boklm/mmdebstrap
1
0
Fork 0
forked from josch/mmdebstrap
Code Issues Pull requests Projects Releases Wiki Activity

mmdebstrap: fix perltidy formatting

Browse source
This commit is contained in:
Johannes Schauer Marin Rodrigues 2024-06-26 07:32:30 +02:00
parent 37678c4fb5
commit 500b0d2512
Signed by untrusted user: josch
GPG key ID: F2CBA5C78FBD83E1
1 changed files with 25 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
mmdebstrap
View file

@ -4293,8 +4293,8 @@ sub get_sourceslist_by_suite {
# the security mirror changes, starting with bullseye # the security mirror changes, starting with bullseye
# https://lists.debian.org/87r26wqr2a.fsf@43-1.org # https://lists.debian.org/87r26wqr2a.fsf@43-1.org
my $bullseye_or_later = 0; my $bullseye_or_later = 0;
if (any { $_ eq $suite } ('oldstable', 'stable', 'bullseye', 'bookworm', 'trixie')) if (any { $_ eq $suite }
{ ('oldstable', 'stable', 'bullseye', 'bookworm', 'trixie')) {
$bullseye_or_later = 1; $bullseye_or_later = 1;
} }
my $distro_info = '/usr/share/distro-info/debian.csv'; my $distro_info = '/usr/share/distro-info/debian.csv';
@ -6973,13 +6973,29 @@ The above uses C<--map-auto> to map the block of user/group ids for the
effective user/group to a block starting at user/group ID 0. We also want to effective user/group to a block starting at user/group ID 0. We also want to
map the current effective user/group ID into the subuid/subgid range using map the current effective user/group ID into the subuid/subgid range using
C<--map-user> and C<--map-group>, respectively. But if that uid/gid overlaps C<--map-user> and C<--map-group>, respectively. But if that uid/gid overlaps
with the respective range, a "hole" will be removed from the mapping and the with the respective range, a "hole" will be removed from the mapping by the
remaining uid/gid values will get shifted. Thus, we map the current effective L<unshare(1)> utility and the remaining uid/gid values will get shifted. Thus,
user/group ID to the highest possible uid/gid, putting them at the end. Since we map the current effective user/group ID to the highest possible uid/gid,
that means that the user/group will be "nobody" and not "root" inside the putting them at the end. Since that means that the user/group will be "nobody"
namespace, C<--keep-caps> propagate permitted capabilities into the ambient set and not "root" inside the namespace, C<--keep-caps> propagate permitted
and thus give the user C<CAP_DAC_OVERRIDE> and other capabilities that it capabilities into the ambient set and thus give the user C<CAP_DAC_OVERRIDE>
would've had. and other capabilities that it would've had. The following does B<NOT> work:
$ unshare --map-root-user --map-auto ... # or equavalient:
$ unshare --map-user=0 --map-group=0 --map-users=auto --map-groups=auto ...
Using the format of L<lxc-usernsexec(1)>, these options will result in the
following mapping:
0:$UID:1 + 1:$SUBUIDBASE:65535
So a hole is punched in the automatically mapped range at the very beginning to
make space for the user id of the current user as root inside the namespace and
the remaining uids are shifted. With C<--map-user=65536> the mapping is as
follows and places the current user at the end of the range, preventing any
shifting:
0:$SUBUIDBASE:65536 + 65536:$UID:1
Lastly, if you don't mind using superuser privileges and have systemd-nspawn Lastly, if you don't mind using superuser privileges and have systemd-nspawn
available and you know your subuid/subgid offset (100000 in this example): available and you know your subuid/subgid offset (100000 in this example):