
-- 
Principal hats:  Linaro, Emdebian, Wookware, Balloonboard, ARM
http://wookware.org/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#608840; Package sbuild. (Wed, 06 Nov 2013 16:42:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roger Leigh <rleigh@codelibre.net>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Wed, 06 Nov 2013 16:42:04 GMT) Full text and rfc822 format available.

Message #47 received at 608840@bugs.debian.org (full text, mbox):

From: Roger Leigh <rleigh@codelibre.net>
To: Wookey <wookey@wookware.org>, 608840@bugs.debian.org
Subject: Re: [buildd-tools-devel] Bug#608840: Bug#608840: --chroot-setup-commands does not run as root
Date: Wed, 6 Nov 2013 16:39:39 +0000
On Wed, Nov 06, 2013 at 03:08:59PM +0000, Wookey wrote:
> +++ Roger Leigh [2013-10-01 19:51 +0100]:
> > On Tue, Oct 01, 2013 at 02:14:58PM +0100, Wookey wrote:
> > > I have now been using this patch in production for a few months and it
> > > has proved effective.
> > > 
> > > As there have been no comments/objections to the implementation can
> > > this just go in the next release?
> > > 
> > > Is there a schedule for the next release? I would like to stop
> > > maintaining this as a fork as soon as possible. We've missed Ubuntu
> > > Saucy unfortunately.
> > 
> > Hi Wookey,
> > 
> > I'm sure it can go into the next release.  If you have commit access,
> > please feel free to merge it if you like.
> 
> I don't believe I have commit access. If you give it to me I'll try to do this.

If you add yourself to the "buildd-tools" alioth project, I can
add you as a team member, which will give you commit access.

> > Apologies for the delay here
> 
> > I'm just getting a couple of schroot releases (1.6.6 and 1.7.1) ready
> > now, which I've been working on for the last couple of weeks.  Should
> > be done in the next day or so.  As soon as I draw a line under that,
> > it's sbuild's turn for attention, and I'll merge all the outstanding
> > patches and tackle a bunch of the most important open bugs.  So I would
> > estimate that we should have an upload in the next week or two
> > depending on the amount of work and testing which needs doing.
> 
> Where is this bug at? I've seen a couple of sbuild releases go by, but
> not including this fix, which is a simple one so I was hoping to see it
> in.

It's the next thing on my todo list, and I can only apologise for
the delay.  Time for Debian stuff has been sorely lacking the last
month or so.  If you're happy to rebase/merge your work onto the
current git master and push it once you have access, you are welcome
to do so.

> I've just come across another use-case, where I am using a qemu-based
> chroot to 'debianise' an ubuntu chroot as a new-arch buildd bootstrap
> process. That needs a script run as root inside the chroot before the
> update to sync the tarball image up to dpkg -i the set of
> already-debianised packages. (apt prefs and a repo wouldn't work as some
> extra hackery is required due to distro differences (e.g flex is two
> packages in Ubuntu, but one in debian curreently).
> 
> OK this is a bit obscure, but it's just another example of 'I need to run
> a script as root inside the chroot once it is set up'.

This is definitely useful to be able to support.  In general, I do
worry a bit about adding such interfaces since they do allow the
invoking user to run arbitrary stuff as root in the chroot,
something which we've spent some years trying to isolate to limit
the scope of what a normal user can do.  But in the common case
this is all being done on the user's own machine.  However, I
would like, longer-term, to be able to securely isolate the
build environment completely from the user; this is certainly
something an improved permissions model could cater for though.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800



Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 02:07:17 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.