[buildd-tools-devel] Bug#675512: Bug#675512: schroot: running an existing session as a user other than whom the session begun
Roger Leigh
rleigh at codelibre.net
Fri Jun 1 18:48:30 UTC 2012
On Fri, Jun 01, 2012 at 07:57:31PM +0200, SZABO Zsolt wrote:
> On lenny I used to begin a chroot-session at boot (as root) and then
> the normal user "attach" to this session to run the programs in the session:
> user:$ schroot -r -c started_chroot_session -p
>
> I used this method instead of "schroot -c chroot_session -p" so that the symlinks
> are created only once even when attaching not only one user but 10 or more
> at the same time.
>
> However, this does not work on squeeze: I always get the message
> "Access not authorized". A line is also written in the auth.log:
> schroot: user -> user Unathorized
>
> Possibly it is a PAM-related situation (feature or bug, I do not know...),
> however, I do not know either how to solve or get back the original way of
> operation.
This is due to a change in behaviour to make schroot more secure.
When you create a session, only the user creating the session is
granted access:
% schroot -V
schroot (Debian sbuild) 1.5.4 (29 May 2012)
...
(This is the current version in testing/unstable. It's slightly
different to the squeeze version in that the example below uses
namespaces, but the permissions checking is the same.)
# schroot -b -n testg -c unstable-amd64-sbuild
testg
# schroot -r -c testg -d / -- ls
bin build etc lib media opt root sbin srv tmp var
boot dev home lib64 mnt proc run selinux sys usr
% schroot -i -c chroot:unstable-amd64-sbuild
─── Chroot ───
Name sid-amd64-sbuild
Users
Groups root sbuild
Root Users
Root Groups root sbuild
...
Source Users
Source Groups root sbuild
Source Root Users
Source Root Groups root sbuild
% schroot -i -c session:testg
─── Session ───
Name testg
Users
Groups
Root Users root
Root Groups
....
So you can see that in this case, because root created the session,
only root is in the root user list in the session; all the other
users and groups were removed.
This is secure, but it's also restrictive, as you've found. I'd like
to allow the chroot owner to have some way to grant other users/groups
permission to use it. We just need a sensible way to do this by e.g.
adding a command-line option to specify this. We might be able to use
the new --option option for this.
Regards,
Roger
--
.''`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' schroot and sbuild http://alioth.debian.org/projects/buildd-tools
`- GPG Public Key F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800
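The access-list semantics Roger describes above can be checked before attaching to a session, by reading the "Users", "Groups", "Root Users" and "Root Groups" lines that `schroot -i` prints. The following is an added example, not schroot's own code and not part of the thread: it parses constructed info listings modelled on the ones in the message and applies a simplified version of the documented rule (root-users/root-groups get root access, users/groups get ordinary access, everyone else is refused), so the difference between the chroot definition and the root-created session is visible without trying the `schroot -r` and reading auth.log.

```python
"""Model of the schroot access check described in the thread above.

Added example: parses a 'schroot -i' style listing and decides whether a
given user (with given groups) would be granted access.  This is NOT
schroot's own code; the rule below is a simplification of the documented
users/groups/root-users/root-groups keys and of what the message describes.
"""

# Constructed sample listings, modelled on the output quoted in the message.
CHROOT_INFO = """\
─── Chroot ───
Name sid-amd64-sbuild
Users
Groups root sbuild
Root Users
Root Groups root sbuild
Source Users
Source Groups root sbuild
"""

SESSION_INFO = """\
─── Session ───
Name testg
Users
Groups
Root Users root
Root Groups
"""

# The four access-list keys; two-word keys are matched before one-word keys
# so that "Root Users" is never read as the key "Root".
ACCESS_KEYS = ("Root Groups", "Root Users", "Groups", "Users")


def parse_info(text):
    """Return a dict mapping each access-list key to the set of names listed."""
    lists = {key: set() for key in ACCESS_KEYS}
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        for key in ACCESS_KEYS:
            key_words = key.split()
            if words[:len(key_words)] == key_words:
                lists[key].update(words[len(key_words):])
                break  # other lines (Name, Source ..., the header) are ignored
    return lists


def access_level(lists, user, groups):
    """Return 'root', 'user' or None for the given user and group memberships.

    Simplified rule (assumption, labelled as such): membership in Root Users or
    Root Groups grants root access; membership in Users or Groups grants
    ordinary access; anything else corresponds to "Access not authorized".
    """
    groups = set(groups)
    if user in lists["Root Users"] or groups & lists["Root Groups"]:
        return "root"
    if user in lists["Users"] or groups & lists["Groups"]:
        return "user"
    return None


def explain(name, text, user, groups):
    """Human-readable one-line verdict for a listing."""
    level = access_level(parse_info(text), user, groups)
    verdict = "refused (Access not authorized)" if level is None else level + " access"
    return "%s: %s (groups %s) -> %s" % (name, user, ",".join(groups), verdict)


if __name__ == "__main__":
    # A normal user in the sbuild group is allowed into the chroot definition
    # but not into the session that root created.
    print(explain("chroot:unstable-amd64-sbuild", CHROOT_INFO, "user", ["user", "sbuild"]))
    print(explain("session:testg", SESSION_INFO, "user", ["user", "sbuild"]))
    print(explain("session:testg", SESSION_INFO, "root", ["root"]))
```

Run against the real output of `schroot -i -c session:NAME` (feed the text to `parse_info`) the same check tells you, before attaching, whether the session's lists still include the user you intend to attach as; with the behaviour described in the message, a root-created session lists only root.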