Commit a78bdb84 authored by Dave Reisner's avatar Dave Reisner

makechrootpkg: build as same UID as invoker

Changing UID to that of 'nobody' is arbitrary at best, and an
information leak at worst. Let's just drop back to the same UID of the
invoker.
parent 12a13006
...@@ -234,7 +234,13 @@ prepare_chroot() { ...@@ -234,7 +234,13 @@ prepare_chroot() {
echo 'SRCDEST="/srcdest"' >> "$copydir/etc/makepkg.conf" echo 'SRCDEST="/srcdest"' >> "$copydir/etc/makepkg.conf"
fi fi
chown -R nobody "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir} builduser_uid=${SUDO_UID:-$UID}
# We can't use useradd without chrooting, otherwise it invokes PAM modules
# which we might not be able to load (i.e. when building i686 packages on
# an x86_64 host).
printf 'builduser:x:%d:100:builduser:/:/usr/bin/nologin\n' "$builduser_uid" >>"$copydir/etc/passwd"
chown -R "$builduser_uid" "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir}
if [[ -n $MAKEFLAGS ]]; then if [[ -n $MAKEFLAGS ]]; then
sed -i '/^MAKEFLAGS=/d' "$copydir/etc/makepkg.conf" sed -i '/^MAKEFLAGS=/d' "$copydir/etc/makepkg.conf"
...@@ -246,12 +252,12 @@ prepare_chroot() { ...@@ -246,12 +252,12 @@ prepare_chroot() {
echo "PACKAGER='${PACKAGER}'" >> "$copydir/etc/makepkg.conf" echo "PACKAGER='${PACKAGER}'" >> "$copydir/etc/makepkg.conf"
fi fi
if [[ ! -f $copydir/etc/sudoers.d/nobody-pacman ]]; then if [[ ! -f $copydir/etc/sudoers.d/builduser-pacman ]]; then
cat > "$copydir/etc/sudoers.d/nobody-pacman" <<EOF cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
Defaults env_keep += "HOME" Defaults env_keep += "HOME"
nobody ALL = NOPASSWD: /usr/bin/pacman builduser ALL = NOPASSWD: /usr/bin/pacman
EOF EOF
chmod 440 "$copydir/etc/sudoers.d/nobody-pacman" chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
fi fi
# This is a little gross, but this way the script is recreated every time in the # This is a little gross, but this way the script is recreated every time in the
...@@ -302,7 +308,7 @@ _chrootbuild() { ...@@ -302,7 +308,7 @@ _chrootbuild() {
for vcsdir in */.$vcs; do for vcsdir in */.$vcs; do
rm "${vcsdir%/.$vcs}" rm "${vcsdir%/.$vcs}"
cp -a "${dir}_host/${vcsdir%/.$vcs}" . cp -a "${dir}_host/${vcsdir%/.$vcs}" .
chown -R nobody "${vcsdir%/.$vcs}" chown -R builduser "${vcsdir%/.$vcs}"
done done
done done
done done
...@@ -312,7 +318,7 @@ _chrootbuild() { ...@@ -312,7 +318,7 @@ _chrootbuild() {
# XXX: Keep PKGBUILD writable for pkgver() # XXX: Keep PKGBUILD writable for pkgver()
rm PKGBUILD* rm PKGBUILD*
cp /startdir_host/PKGBUILD* . cp /startdir_host/PKGBUILD* .
chown nobody PKGBUILD* chown builduser PKGBUILD*
# Safety check # Safety check
if [[ ! -w PKGBUILD ]]; then if [[ ! -w PKGBUILD ]]; then
...@@ -320,13 +326,13 @@ _chrootbuild() { ...@@ -320,13 +326,13 @@ _chrootbuild() {
exit 1 exit 1
fi fi
sudo -u nobody makepkg $makepkg_args || exit 1 sudo -u builduser makepkg $makepkg_args || exit 1
if $run_namcap; then if $run_namcap; then
pacman -S --needed --noconfirm namcap pacman -S --needed --noconfirm namcap
for pkgfile in /startdir/PKGBUILD /pkgdest/*; do for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
echo "Checking ${pkgfile##*/}" echo "Checking ${pkgfile##*/}"
sudo -u nobody namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log" sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
done done
fi fi
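Review bot: `builduser_uid=${SUDO_UID:-$UID}` in the first prepare_chroot hunk resolves to 0 when the script is started from a root shell rather than through sudo (SUDO_UID unset, or itself 0), so the appended passwd line makes builduser a second UID-0 account and the later `sudo -u builduser makepkg` no longer drops privileges for the build. A guard right after the assignment, such as `(( builduser_uid > 0 )) || { echo 'refusing to build as UID 0' >&2; exit 1; }`, would keep the privilege separation that `nobody` provided. The `printf ... >>"$copydir/etc/passwd"` also appends on every call; if the chroot copy is reused between runs (not visible here), builduser lines accumulate and a stale UID from an earlier invoker would presumably win the name lookup while the chown uses the new numeric UID. Deleting the old entry first with `sed -i '/^builduser:/d' "$copydir/etc/passwd"`, as the function already does for MAKEFLAGS, avoids that. prepare_chroot starts and ends outside the hunks shown.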
......