Changing UID to that of 'nobody' is arbitrary at best, and an information leak at worst. Let's just drop back to the same UID of the invoker.
---
 makechrootpkg.in | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 8bc18a4..9bb0bfa 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -234,7 +234,9 @@ prepare_chroot() {
 echo 'SRCDEST="/srcdest"' >> "$copydir/etc/makepkg.conf"
 fi
- chown -R nobody "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir}
+ builduser_uid=${SUDO_UID:-$UID}
+ useradd -R "$copydir" -g users -u "$builduser_uid" -s /bin/nologin builduser
+ chown -R "$builduser_uid" "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir}
 if [[ -n $MAKEFLAGS ]]; then
 sed -i '/^MAKEFLAGS=/d' "$copydir/etc/makepkg.conf"
@@ -246,12 +248,12 @@ prepare_chroot() {
 echo "PACKAGER='${PACKAGER}'" >> "$copydir/etc/makepkg.conf"
 fi
- if [[ ! -f $copydir/etc/sudoers.d/nobody-pacman ]]; then
- cat > "$copydir/etc/sudoers.d/nobody-pacman" <<EOF
+ if [[ ! -f $copydir/etc/sudoers.d/builduser-pacman ]]; then
+ cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
 Defaults env_keep += "HOME"
-nobody ALL = NOPASSWD: /usr/bin/pacman
+builduser ALL = NOPASSWD: /usr/bin/pacman
 EOF
- chmod 440 "$copydir/etc/sudoers.d/nobody-pacman"
+ chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
 fi
 # This is a little gross, but this way the script is recreated every time in the
@@ -302,7 +304,7 @@ _chrootbuild() {
 for vcsdir in */.$vcs; do
 rm "${vcsdir%/.$vcs}"
 cp -a "${dir}_host/${vcsdir%/.$vcs}" .
- chown -R nobody "${vcsdir%/.$vcs}"
+ chown -R builduser "${vcsdir%/.$vcs}"
 done
 done
 done
@@ -312,7 +314,7 @@ _chrootbuild() {
 # XXX: Keep PKGBUILD writable for pkgver()
 rm PKGBUILD*
 cp /startdir_host/PKGBUILD* .
- chown nobody PKGBUILD*
+ chown builduser PKGBUILD*
 # Safety check
 if [[ ! -w PKGBUILD ]]; then
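Review bot: The exit status of `useradd` in the hunk at -234 is never checked, and nothing reconciles a `builduser` entry already present in `$copydir` from an earlier run. The `-f` guard on the sudoers file in the next hunk suggests the chroot copy is reused; in that case a second run with a different invoker would leave the directories owned by the new `$builduser_uid` while `sudo -u builduser` (hunk at -320) and the by-name `chown` calls (hunks at -302 and -312) resolve to the old UID. A direct root invocation also gives `builduser_uid=0`, which should be refused explicitly instead of left to `useradd` failing, for example `[[ $builduser_uid -ne 0 ]] || exit 1`, with the existing account removed or updated before the `chown`. `prepare_chroot` starts and ends outside the hunk.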
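Review bot: Chroot copies created before this change keep `/etc/sudoers.d/nobody-pacman`, because the new `-f` test in the hunk at -246 only looks for `builduser-pacman` and nothing removes the old file. That leaves a passwordless `pacman` rule for `nobody` in place after the switch; adding `rm -f "$copydir/etc/sudoers.d/nobody-pacman"` ahead of the `if` would retire it. A one-line comment above the heredoc stating that `builduser` carries the invoker's UID and gets root `pacman` only inside the chroot would also help the next reader. `prepare_chroot` starts and ends outside the hunk.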
@@ -320,13 +322,13 @@ _chrootbuild() {
 exit 1
 fi
- sudo -u nobody makepkg $makepkg_args || exit 1
+ sudo -u builduser makepkg $makepkg_args || exit 1
 if $run_namcap; then
 pacman -S --needed --noconfirm namcap
 for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
 echo "Checking ${pkgfile##*/}"
- sudo -u nobody namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
+ sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
 done
 fi
-- 
2.1.0
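Review bot: On the namcap line only `namcap` is dropped to `builduser`; the `tee` that writes the log still runs with the script's own privileges into `/logdest`, a directory that `prepare_chroot` hands to the build account with `chown -R`. A privileged write into a directory the just-finished build could populate should not assume it lands on a regular file. Assuming `/logdest` stays writable by `builduser`, running the writer unprivileged as well keeps the log inside the build account: `sudo -u builduser namcap "$pkgfile" 2>&1 | sudo -u builduser tee "/logdest/${pkgfile##*/}-namcap.log"`. `$makepkg_args` is expanded unquoted on the makepkg line; if the word splitting is intended, a short comment saying so would help. `_chrootbuild` begins before this hunk.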