diff --git a/coverage.sh b/coverage.sh index a837a0c..4f25168 100755 --- a/coverage.sh +++ b/coverage.sh @@ -347,6 +347,24 @@ else ./run_null.sh SUDO fi +print_header "mode=root,variant=apt: chroot directory not accessible by _apt user" +cat << END > shared/test.sh +#!/bin/sh +set -eu +export LC_ALL=C.UTF-8 +mkdir /tmp/debian-unstable +chmod 700 /tmp/debian-unstable +$CMD --mode=root --variant=apt unstable /tmp/debian-unstable $mirror +tar -C /tmp/debian-unstable --one-file-system -c . | tar -t | sort > tar2.txt +diff -u tar1.txt tar2.txt +rm -r /tmp/debian-unstable +END +if [ "$HAVE_QEMU" = "yes" ]; then + ./run_qemu.sh +else + ./run_null.sh SUDO +fi + print_header "mode=unshare,variant=apt: create gzip compressed tarball" cat << END > shared/test.sh #!/bin/sh diff --git a/mmdebstrap b/mmdebstrap index 112cd32..91d8696 100755 --- a/mmdebstrap +++ b/mmdebstrap @@ -1104,6 +1104,22 @@ sub setup { # into account. $ENV{"APT_CONFIG"} = "$tmpfile"; + # when apt-get update is run by the root user, then apt will attempt to + # drop privileges to the _apt user. This will fail if the _apt user does + # not have permissions to read the root directory. In that case, we have + # to disable apt sandboxing. + if ($options->{mode} eq 'root') { + my $dummy = '/var/lib/apt/lists/partial/dummy'; + if (system('/usr/lib/apt/apt-helper', 'drop-privs', 'touch', "$options->{root}$dummy") != 0) { + warning "Download is performed unsandboxed as root as file $options->{root}$dummy couldn't be accessed by user _apt"; + open my $fh, '>>', $tmpfile or error "cannot open $tmpfile for appending: $!"; + print $fh "APT::Sandbox::User \"root\";\n"; + close $fh; + } else { + unlink "$options->{root}$dummy" or error "unable to unlink $options->{root}$dummy: $!"; + } + } + # setting PATH for chroot, ldconfig, start-stop-daemon... if (defined $ENV{PATH} && $ENV{PATH} ne "") { $ENV{PATH} = "$ENV{PATH}:/usr/sbin:/usr/bin:/sbin:/bin"; @@ -2480,6 +2496,7 @@ Examples: --aptopt='Acquire::Languages "none"' --aptopt='Apt::Install-Recommends "true"' --aptopt='Acquire::http { Proxy "http://127.0.0.1:3142"; }' + --aptopt='APT::Sandbox::User "root"' =item B<--dpkgopt>=I