On 12/22/2017 08:31 AM, Manuel Reimer wrote:
> My autobuild process runs as root. It also directly updates the chroot which also needs root permissions, so it's best to start with "root" and then drop privileges for the tasks that shouldn't run with root privileges. The whole system is a dedicated build VM, so there is no reason to not use "root" for the main purpose of this machine.
makechrootpkg already runs systemd-nspawn to enter the chroot and run pacman -Syu as the root user, so this isn't strictly necessary.
That is the first time the makepkg command is run. The second time is inside the chroot, which should automatically be run as the "builduser" user inside a systemd-nspawn container (we don't actually use chroot).
> And this one fails. But why? Does makechrootpkg for some reason fail to drop privileges if the "-U" parameter is used?
The -U parameter is completely ignored in the chroot. Once sources are downloaded, it runs systemd-nspawn to enter the chroot as root, then runs /chrootbuild, which uses a hardcoded command:
sudo -iu builduser bash -c 'cd /startdir; makepkg "$@"' -bash "$@"
Once you enter the chroot, nothing you do should matter, unless the chroot itself is completely damaged.
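
The argument forwarding used by the hardcoded /chrootbuild command quoted above, as an added example that is not part of the original message and is not makechrootpkg code. The "sudo -iu builduser" prefix is left out so it runs without root; the function names, the spliced contrast and the sample arguments are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added illustration, not makechrootpkg code. The "sudo -iu builduser" prefix is
# left out so this runs without root; only the argument handling is shown.

# Same shape as the hardcoded command: the script text is a fixed single-quoted
# string, "-bash" becomes $0, and the caller's arguments become $1, $2, ...
forwarded_args() {
    bash -c 'printf "%s\n" "$@"' -bash "$@"
}

forwarded_count() {
    bash -c 'echo "$#"' -bash "$@"
}

# What the placeholder word after the script text becomes in the inner shell.
inner_arg0() {
    bash -c 'echo "$0"' -bash "$@"
}

# Hypothetical contrast: the arguments are pasted into the script text, so the
# inner shell word-splits them a second time.
spliced_count() {
    bash -c "set -- $*; echo \"\$#\""
}

# Constructed sample arguments; the path contains a space on purpose.
demo() {
    set -- --config "/tmp/build dir/makepkg.conf"
    echo "forwarded: $(forwarded_count "$@") args, \$0=$(inner_arg0 "$@")"
    forwarded_args "$@"
    echo "spliced:   $(spliced_count "$@") args"
}

demo
```

With the fixed script text and "$@", the unprivileged shell receives exactly the words the caller passed; the spliced form reports three arguments for the same two-word input.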