[buildd-tools-devel] Bug#608840: Bug#608840: --chroot-setup-commands does not run as root
Wookey
wookey at wookware.org
Wed Jun 19 16:27:02 UTC 2013
+++ Joachim Breitner [2012-10-13 17:10 +0200]:
> Version: 0.63.2-1
>
> Hi,
>
> any news on this bug? I’d really like to have a way to modify the
> schroot session that sbuild starts before the build.
Here's a patch against current git/0.64.0 which does the following:
renames 'chroot-setup-commands' to 'chroot-user-setup-commands'
Adds 'chroot-system-setup-commands' which runs as soon as the chroot
is set up, so before the 'update' phase and thus useful for adding
repos. That command is run as root.
The cleanup command is now run as root too. (I decided not to add a
matching 'system' cleanup command as they'd both run at the same time
and this seemed kind of pointless: we have enough options already.)
Adds some info to the sbuild man-page about which commands are run
outside the chroot, which inside, which as root, which as build user.
It also includes slightly half-arsed and not tested extra substitution
tokens for hostarch and chrootpath so that these could be passed to
commands. However I couldn't actually work out how to find the chroot
path so that bit is still 'fixme'. This part probably doesn't work, if
at all (My tests with %substitutions didn't seem to work at all even
with the existing code...)
This stuff solves my immediate problem but I'm not sure that it's the
best answer.
Is there actually a good reason for running the current
'chroot-setup-commands' ('chroot-user-setup-commands' above) and
'chroot-cleanup-commands' as the build user? Does anyone use this
functionality? Is it part of the sbuild security model?
Is it useful to have hooks both before update
(chroot-system-setup-commands) and after update/dependency install
(chroot-user-setup-commands)? I can only think of uses for
'chroot-system-setup-commands', but then I'm not a typical sbuild user.
Should we just keep it to 4 scripts setup/cleanup internal/external
all run as root and as early/late as possible?
And I've left '--setup-hook' as replaced by
--chroot-user-setup-commands, but maybe it would be better if it was
now replaced by --chroot-system-setup-commands given the complaint in
#608840 that it used to run as root?
Or, now that I've written the code, should we just have the five
commands as described on the man page:
The 'pre/post-build-' commands are run external to the chroot. The
'chroot-setup-' commands are run inside the chroot. They are all
run as root except 'chroot-system-setup-' commands.
Here is a summary of the ordering, user, internal/external, and point
of running:

  --pre-build-commands            root  ext  after chroot session setup
  --chroot-system-setup-commands  root  int  after chroot initialisation, before 'update'
  --chroot-user-setup-commands    user  int  after update and dependency-install, before build
  --chroot-cleanup-commands       root  int  after build, before session is closed
  --post-build-commands           root  ext  after session is shut down
(Input on those descriptions welcome)
Patch attached.
Wookey
--
Principal hats: Linaro, Emdebian, Wookware, Balloonboard, ARM
http://wookware.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sbuild-0.64.0-chroot-system-setup-command.patch
Type: text/x-diff
Size: 9173 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/buildd-tools-devel/attachments/20130619/2c1ee83b/attachment.patch>
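As an added illustration (not part of the mail or of the attached patch) of how the five hooks summarised above would be laid out in a ~/.sbuildrc, using the $external_commands hash that sbuild already reads for its hook lists; the two 'system'/'user' key names follow the proposal in this mail rather than a released sbuild, and REPO_URL is a placeholder:

```perl
# ~/.sbuildrc fragment (Perl syntax). Added example: the 'system'/'user'
# keys are the names proposed in the mail and are assumed, not released.
# Each hook is a list of commands; each command is a list of argv words.
$external_commands = {
    # root, outside the chroot, after the schroot session exists
    "pre-build-commands" => [
        ['sh', '-c', 'echo "pre-build on host: $(hostname)"'],
    ],

    # root, inside the chroot, before 'apt-get update': the place to add
    # a repository so the update/dependency-install step can see it.
    # Anything here runs as root in the chroot, so keep it to trusted,
    # version-controlled commands. REPO_URL is a placeholder.
    "chroot-system-setup-commands" => [
        ['sh', '-c',
         'echo "deb http://REPO_URL/debian unstable main" '
         . '> /etc/apt/sources.list.d/local.list'],
    ],

    # build user, inside the chroot, after dependencies are installed
    "chroot-user-setup-commands" => [
        ['sh', '-c', 'id -un; env | grep "^HOME="'],
    ],

    # root, inside the chroot, after the build, before the session closes:
    # undo what the system-setup hook did so the chroot stays clean
    "chroot-cleanup-commands" => [
        ['rm', '-f', '/etc/apt/sources.list.d/local.list'],
    ],

    # root, outside the chroot, after the session is shut down
    "post-build-commands" => [
        ['sh', '-c', 'echo "build finished"'],
    ],
};

1;
```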