From a78bdb841dbe7839c8afd7184d821ed42dd334cc Mon Sep 17 00:00:00 2001
From: Dave Reisner <dreisner@archlinux.org>
Date: Sun, 21 Sep 2014 15:03:28 -0400
Subject: [PATCH] makechrootpkg: build as same UID as invoker

Changing UID to that of 'nobody' is arbitrary at best, and an
information leak at worst. Let's just drop back to the same UID of the
invoker.
---
 makechrootpkg.in | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/makechrootpkg.in b/makechrootpkg.in
index 8bc18a4..b82c2a2 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -234,7 +234,13 @@ prepare_chroot() {
 		echo 'SRCDEST="/srcdest"' >> "$copydir/etc/makepkg.conf"
 	fi
 
-	chown -R nobody "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir}
+	builduser_uid=${SUDO_UID:-$UID}
+
+	# We can't use useradd without chrooting, otherwise it invokes PAM modules
+	# which we might not be able to load (i.e. when building i686 packages on
+	# an x86_64 host).
+	printf 'builduser:x:%d:100:builduser:/:/usr/bin/nologin\n' "$builduser_uid" >>"$copydir/etc/passwd"
+	chown -R "$builduser_uid" "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir}
 
 	if [[ -n $MAKEFLAGS ]]; then
 		sed -i '/^MAKEFLAGS=/d' "$copydir/etc/makepkg.conf"
@@ -246,12 +252,12 @@ prepare_chroot() {
 		echo "PACKAGER='${PACKAGER}'" >> "$copydir/etc/makepkg.conf"
 	fi
 
-	if [[ ! -f $copydir/etc/sudoers.d/nobody-pacman ]]; then
-		cat > "$copydir/etc/sudoers.d/nobody-pacman" <<EOF
+	if [[ ! -f $copydir/etc/sudoers.d/builduser-pacman ]]; then
+		cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
 Defaults env_keep += "HOME"
-nobody ALL = NOPASSWD: /usr/bin/pacman
+builduser ALL = NOPASSWD: /usr/bin/pacman
 EOF
-		chmod 440 "$copydir/etc/sudoers.d/nobody-pacman"
+		chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
 	fi
 
 	# This is a little gross, but this way the script is recreated every time in the
@@ -302,7 +308,7 @@ _chrootbuild() {
 			for vcsdir in */.$vcs; do
 				rm "${vcsdir%/.$vcs}"
 				cp -a "${dir}_host/${vcsdir%/.$vcs}" .
-				chown -R nobody "${vcsdir%/.$vcs}"
+				chown -R builduser "${vcsdir%/.$vcs}"
 			done
 		done
 	done
@@ -312,7 +318,7 @@ _chrootbuild() {
 	# XXX: Keep PKGBUILD writable for pkgver()
 	rm PKGBUILD*
 	cp /startdir_host/PKGBUILD* .
-	chown nobody PKGBUILD*
+	chown builduser PKGBUILD*
 
 	# Safety check
 	if [[ ! -w PKGBUILD ]]; then
@@ -320,13 +326,13 @@ _chrootbuild() {
 		exit 1
 	fi
 
-	sudo -u nobody makepkg $makepkg_args || exit 1
+	sudo -u builduser makepkg $makepkg_args || exit 1
 
 	if $run_namcap; then
 		pacman -S --needed --noconfirm namcap
 		for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
 			echo "Checking ${pkgfile##*/}"
-			sudo -u nobody namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
+			sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
 		done
 	fi
 
-- 
GitLab