[arch-projects] [devtools] [PATCH 2/2] makechrootpkg: build as same UID as invoker
Dave Reisner
dreisner at archlinux.org
Mon Sep 22 12:35:59 UTC 2014
Changing UID to that of 'nobody' is arbitrary at best, and an
information leak at worst. Let's just drop back to the same UID of the
invoker.
---
makechrootpkg.in | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 8bc18a4..9bb0bfa 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -234,7 +234,9 @@ prepare_chroot() {
echo 'SRCDEST="/srcdest"' >> "$copydir/etc/makepkg.conf"
fi
- chown -R nobody "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir}
+ builduser_uid=${SUDO_UID:-$UID}
+ useradd -R "$copydir" -g users -u "$builduser_uid" -s /bin/nologin builduser
+ chown -R "$builduser_uid" "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir}
if [[ -n $MAKEFLAGS ]]; then
sed -i '/^MAKEFLAGS=/d' "$copydir/etc/makepkg.conf"
@@ -246,12 +248,12 @@ prepare_chroot() {
echo "PACKAGER='${PACKAGER}'" >> "$copydir/etc/makepkg.conf"
fi
- if [[ ! -f $copydir/etc/sudoers.d/nobody-pacman ]]; then
- cat > "$copydir/etc/sudoers.d/nobody-pacman" <<EOF
+ if [[ ! -f $copydir/etc/sudoers.d/builduser-pacman ]]; then
+ cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
Defaults env_keep += "HOME"
-nobody ALL = NOPASSWD: /usr/bin/pacman
+builduser ALL = NOPASSWD: /usr/bin/pacman
EOF
- chmod 440 "$copydir/etc/sudoers.d/nobody-pacman"
+ chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
fi
# This is a little gross, but this way the script is recreated every time in the
@@ -302,7 +304,7 @@ _chrootbuild() {
for vcsdir in */.$vcs; do
rm "${vcsdir%/.$vcs}"
cp -a "${dir}_host/${vcsdir%/.$vcs}" .
- chown -R nobody "${vcsdir%/.$vcs}"
+ chown -R builduser "${vcsdir%/.$vcs}"
done
done
done
@@ -312,7 +314,7 @@ _chrootbuild() {
# XXX: Keep PKGBUILD writable for pkgver()
rm PKGBUILD*
cp /startdir_host/PKGBUILD* .
- chown nobody PKGBUILD*
+ chown builduser PKGBUILD*
# Safety check
if [[ ! -w PKGBUILD ]]; then
@@ -320,13 +322,13 @@ _chrootbuild() {
exit 1
fi
- sudo -u nobody makepkg $makepkg_args || exit 1
+ sudo -u builduser makepkg $makepkg_args || exit 1
if $run_namcap; then
pacman -S --needed --noconfirm namcap
for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
echo "Checking ${pkgfile##*/}"
- sudo -u nobody namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
+ sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
done
fi
--
2.1.0
More information about the arch-projects
mailing list