Bug#369626: [Buildd-tools-devel] Bug#369626: schroot: rm -rf in file chroot cleanup destroys real /home if umount fails

Roger Leigh rleigh at whinlatter.ukfsn.org
Wed May 31 09:53:05 UTC 2006 

tags 369626 + confirmed

Andreas Bombe <aeb at debian.org> writes:

> The session cleanup in 10mount ignores failures of umount invocations
> and cleanup continues.  In the case of file chroots with a /home bind
> mount that failed to umount, the rm -rf in 05file blindly descends into
> the system /home with obvious unpretty results.

I'm awfully sorry if this caused you to lose any data.

> The bind mount may fail to umount whenever something gets mounted under
> the bind.  In my case I was foolishly trying to rbind instead of bind
> /home in 10mount because my $HOME is a separate mount, and I wanted to
> have it available in the chroot.

I would like to use rbind, but this currently unsupported.  Please see
#354344 and #354298.

> Apart from making a failed umount abort the session cleanup, I see as
> another possible solution to rm -rf only a bind mount of the chroot to
> be sure there are no sub mounts, then umount this and only rmdir the
> actual chroot.  This would fail harmlessly if umounts failed (results
> only in a leftover session to be manually cleaned up).

There are a few possibilities here.

1) 10mount should exit with an error if umount fails.

   Caveat: if the session is ended with the setup scripts having
   failed, this would require manual cleanup by the system admin.
   This needs additional work in session::setup_chroot() in
   sbuild-session.cc, so that the session is not ended if the scripts
   fail.  This means not removing the session file from
   /var/lib/schroot/session/ on failure.

   Currently, because of the above consideration, the "setup-stop"
   phase of the session scripts can not fail.

2) 05file must check if any filesystems are mounted under the chroot
   root before running rm -rf.  Is there a portable and reliable way
   of doing this?  Would

     if mount | grep "$CHROOT_MOUNT_LOCATION"; then
       :
     else
       rm -rf "$CHROOT_MOUNT_LOCATION" || true
     fi

   be sufficient?

Due to the seriousness of the problem, I think both protective
measures should be implemented.


Regards,
Roger

-- 
Roger Leigh
                Printing on GNU/Linux?  http://gutenprint.sourceforge.net/
                Debian GNU/Linux        http://www.debian.org/
                GPG Public Key: 0x25BFB848.  Please sign and encrypt your mail.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/buildd-tools-devel/attachments/20060531/9252a862/attachment.pgp

More information about the Buildd-tools-devel mailing list