[buildd-tools-devel] Bug#836175: Bug#836175: libsbuild-perl: Do not use single quotes in embedded perl script

Johannes Schauer josch at debian.org
Wed Oct 12 13:35:29 UTC 2016


Hi,

On Thu, 1 Sep 2016 01:00:38 +0200 Samuel Thibault <sthibault at debian.org> wrote:
> Johannes Schauer, on Wed 31 Aug 2016 19:29:47 +0200, wrote:
> > if your setup deviates from the default, please include in your bugreport how
> > it does.
> 
> Ok, got to reproduce it easily:
> 
> # sbuild-createchroot sid /var/tmp/foo http://ftp2.fr.debian.org/debian
> # sudo sbuild-adduser samy                                          
> 
> in ~samy/.sbuildrc, just put 
> 
> $chroot_mode='sudo';
> 
> and then
> 
> sbuild -d sid foo_1.1-1
> 
> gets the issue.

Sorry for the long wait. Indeed the problem is with the sudo chroot mode. The
problem should also occur with the plain chroot mode. As I pointed out in
earlier messages, the solution should not be to just replace all single quotes
by double quotes. Instead, we can apply a smarter fix by properly escaping the
command string. Here is a patch:


--- a/lib/Sbuild/ChrootSudo.pm
+++ b/lib/Sbuild/ChrootSudo.pm
@@ -25,6 +25,7 @@ package Sbuild::ChrootSudo;
 use strict;
 use warnings;
 
+use Sbuild qw(shellescape);
 use Sbuild::Sysconfig;
 
 BEGIN {
@@ -111,14 +112,10 @@ sub get_command_internal {
         my $shellcommand;
         foreach (@$command) {
             my $tmp = $_;
-            $tmp =~ s/'//g; # Strip any single quotes for security
-            if ($_ ne $tmp) {
-                $self->log_warning("Stripped single quote from command for security: $_\n");
-            }
             if ($shellcommand) {
-                $shellcommand .= " '$tmp'";
+                $shellcommand .= " " . shellescape $tmp;
             } else {
-                $shellcommand = "'$tmp'";
+                $shellcommand = shellescape $tmp;
             }
         }
         push(@cmdline, '/bin/sh', '-c', "cd '$dir' && $shellcommand");
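Review bot: The unchanged `cd '$dir'` on the last line of this hunk still places `$dir` between hand-written single quotes, so a directory name containing a single quote would end the quoting early, which is the same problem this patch fixes for the command words. Consider `"cd " . shellescape($dir) . " && $shellcommand"`. With the stripping removed, the `$tmp` copy and the if/else no longer serve a purpose; the loop could become `join(' ', map { shellescape($_) } @$command)`. Calling `shellescape` with parentheses would also avoid relying on list-operator parsing next to the `.` concatenation.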



When I try this out, then many commands seem to be executed correctly. My build
fails as soon as sbuild attempts to execute something inside the chroot not as
the root user but as the user running sbuild. So I end up getting:

User Environment
----------------

sudo: no tty present and no askpass program specified
E: read_command failed to execute env
E: unable to open pipe


So this seems to be some problem with sudo. How can I fix it? Do you run into
the same problem?  You can easily run sbuild from git using:

PERL5LIB=$SBUILDGITPATH/lib $SBUILDGITPATH/bin/sbuild --chroot-mode=sudo

Thanks!

cheers, josch
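The difference between stripping single quotes and escaping them, as discussed in the message above, shown as an added example that is not part of the original message or of sbuild's code. The helpers `sq_escape`, `strip_and_quote` and `roundtrip` are hypothetical names, `sq_escape` is a stand-in and not Sbuild's `shellescape`, and the sample argument list is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for an escaping helper (not Sbuild's implementation):
# wrap the word in single quotes and rewrite each embedded ' as '\''.
sub sq_escape {
    my ($s) = @_;
    $s =~ s/'/'\\''/g;
    return "'$s'";
}

# Behaviour of the lines the patch removes: drop single quotes, then wrap.
sub strip_and_quote {
    my ($s) = @_;
    $s =~ s/'//g;
    return "'$s'";
}

# Pass the quoted words through /bin/sh -c and return the argument list
# the invoked program receives (printf emits one argument per line).
sub roundtrip {
    my ($quoter, @argv) = @_;
    my $shellcommand = join(' ', map { $quoter->($_) } @argv);
    open(my $fh, '-|', '/bin/sh', '-c', "printf '%s\\n' $shellcommand")
        or die "cannot run /bin/sh: $!";
    chomp(my @seen = <$fh>);
    close($fh);
    return @seen;
}

# Constructed sample: an embedded perl one-liner whose script contains
# single quotes plus shell metacharacters that must stay inert.
my @argv = ('perl', '-e', q{print 'hello $HOME; id'});

for my $case (['strip', \&strip_and_quote], ['escape', \&sq_escape]) {
    my ($name, $quoter) = @$case;
    my @seen = roundtrip($quoter, @argv);
    my $same = join("\0", @seen) eq join("\0", @argv);
    print "$name: ", ($same ? 'arguments preserved' : 'arguments ALTERED'), "\n";
    print "  [$_]\n" for @seen;
}
```

The `strip` case delivers a different perl script than the caller asked for, while the `escape` case delivers the original words unchanged and leaves `$HOME` and `;` uninterpreted by the shell.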