[buildd-tools-devel] Bug#608414: Bug#608414: missing umask thing in sbuild-createchroot?

Roger Leigh rleigh at codelibre.net
Thu Dec 30 19:09:04 UTC 2010


tags 608414 + patch
thanks

On Thu, Dec 30, 2010 at 07:47:32PM +0100, Cyril Brulebois wrote:
> Roger Leigh <rleigh at codelibre.net> (30/12/2010):
> > Not sure why this is so restrictive initially.  I think it was
> > probably to prevent any access to the chroot environment except via
> > sudo/schroot, but the security is minimal at best and probably
> > entirely pointless.  I certainly have 0755 perms on all my chroots.
> 
> And while we're at it, what about chroot configuration files?
> | $ ls -l /etc/schroot/chroot.d
> | total 8
> | -rw------- 1 root root 216 Dec 30 19:26 experimental-amd64-sbuild
> | -rw------- 1 root root 189 Dec 30 19:27 sid-amd64-sbuild
> 
> Not sure they should be rw for the sbuild group; but at least readable
> by anyone shouldn't hurt..

Yes, this isn't by design (it's the default behaviour of File::Temp,
which doesn't look like it can be changed, though you can change it
after creation).  You can also dump the configuration with
"schroot --config" anyway, so the restrictive permissions don't really
help.

The file does contain information about who might have root access, so
it could be argued it shouldn't be readable by all (or even 0440 like
/etc/sudoers), but this would require --config to strip out the
security information when run by a non-privileged user as a
prerequisite.

diff --git a/bin/sbuild-createchroot b/bin/sbuild-createchroot
index 6273f07..cd09b09 100755
--- a/bin/sbuild-createchroot
+++ b/bin/sbuild-createchroot
@@ -324,6 +324,7 @@ if (-d "/etc/schroot/chroot.d") {
 
 # Display schroot configuration.
 print "I: schroot chroot configuration written to $SCHROOT_CONF.\n";
+chmod 0644, "$SCHROOT_CONF";
 dump_file("$SCHROOT_CONF");
 print "I: Please rename and modify this file as required.\n";
 print $personality_message if $personality_message;
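Review bot: The return value of the added `chmod 0644, "$SCHROOT_CONF";` is not checked, so if the call fails the file silently keeps its previous mode and the "I:" messages around it give no hint of that. Consider `chmod 0644, $SCHROOT_CONF or warn "W: cannot chmod $SCHROOT_CONF: $!\n";`. A one-line comment above the call would also help: it should state that making the file world-readable is deliberate, so the mode is not tightened again later by someone who takes it for an oversight.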


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.