disallow running chrootless as root without fakeroot unless --skip=check/chrootless is used

2024-01-08 22:37:13 +01:00 · 2024-01-08 22:37:13 +01:00 · 428ee78121
commit 428ee78121
parent ae6dcc001d
3 changed files with 15 additions and 5 deletions
--- a/16
+++ b/16
@ -4939,9 +4939,17 @@ sub main() {
            test_unshare_userns(1);
        }
    } elsif ($options->{mode} eq 'chrootless') {
-        if ($EFFECTIVE_USER_ID == 0) {
-            warning "running chrootless mode as root might damage the host "
-              . "system";
+        if (any { $_ eq 'check/chrootless' } @{ $options->{skip} }) {
+            info "skipping check/chrootless as requested";
+        } else {
+            my $ischroot = 0 == system 'ischroot';
+            if (   $EFFECTIVE_USER_ID == 0
+                && !exists $ENV{FAKEROOTKEY}
+                && !$ischroot) {
+                error
+                  "running chrootless mode as root without fakeroot might "
+                  . "damage the host system if not run inside a chroot";
+            }
        }
    } else {
        error "unknown mode: $options->{mode}";
@ -7240,6 +7248,8 @@ Upon startup, several checks are carried out, like:

 =item * which mode to use and whether prerequisites are met

+=item * do not allow chrootless mode as root (without fakeroot) unless inside a chroot. This check can be disabled using B<--skip=check/chrootless>
+
 =item * whether the requested architecture can be executed (requires arch-test) using qemu binfmt_misc support. This requires arch-test and can be disabled using B<--skip=check/qemu>

 =item * how the apt sources can be assembled from I<SUITE>, I<MIRROR> and B<--components> and/or from standard input as deb822 or one-line format and whether the required GPG keys exist.
--- a/tests/chrootless
+++ b/tests/chrootless
@ -8,7 +8,7 @@ trap "rm -f /tmp/chrootless.tar /tmp/root.tar" EXIT INT TERM
 for INCLUDE in '' 'apt' 'apt,build-essential' 'systemd-sysv'; do
 	for MODE in root chrootless; do
 		{{ CMD }} --mode=$MODE --variant={{ VARIANT }} --hook-dir=./hooks/merged-usr \
-			${INCLUDE:+--include="$INCLUDE"} \
+			${INCLUDE:+--include="$INCLUDE"} --skip=check/chrootless \
 			{{ DIST }} "/tmp/$MODE.tar" {{ MIRROR }}
 	done
 	cmp /tmp/root.tar /tmp/chrootless.tar || diffoscope /tmp/root.tar /tmp/chrootless.tar
--- a/tests/chrootless-foreign
+++ b/tests/chrootless-foreign
@ -45,7 +45,7 @@ for INCLUDE in '' 'apt' 'systemd-sysv'; do
 	arch-test "$arch" && exit 1
 	{{ CMD }} --mode=chrootless --architecture="$arch" --variant={{ VARIANT }} \
 		--hook-dir=./hooks/merged-usr ${INCLUDE:+--include="$INCLUDE"} \
-		{{ DIST }} "/tmp/chrootless.tar" {{ MIRROR }}
+		--skip=check/chrootless {{ DIST }} "/tmp/chrootless.tar" {{ MIRROR }}
 	# when creating a foreign architecture chroot, the tarballs are not
 	# bit-by-bit identical but contain a few remaining differences:
 	#