authorDave Reisner <dreisner@archlinux.org>2014-09-21 15:03:28 -0400
committerDave Reisner <dreisner@archlinux.org>2014-09-30 19:28:47 -0400
commita78bdb841dbe7839c8afd7184d821ed42dd334cc (patch)
treea41b38019fdc9d658638ca88a80cd8add2491376
parent12a1300694272928e70408f4ce2fe85bacd19eb4 (diff)
downloaddevtools-a78bdb841dbe7839c8afd7184d821ed42dd334cc.tar.xz
makechrootpkg: build as same UID as invoker
Changing UID to that of 'nobody' is arbitrary at best, and an information leak at worst. Let's just drop back to the same UID of the invoker.
-rw-r--r--makechrootpkg.in24
1 files changed, 15 insertions, 9 deletions
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 8bc18a4..b82c2a2 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -234,7 +234,13 @@ prepare_chroot() {
echo 'SRCDEST="/srcdest"' >> "$copydir/etc/makepkg.conf"
fi
- chown -R nobody "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir}
+ builduser_uid=${SUDO_UID:-$UID}
+
+ # We can't use useradd without chrooting, otherwise it invokes PAM modules
+ # which we might not be able to load (i.e. when building i686 packages on
+ # an x86_64 host).
+ printf 'builduser:x:%d:100:builduser:/:/usr/bin/nologin\n' "$builduser_uid" >>"$copydir/etc/passwd"
+ chown -R "$builduser_uid" "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir}
if [[ -n $MAKEFLAGS ]]; then
sed -i '/^MAKEFLAGS=/d' "$copydir/etc/makepkg.conf"
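Review bot: The `printf 'builduser:x:%d:...' >>"$copydir/etc/passwd"` line appends unconditionally, so every run of prepare_chroot against an existing copy adds another `builduser` entry. If copies are reused between runs (the `[[ ! -f ... ]]` guard on the sudoers file further down suggests they are), name lookups will normally resolve to the first entry, which may carry a previous invoker's UID while `chown -R "$builduser_uid"` uses the current one. Removing any earlier entry first, the same way the context line handles MAKEFLAGS, avoids the mismatch: `sed -i '/^builduser:/d' "$copydir/etc/passwd"`. Separately, when the script is started from a root shell without sudo, `${SUDO_UID:-$UID}` evaluates to 0 and `builduser` becomes a second UID-0 account, so a value of 0 should be rejected or remapped before the entry is written. prepare_chroot begins and ends outside this hunk.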
@@ -246,12 +252,12 @@ prepare_chroot() {
echo "PACKAGER='${PACKAGER}'" >> "$copydir/etc/makepkg.conf"
fi
- if [[ ! -f $copydir/etc/sudoers.d/nobody-pacman ]]; then
- cat > "$copydir/etc/sudoers.d/nobody-pacman" <<EOF
+ if [[ ! -f $copydir/etc/sudoers.d/builduser-pacman ]]; then
+ cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
Defaults env_keep += "HOME"
-nobody ALL = NOPASSWD: /usr/bin/pacman
+builduser ALL = NOPASSWD: /usr/bin/pacman
EOF
- chmod 440 "$copydir/etc/sudoers.d/nobody-pacman"
+ chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
fi
# This is a little gross, but this way the script is recreated every time in the
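Review bot: Chroot copies prepared before this change keep `/etc/sudoers.d/nobody-pacman`, because the new guard only tests for `builduser-pacman`. On a reused copy the passwordless pacman rule for `nobody` therefore stays in place even though nothing in the script uses it any more. Dropping it next to the new file keeps the grant list minimal: `rm -f "$copydir/etc/sudoers.d/nobody-pacman"`. A short comment above the heredoc would also help the next reader, for example `# builduser can run pacman as root without a password inside the chroot`. prepare_chroot continues outside this hunk.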
@@ -302,7 +308,7 @@ _chrootbuild() {
for vcsdir in */.$vcs; do
rm "${vcsdir%/.$vcs}"
cp -a "${dir}_host/${vcsdir%/.$vcs}" .
- chown -R nobody "${vcsdir%/.$vcs}"
+ chown -R builduser "${vcsdir%/.$vcs}"
done
done
done
@@ -312,7 +318,7 @@ _chrootbuild() {
# XXX: Keep PKGBUILD writable for pkgver()
rm PKGBUILD*
cp /startdir_host/PKGBUILD* .
- chown nobody PKGBUILD*
+ chown builduser PKGBUILD*
# Safety check
if [[ ! -w PKGBUILD ]]; then
@@ -320,13 +326,13 @@ _chrootbuild() {
exit 1
fi
- sudo -u nobody makepkg $makepkg_args || exit 1
+ sudo -u builduser makepkg $makepkg_args || exit 1
if $run_namcap; then
pacman -S --needed --noconfirm namcap
for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
echo "Checking ${pkgfile##*/}"
- sudo -u nobody namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
+ sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
done
fi