FS#43432 - [devtools] makechrootpkg calls makepkg with --asroot

Attached to Project: Arch Linux
Opened by Dominik Heidler (asdil12) - Tuesday, 13 January 2015, 12:31 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 22 March 2017, 03:23 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Pierre Schmitz (Pierre)
Dave Reisner (falconindy)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

See https://projects.archlinux.org/devtools.git/tree/makechrootpkg.in#n297

When I run makechrootpkg (as root, of course) it tries to download the sources before changing into the chroot.
To do that, makepkg is called with the --asroot option.

As the --asroot option was remoced from makepkg, this will fail.
This task depends upon

Closed by  Doug Newgard (Scimmia)
Wednesday, 22 March 2017, 03:23 GMT
Reason for closing:  Fixed
Additional comments about closing:  https://git.archlinux.org/devtools.git/c ommit/?id=cda9cf436b2897b063c1e40efb1444 04aad8b821
Comment by Dave Reisner (falconindy) - Tuesday, 13 January 2015, 14:14 GMT
Solution: don't call makechrootpkg as root.
Comment by Doug Newgard (Scimmia) - Tuesday, 13 January 2015, 15:05 GMT
Dave, that's only a partial solution. makechrootpkg shouldn't be calling a non-existent option; it should either fail or drop privileges itself.
Comment by Dave Reisner (falconindy) - Tuesday, 13 January 2015, 15:08 GMT
Sure, it *does* drop privileges if you elevate via sudo. OP is logging in as root (or su'ing) and calling makechrootpkg.

Patches welcome. I don't have time to deal with this right now.
Comment by Dominik Heidler (asdil12) - Tuesday, 13 January 2015, 15:20 GMT
If makechrootpkg is called as non-root (eg using sudo), at least arch-nspawn will ask for the root password again, to regain root priviliges.
Having a password prompt or unneccesary sudo-invocation is not good - and will scripted calling of makechrootpkg much harder.

A possible workaround would be to allow $NON_ROOT_USER to write to $PWD and run makechrootpkg as root but with env SUDO_USER=$NON_ROOT_USER, but I'm not sure, if this is intended use.
Also I don't like the idea of needing an additional user just to let makechrootpkg download the sources.

BTW: Why doesn't makechrootpkg leave the source downloading to makepkg IN the chroot, but insted calls it from extern at all?
Comment by Dave Reisner (falconindy) - Tuesday, 13 January 2015, 15:33 GMT
Calling nspawn requires elevated privileges to do anything useful (e.g. chroot). There's no way to avoid elevating privileges at some point.

> Having a password prompt or unneccesary sudo-invocation is not good - and will scripted calling of makechrootpkg much harder.
sudo has configuration which allows password-free invocation of makechrootpkg.

> BTW: Why doesn't makechrootpkg leave the source downloading to makepkg IN the chroot, but insted calls it from extern at all?
Two reasons:
1) The chroot might not have network access.
2) We mount SRCDEST as read-only in the chroot.
Comment by Justin Vreeland (jvreeland) - Sunday, 20 November 2016, 23:15 GMT
Found this while meddling with devtools. Seems reasonable to add an error message instead of letting makepkg explode underneath. Not sure if you prefer patches here or via email, or if this is the right fix.

Edit: sorry for the two uploads
   0001-makechrootpkg-remove-out... (1 KiB)
   0001-makechrootpkg-remove-out... (1 KiB)

Loading...