[buildd-tools-devel] Bug#675512: Bug#675512: schroot: running an existing session as a user other than whom the session begun

Roger Leigh rleigh at codelibre.net
Fri Jun 1 18:48:30 UTC 2012 

On Fri, Jun 01, 2012 at 07:57:31PM +0200, SZABO Zsolt wrote:
> On lenny I used to begin a chroot-session at boot (as root) and than
> the normal user "attach" to this session to run the programs in the session:
> user:$ schroot -r -c started_chroot_session -p
> 
> I used this method instead "schroot -c chroot_session -p" thus the symlinks
> are created only once even when attaching not only one user but 10 or more
> at the same time.
> 
> However, this does not work on squeezy: I always get the message
> "Access not authorized". A line is also written in the auth.log:
> schroot: user -> user Unathorized
> 
> Possibly it is a pam related situation (feature or bug, I do not know..),
> however, I do not know either how to solve or get back the original way of
> operation.

This is due to a change in behaviour to make schroot more secure.
When you create a session, only the user creating the session is
granted access:

% schroot -V
schroot (Debian sbuild) 1.5.4 (29 May 2012)
...

(This is the current version in testing/unstable.  It's slightly
different to the squeeze version in that the example below uses
namespaces, but the permissions checking is the same.)

# schroot -b -n testg -c unstable-amd64-sbuild
testg

# schroot -r -c testg -d / -- ls
bin   build  etc   lib	  media  opt   root  sbin     srv  tmp	var
boot  dev    home  lib64  mnt	 proc  run   selinux  sys  usr

% schroot -i -c chroot:unstable-amd64-sbuild
  ─── Chroot ───
  Name                      sid-amd64-sbuild
  Users                     
  Groups                    root sbuild
  Root Users                
  Root Groups               root sbuild
...
  Source Users              
  Source Groups             root sbuild
  Source Root Users         
  Source Root Groups        root sbuild


% schroot -i -c session:testg 
  ─── Session ───
  Name                   testg
  Users                  
  Groups                 
  Root Users             root
  Root Groups            
....

So you can see that in this case, because root created the session,
only root is in the root user list in the session; all the other
users and groups were removed.

This is secure, but it's also restrictive, as you've found.  I'd like
to allow the chroot owner to have some way to grant other users/groups
permission to use it.  We just need a sensible way to do this by e.g.
adding a command-line option to specify this.  We might be able to use
the new --option option for this.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800

More information about the Buildd-tools-devel mailing list