makechrootpkg: build as same UID as invoker
Changing UID to that of 'nobody' is arbitrary at best, and an information leak at worst. Let's just drop back to the same UID of the invoker.
This commit is contained in:
Dave Reisner
parent
12a1300694
commit
a78bdb841d
|
|
@ -234,7 +234,13 @@ prepare_chroot() {
|
||||||
echo 'SRCDEST="/srcdest"' >> "$copydir/etc/makepkg.conf"
|
echo 'SRCDEST="/srcdest"' >> "$copydir/etc/makepkg.conf"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
chown -R nobody "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir}
|
builduser_uid=${SUDO_UID:-$UID}
|
||||||
|
|
||||||
|
# We can't use useradd without chrooting, otherwise it invokes PAM modules
|
||||||
|
# which we might not be able to load (i.e. when building i686 packages on
|
||||||
|
# an x86_64 host).
|
||||||
|
printf 'builduser:x:%d:100:builduser:/:/usr/bin/nologin\n' "$builduser_uid" >>"$copydir/etc/passwd"
|
||||||
|
chown -R "$builduser_uid" "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir}
|
||||||
|
|
||||||
if [[ -n $MAKEFLAGS ]]; then
|
if [[ -n $MAKEFLAGS ]]; then
|
||||||
sed -i '/^MAKEFLAGS=/d' "$copydir/etc/makepkg.conf"
|
sed -i '/^MAKEFLAGS=/d' "$copydir/etc/makepkg.conf"
|
||||||
|
|
@ -246,12 +252,12 @@ prepare_chroot() {
|
||||||
echo "PACKAGER='${PACKAGER}'" >> "$copydir/etc/makepkg.conf"
|
echo "PACKAGER='${PACKAGER}'" >> "$copydir/etc/makepkg.conf"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ! -f $copydir/etc/sudoers.d/nobody-pacman ]]; then
|
if [[ ! -f $copydir/etc/sudoers.d/builduser-pacman ]]; then
|
||||||
cat > "$copydir/etc/sudoers.d/nobody-pacman" <<EOF
|
cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
|
||||||
Defaults env_keep += "HOME"
|
Defaults env_keep += "HOME"
|
||||||
nobody ALL = NOPASSWD: /usr/bin/pacman
|
builduser ALL = NOPASSWD: /usr/bin/pacman
|
||||||
EOF
|
EOF
|
||||||
chmod 440 "$copydir/etc/sudoers.d/nobody-pacman"
|
chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# This is a little gross, but this way the script is recreated every time in the
|
# This is a little gross, but this way the script is recreated every time in the
|
||||||
|
|
@ -302,7 +308,7 @@ _chrootbuild() {
|
||||||
for vcsdir in */.$vcs; do
|
for vcsdir in */.$vcs; do
|
||||||
rm "${vcsdir%/.$vcs}"
|
rm "${vcsdir%/.$vcs}"
|
||||||
cp -a "${dir}_host/${vcsdir%/.$vcs}" .
|
cp -a "${dir}_host/${vcsdir%/.$vcs}" .
|
||||||
chown -R nobody "${vcsdir%/.$vcs}"
|
chown -R builduser "${vcsdir%/.$vcs}"
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
@ -312,7 +318,7 @@ _chrootbuild() {
|
||||||
# XXX: Keep PKGBUILD writable for pkgver()
|
# XXX: Keep PKGBUILD writable for pkgver()
|
||||||
rm PKGBUILD*
|
rm PKGBUILD*
|
||||||
cp /startdir_host/PKGBUILD* .
|
cp /startdir_host/PKGBUILD* .
|
||||||
chown nobody PKGBUILD*
|
chown builduser PKGBUILD*
|
||||||
|
|
||||||
# Safety check
|
# Safety check
|
||||||
if [[ ! -w PKGBUILD ]]; then
|
if [[ ! -w PKGBUILD ]]; then
|
||||||
|
|
@ -320,13 +326,13 @@ _chrootbuild() {
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
sudo -u nobody makepkg $makepkg_args || exit 1
|
sudo -u builduser makepkg $makepkg_args || exit 1
|
||||||
|
|
||||||
if $run_namcap; then
|
if $run_namcap; then
|
||||||
pacman -S --needed --noconfirm namcap
|
pacman -S --needed --noconfirm namcap
|
||||||
for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
|
for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
|
||||||
echo "Checking ${pkgfile##*/}"
|
echo "Checking ${pkgfile##*/}"
|
||||||
sudo -u nobody namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
|
sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue