[Pkg-ltsp-devel] Bug#840667: ltsp-build-client fails at apt update call

Vagrant Cascadian vagrant at debian.org
Sun Nov 27 00:13:16 UTC 2016


Control: retitle 840667 ltsp-build-client: incorrect /tmp permissions when TMP/TMPDIR are set
Control: tags 840667 +pending

On 2016-10-14, Wolfgang Schweer wrote:
> On Thu, Oct 13, 2016 at 06:41:53PM +0200, Wolfgang Schweer wrote:
>> I have no idea where the wrong permissions come from.

Apparently, this is because 005-tmpdir runs before debootstrap, and
creates the directories referenced by TMP and TMPDIR (usually created by
something like libpam-tmpdir).


> This seems to be caused by ltsp-build-client/Debian/005-tmpdir; /tmp 
> inherits the wrong permissions.

I've worked around the issue upstream, and will include in an upload soon:

  https://bazaar.launchpad.net/~ltsp-upstream/ltsp/ltsp-trunk/revision/2763

I was able to recreate the problem with libpam-tmpdir installed, and the
above commit fixes the issue for me.


> With 005-tmpdir removed, installation succeeds; the chroot's /tmp dir 
> has the correct permissions 1777.
>
> Also, this seems to work:
>
> diff --git a/server/share/ltsp/plugins/ltsp-build-client/Debian/005-tmpdir b/server/share/ltsp/plugins/ltsp-build-client/Debian/005-tmpdir
> index a18a225..d52c535 100644
> --- a/server/share/ltsp/plugins/ltsp-build-client/Debian/005-tmpdir
> +++ b/server/share/ltsp/plugins/ltsp-build-client/Debian/005-tmpdir
> @@ -7,7 +7,7 @@ case $MODE in
>                  mkdir -p "$ROOT/$dir"
>                  # set permissions of dir
>                  # FIXME: handle permissions of intermediate dirs, too
> -                chmod --reference $dir "$ROOT/$dir"
> +                chmod 1777 "$ROOT/$dir"
>              fi
>          done
>          ;;
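Review bot: the added `chmod 1777 "$ROOT/$dir"` sets a world-writable sticky mode on every directory the loop creates, so a directory that is private on the host (the case the removed `chmod --reference` line preserved) would become writable by everyone inside the chroot. The FIXME in the context lines points at the narrower gap: `mkdir -p` leaves the intermediate directories with default modes, so consider keeping `--reference` for the leaf and applying the reference mode to each parent component as well. Quoting `$dir` in the `--reference` argument would also be worth doing while the line is touched.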
>
>
> But either change might have side effects...

This would compromise the purpose of things like libpam-tmpdir, which
creates a directory only writeable by the user, and sets TMP and TMPDIR
to that directory.

There are arguably security implications using TMP and TMPDIR from
environment variables, and thus many applications unset or ignore those
variables... which leads to some programs requiring the directories be
present (with correct permissions by the user), and some not using them
at all... so not sure it's a good idea to use at all.

But at any rate, the next version should at least work around the issue.


live well,
  vagrant
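
The failure discussed in this thread, as an added example (not code from ltsp-build-client, and not the upstream fix linked above): `mkdir -p` creates the chroot's /tmp with a umask-derived mode, while copying the mode of each path component keeps /tmp at 1777 and the per-user directory private. The function names, the `SRC` parameter and the sample tree are assumptions made for the illustration, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added illustration; not ltsp-build-client code and not the upstream fix.
# Assumes GNU coreutils stat. SRC is a hypothetical parameter standing in for
# the host root, so the demo can run against a constructed scratch tree.

mode_of() { stat -c %a "$1"; }

# Behaviour described in the thread: mkdir -p creates the parents with
# umask-derived modes and only the leaf receives the host directory's mode.
naive_tmpdir() {  # usage: naive_tmpdir SRC ROOT DIR
    mkdir -p "$2/$3"
    chmod "$(mode_of "$1/$3")" "$2/$3"
}

# Create DIR under ROOT one component at a time, copying each component's
# mode from SRC. Ownership is not copied, only the permission bits.
mirror_tmpdir() {  # usage: mirror_tmpdir SRC ROOT DIR
    src=$1 root=$2 rest=${3#/} path=
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$part" ] || continue            # skip empty parts from "//"
        path="$path/$part"
        [ -d "$src$path" ] || return 1        # nothing on the host to mirror
        [ -d "$root$path" ] || mkdir "$root$path" || return 1
        chmod "$(mode_of "$src$path")" "$root$path" || return 1
    done
}

# Constructed sample: a per-user temp dir below a sticky, world-writable /tmp.
demo() (
    umask 022
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/host/tmp/user/1000" "$t/naive" "$t/fixed"
    chmod 1777 "$t/host/tmp"
    chmod 711 "$t/host/tmp/user"
    chmod 700 "$t/host/tmp/user/1000"
    naive_tmpdir "$t/host" "$t/naive" /tmp/user/1000
    mirror_tmpdir "$t/host" "$t/fixed" /tmp/user/1000
    echo "naive=$(mode_of "$t/naive/tmp") fixed=$(mode_of "$t/fixed/tmp")" \
         "leaf=$(mode_of "$t/fixed/tmp/user/1000")"
    rm -rf "$t"
)
demo
```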