[arch-projects] [devtools] [PATCH 2/2] makechrootpkg: build as same UID as invoker

Dave Reisner d at falconindy.com
Tue Sep 30 21:33:35 UTC 2014

On Tue, Sep 30, 2014 at 11:23:50PM +0200, Sébastien Luttringer wrote:
> On 22/09/2014 14:35, Dave Reisner wrote:
> > Changing UID to that of 'nobody' is arbitrary at best, and an
> > information leak at worst. Let's just drop back to the same UID of the
> > invoker.
> Which information is leaking?

"nobody" in the build chroot is exactly the same "nobody" as outside the
chroot. So, someone running as "nobody" has full control over the build
as it occurs in the chroot. ptrace it, do whatever you want to it
(including creating a malicious binary). There's no reason not to drop
privileges back to the user who invoked the build.

> This should also fix the permission issue on file introduced by bind
> mounting $startdir instread of copying and have files owned by nobody.


I've found one breakage in the patch (user creation is a pain in the ass
across architectures because of dlopen), but that's fixed locally.


More information about the arch-projects mailing list