[reprotest] 03/04: main, presets: Properly drop privs when running the build. (Closes: #877813)
Ximin Luo
infinity0 at debian.org
Thu Oct 26 22:01:13 UTC 2017
This is an automated email from the git hooks/post-receive script.
infinity0 pushed a commit to branch master
in repository reprotest.
commit e3679676c021d1ed789e898122b096759543cc18
Author: Ximin Luo <infinity0 at debian.org>
Date: Thu Oct 26 23:50:09 2017 +0200
main, presets: Properly drop privs when running the build. (Closes: #877813)
The previous method still ran the "variations" commands as root, which caused
disorderfs to be run as root, preventing the build user from reading the files.
---
debian/changelog | 1 +
reprotest/__init__.py | 14 +++++++++++---
reprotest/presets.py | 10 +---------
3 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 4099380..268bddb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ reprotest (0.7.4) UNRELEASED; urgency=medium
* Hopefully fix the autopkgtest tests.
* Add a domain_host variation.
* Add a --print-sudoers feature.
+ * Properly drop privs when running the build. (Closes: #877813)
-- Ximin Luo <infinity0 at debian.org> Fri, 20 Oct 2017 12:33:21 +0200
diff --git a/reprotest/__init__.py b/reprotest/__init__.py
index 52dd1b8..1c85d71 100644
--- a/reprotest/__init__.py
+++ b/reprotest/__init__.py
@@ -5,6 +5,7 @@ import argparse
import collections
import configparser
import contextlib
+import getpass
import logging
import os
import random
@@ -75,8 +76,9 @@ def start_testbed(args, temp_dir, no_clean_on_error=False, host_distro='debian')
# path for the correct virt-server script.
server_path = get_server_path(args[0])
logging.info('STARTING VIRTUAL SERVER %r', [server_path] + args[1:])
- testbed = Testbed([server_path] + args[1:], temp_dir, None,
- host_distro=host_distro)
+ # TODO: make the user configurable, like autopkgtest
+ testbed = Testbed([server_path] + args[1:], temp_dir,
+ getpass.getuser(), host_distro=host_distro)
testbed.start()
testbed.open()
should_clean = True
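Review bot: `getpass.getuser()` in the new `Testbed(...)` call reads the LOGNAME, USER, LNAME and USERNAME environment variables before it consults the password database, so the account name handed to the testbed follows the caller's environment rather than the process's real uid. That argument presumably becomes `testbed.user`, which the later hunk uses as the `su` target, so deriving it from the uid would be firmer: `pwd.getpwuid(os.getuid()).pw_name` (needs `import pwd`; `os` is already imported). Separately, if reprotest itself is started as root this value is likely `root`, and the `su` call would then not lower privileges at all; a logged warning or an explicit refusal would make that case visible. The body of start_testbed continues outside the hunk.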
@@ -198,7 +200,13 @@ class BuildContext(collections.namedtuple('_BuildContext',
logging.debug("#### BEGIN REPROTEST BUILD SCRIPT ##############################################\n" +
build_script)
logging.debug("#### END REPROTEST BUILD SCRIPT ################################################")
- testbed.check_exec2(['sh', '-ec', build_script],
+
+ if 'root-on-testbed' in testbed.caps:
+ build_argv = ['su', '-s', '/bin/sh', testbed.user, '-c', 'set -e; ' + build_script]
+ else:
+ build_argv = ['sh', '-ec', build_script]
+
+ testbed.check_exec2(build_argv,
xenv=['-i'] + ['%s=%s' % (k, v) for k, v in build.env.items()],
kind='build')
logging.info("build successful, copying artifacts")
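Review bot: On the `root-on-testbed` branch, `su` without `-p` resets HOME and SHELL (and USER and LOGNAME for a non-root target) after the `xenv` values have been applied, so any of those keys carried in `build.env` would be silently replaced for the build. If `build.env` is meant to control them, which seems likely for a tool that varies the environment, consider `['su', '-p', '-s', '/bin/sh', testbed.user, '-c', 'set -e; ' + build_script]` or re-exporting the values inside the `-c` string. The branch also assumes `testbed.user` is a non-empty, non-root name. A guard such as `if not testbed.user or testbed.user == 'root': raise ValueError('no unprivileged build user')` before building `build_argv` would stop the build from quietly running as root. A short comment above the `if` saying that the variation setup stays privileged and only the build script is dropped would record the intent from the commit message. The enclosing method starts and ends outside the hunk.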
diff --git a/reprotest/presets.py b/reprotest/presets.py
index c588593..a98140c 100644
--- a/reprotest/presets.py
+++ b/reprotest/presets.py
@@ -73,15 +73,7 @@ PRESET_DEB_DIR = ReprotestPreset(
)
def preset_deb_schroot(fn, preset):
- return preset.re_replace.build_command("(.*)", lambda m: r"""
- if [ "$(id -u)" = 0 ]; then
- sudo -E -u "$SUDO_USER" env -u SUDO_USER sh -ec {0};
- else
- sh -ec {0};
- fi
- """.format(shlex.quote(m.group(1)))
- # schroot starts us off as root, we drop privs here to do the actual build
- ).set.testbed_init(
+ return preset.set.testbed_init(
# need to symlink /etc/mtab to work around a fusermount(1) deficiency
'apt-get -y --no-install-recommends install disorderfs fakeroot faketime locales-all sudo util-linux; \
test -c /dev/fuse || mknod -m 666 /dev/fuse c 10 229; \
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/reprotest.git