[buildd-tools-devel] schroot

Geoffrey Thomas geofft at ldpreload.com
Tue Oct 8 06:29:42 UTC 2013 

On Tue, 8 Oct 2013, shawn wilson wrote:

> This is at the top of every schroot config file, but I can't find it 
> documented:
>
> . "$SETUP_DATA_DIR/common-data"
> . "$SETUP_DATA_DIR/common-functions"
> . "$SETUP_DATA_DIR/common-config"
>
> Where is this being sourced from (ie, where is the 'common-data' file?) 
> and (more important) where is this documented?

I can't seem to find documentation, but `git grep SETUP_DATA_DIR` inside 
the schroot git tree finds me these matches (as well as all the setup.d 
files, and one match in the Makefile generation):

sbuild/sbuild-session.cc:1090:  env.add("SETUP_DATA_DIR", SCHROOT_SETUP_DATA_DIR);
scripts/global.mk:53:-DSCHROOT_SETUP_DATA_DIR=\"$(schroot_setupdatadir)\" \

So it's exported into the environment in the session class out of a C 
preprocessor macro, which is in turn defined by the build process. In 
particular it seems to end up being /usr/share/schroot/setup on Debian.

`dpkg -L schroot | grep common` is another way to answer this.

> Also, maybe not an issue with schroot, but when I try to strace it, it
> won't authenticate where this otherwise works (yeah, I'm trying to
> figure out what those variables do without digging through source -
> probably stupid not to just look at the code but whatever):
> % strace -f -s 1024 -e trace=stat64,read,write schroot -c test -- ls
> / 2>&1 | tail -5
> write(2, "E: ", 3E: )                      = 3
> write(2, "PAM error: Authentication service cannot retrieve
> authentication info", 69PAM error: Authentication service cannot
> retrieve authentication info) = 69
> write(2, "\n", 1
> )                       = 1
> +++ exited with 1 +++

schroot is setuid root, so that it can run the chroot syscall for you, and 
it's responsible for checking whether you're authorized to do that. strace 
uses ptrace, a debugging facility, which is not allowed for setuid 
applications to prevent you from reading or writing privileged data (an 
obvious attack here would be using a more full-featured debugger like gdb 
to bypass the authorization check).

If this is your own machine and you have root, there are some workarounds 
that I've used when debugging setuid executables (I think including 
schroot) in the past. You can just run everything as root, which should 
work for your current use case but isn't a great general-purpose answer. 
You can attach to the process later with `sudo strace -p <pid>`; pausing 
the process with Ctrl-Z might make it easier to catch it before it exits, 
but also not a great general-purpose answer. Finally, you could try some 
contortion like `sudo strace sudo -u $USER schroot -c test`, or similarly 
with su.

-- 
Geoffrey Thomas
http://ldpreload.com
geofft at ldpreload.com

More information about the Buildd-tools-devel mailing list