[buildd-tools-devel] Bug#810248: Bug#810248: sbuild: experimental sbuild breaks building in squeeze chroot due to build directory having setgid bit

Johannes Schauer josch at debian.org
Fri Jan 8 12:00:04 UTC 2016


Hi,

Quoting Raphaël Hertzog (2016-01-07 17:34:55)
> Package: sbuild
> Version: 0.67.0-2.0~exp2
> Severity: important
> 
> I just tried to build a package for squeeze-lts and got this failure:
> 
> [...]
> Check dependencies
> ------------------
> 
> Merged Build-Depends: build-essential, fakeroot
> Filtered Build-Depends: build-essential, fakeroot
> dpkg-deb: control directory has bad permissions 2775 (must be >=0755 and <=0775)
> dpkg-deb: building package `sbuild-build-depends-core-dummy' in `/<<BUILDDIR>>/resolver-lxgIE7/apt_archive/sbuild-build-depends-core-dummy.deb'.
> Dummy package creation failed
> 
> +------------------------------------------------------------------------------+
> | Cleanup                                                                      |
> +------------------------------------------------------------------------------+
> 
> Purging /<<BUILDDIR>>
> Not cleaning session: cloned chroot in use
> E: Core build dependencies not satisfied; skipping
> 
> 
> Effectively I see this:
> $ ls -al /var/lib/sbuild/build/
> total 8
> drwxrws--- 2 sbuild sbuild 4096 janv.  7 17:27 .
> drwxrws--- 4 sbuild sbuild 4096 oct.  26  2014 ..
> 
> 
> Same problem happens with build in wheezy. Jessie is fine though.
> 
> Newer dpkg copes better with that apparently... but I don't think that the
> "setgid" bit is necessary here.

I'm not sure unfortunately...

So when creating the chroot sbuild will execute the following inside the
chroot:

    $ mkdir -m 0775 /build
    $ chown sbuild:sbuild /build
    $ chmod 02770 /build

This will result in the build directory having permissions rwxrws---. I do not know
why the suid bit is necessary here and funnily doing the following:

    $ chmod 00770 /build

will not remove the suid bit. I'm quite puzzled about this. The only way I
found to remove the bit is to do:

    $ chmod ug=rwx,o=,a-s /build

Though sbuild generally seems to use octal mode. Maybe using mode in chmod
should be dropped in favour of the symbolic mode for easier readability? Also
because apparently octal mode is not able to clear the suid bit for a weird
reason?

Thanks a lot for testing the version in experimental!

cheers, josch
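
The effect discussed in this mail, as an added example that is not part of the original message or of sbuild: on Linux a directory created below a setgid directory inherits the bit, so a control directory made under a build directory with mode 02770 ends up as 2775, and clearing the bit on the parent with the symbolic mode from the mail stops that. The function names are hypothetical, the paths are scratch directories, and `control_dir_ok` is only a conservative reading of the quoted dpkg-deb message.

```shell
# Added example. Every path is a constructed scratch directory, not the real /build.

# perms DIR: ten-character permission string as printed by ls, e.g. drwxrws---
perms() { ls -ld "$1" | cut -c1-10; }

# has_setgid DIR: true when the group-execute slot shows s or S
has_setgid() {
    case "$(perms "$1" | cut -c7)" in s|S) return 0 ;; *) return 1 ;; esac
}

# control_dir_ok DIR: conservative reading of the quoted dpkg-deb message
# (">=0755 and <=0775"): exactly 0755 or 0775, no special bits.
# Assumption made for this example, not dpkg's actual test.
control_dir_ok() {
    case "$(perms "$1")" in drwxr-xr-x|drwxrwxr-x) return 0 ;; *) return 1 ;; esac
}

# make_build_dir DIR: the mkdir/chmod steps from the mail
# (chown sbuild:sbuild is omitted because it needs that user to exist).
make_build_dir() { mkdir -m 0775 "$1" && chmod 02770 "$1"; }

# make_control_dir BUILD NAME: create BUILD/NAME/DEBIAN under umask 002
# and print the resulting permission string.
make_control_dir() {
    ( umask 002 && mkdir -p "$1/$2/DEBIAN" ) && perms "$1/$2/DEBIAN"
}

# demo: control directory mode before and after clearing setgid on the build dir
demo() {
    scratch=$(mktemp -d) || return 1
    make_build_dir "$scratch/build" || return 1
    before=$(make_control_dir "$scratch/build" resolver-before)
    chmod ug=rwx,o=,a-s "$scratch/build"   # symbolic form from the mail
    after=$(make_control_dir "$scratch/build" resolver-after)
    rm -rf "$scratch"
    echo "$before $after"
}

demo   # prints: drwxrwsr-x drwxrwxr-x
```

Subdirectories that already exist keep their inherited bit after the parent is changed; only directories created afterwards come out without it.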