disallow running chrootless as root without fakeroot unless --skip=check/chrootless is used
This commit is contained in:
parent
ae6dcc001d
commit
428ee78121
3 changed files with 15 additions and 5 deletions
16
mmdebstrap
16
mmdebstrap
|
@ -4939,9 +4939,17 @@ sub main() {
|
||||||
test_unshare_userns(1);
|
test_unshare_userns(1);
|
||||||
}
|
}
|
||||||
} elsif ($options->{mode} eq 'chrootless') {
|
} elsif ($options->{mode} eq 'chrootless') {
|
||||||
if ($EFFECTIVE_USER_ID == 0) {
|
if (any { $_ eq 'check/chrootless' } @{ $options->{skip} }) {
|
||||||
warning "running chrootless mode as root might damage the host "
|
info "skipping check/chrootless as requested";
|
||||||
. "system";
|
} else {
|
||||||
|
my $ischroot = 0 == system 'ischroot';
|
||||||
|
if ( $EFFECTIVE_USER_ID == 0
|
||||||
|
&& !exists $ENV{FAKEROOTKEY}
|
||||||
|
&& !$ischroot) {
|
||||||
|
error
|
||||||
|
"running chrootless mode as root without fakeroot might "
|
||||||
|
. "damage the host system if not run inside a chroot";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
error "unknown mode: $options->{mode}";
|
error "unknown mode: $options->{mode}";
|
||||||
|
@ -7240,6 +7248,8 @@ Upon startup, several checks are carried out, like:
|
||||||
|
|
||||||
=item * which mode to use and whether prerequisites are met
|
=item * which mode to use and whether prerequisites are met
|
||||||
|
|
||||||
|
=item * do not allow chrootless mode as root (without fakeroot) unless inside a chroot. This check can be disabled using B<--skip=check/chrootless>
|
||||||
|
|
||||||
=item * whether the requested architecture can be executed (requires arch-test) using qemu binfmt_misc support. This requires arch-test and can be disabled using B<--skip=check/qemu>
|
=item * whether the requested architecture can be executed (requires arch-test) using qemu binfmt_misc support. This requires arch-test and can be disabled using B<--skip=check/qemu>
|
||||||
|
|
||||||
=item * how the apt sources can be assembled from I<SUITE>, I<MIRROR> and B<--components> and/or from standard input as deb822 or one-line format and whether the required GPG keys exist.
|
=item * how the apt sources can be assembled from I<SUITE>, I<MIRROR> and B<--components> and/or from standard input as deb822 or one-line format and whether the required GPG keys exist.
|
||||||
|
|
|
@ -8,7 +8,7 @@ trap "rm -f /tmp/chrootless.tar /tmp/root.tar" EXIT INT TERM
|
||||||
for INCLUDE in '' 'apt' 'apt,build-essential' 'systemd-sysv'; do
|
for INCLUDE in '' 'apt' 'apt,build-essential' 'systemd-sysv'; do
|
||||||
for MODE in root chrootless; do
|
for MODE in root chrootless; do
|
||||||
{{ CMD }} --mode=$MODE --variant={{ VARIANT }} --hook-dir=./hooks/merged-usr \
|
{{ CMD }} --mode=$MODE --variant={{ VARIANT }} --hook-dir=./hooks/merged-usr \
|
||||||
${INCLUDE:+--include="$INCLUDE"} \
|
${INCLUDE:+--include="$INCLUDE"} --skip=check/chrootless \
|
||||||
{{ DIST }} "/tmp/$MODE.tar" {{ MIRROR }}
|
{{ DIST }} "/tmp/$MODE.tar" {{ MIRROR }}
|
||||||
done
|
done
|
||||||
cmp /tmp/root.tar /tmp/chrootless.tar || diffoscope /tmp/root.tar /tmp/chrootless.tar
|
cmp /tmp/root.tar /tmp/chrootless.tar || diffoscope /tmp/root.tar /tmp/chrootless.tar
|
||||||
|
|
|
@ -45,7 +45,7 @@ for INCLUDE in '' 'apt' 'systemd-sysv'; do
|
||||||
arch-test "$arch" && exit 1
|
arch-test "$arch" && exit 1
|
||||||
{{ CMD }} --mode=chrootless --architecture="$arch" --variant={{ VARIANT }} \
|
{{ CMD }} --mode=chrootless --architecture="$arch" --variant={{ VARIANT }} \
|
||||||
--hook-dir=./hooks/merged-usr ${INCLUDE:+--include="$INCLUDE"} \
|
--hook-dir=./hooks/merged-usr ${INCLUDE:+--include="$INCLUDE"} \
|
||||||
{{ DIST }} "/tmp/chrootless.tar" {{ MIRROR }}
|
--skip=check/chrootless {{ DIST }} "/tmp/chrootless.tar" {{ MIRROR }}
|
||||||
# when creating a foreign architecture chroot, the tarballs are not
|
# when creating a foreign architecture chroot, the tarballs are not
|
||||||
# bit-by-bit identical but contain a few remaining differences:
|
# bit-by-bit identical but contain a few remaining differences:
|
||||||
#
|
#
|
||||||
|
|
Loading…
Reference in a new issue