rockdrilla
/
mmdebstrap
forked from josch/mmdebstrap
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

disable apt sandboxing if the chroot directory is not accessible by the _apt user

Browse Source
debextract
Johannes 'josch' Schauer 5 years ago
parent 632b19eca3
commit 920877fa2a
Signed by untrusted user: josch
GPG Key ID: F2CBA5C78FBD83E1
2 changed files with 39 additions and 3 deletions
Show Stats Download Patch File Download Diff File

18
coverage.sh
Unescape Escape View File

@ -347,6 +347,24 @@ else
./run_null.sh SUDO
fi
print_header "mode=root,variant=apt: chroot directory not accessible by _apt user"
cat << END > shared/test.sh
#!/bin/sh
set -eu
export LC_ALL=C.UTF-8
mkdir /tmp/debian-unstable
chmod 700 /tmp/debian-unstable
$CMD --mode=root --variant=apt unstable /tmp/debian-unstable $mirror
tar -C /tmp/debian-unstable --one-file-system -c . | tar -t | sort > tar2.txt
diff -u tar1.txt tar2.txt
rm -r /tmp/debian-unstable
END
if [ "$HAVE_QEMU" = "yes" ]; then
./run_qemu.sh
else
./run_null.sh SUDO
fi
print_header "mode=unshare,variant=apt: create gzip compressed tarball"
cat << END > shared/test.sh
#!/bin/sh

24
mmdebstrap
Unescape Escape View File

@ -1104,6 +1104,22 @@ sub setup {
# into account.
$ENV{"APT_CONFIG"} = "$tmpfile";
# when apt-get update is run by the root user, then apt will attempt to
# drop privileges to the _apt user. This will fail if the _apt user does
# not have permissions to read the root directory. In that case, we have
# to disable apt sandboxing.
if ($options->{mode} eq 'root') {
my $dummy = '/var/lib/apt/lists/partial/dummy';
if (system('/usr/lib/apt/apt-helper', 'drop-privs', 'touch', "$options->{root}$dummy") != 0) {
warning "Download is performed unsandboxed as root as file $options->{root}$dummy couldn't be accessed by user _apt";
open my $fh, '>>', $tmpfile or error "cannot open $tmpfile for appending: $!";
print $fh "APT::Sandbox::User \"root\";\n";
close $fh;
} else {
unlink "$options->{root}$dummy" or error "unable to unlink $options->{root}$dummy: $!";
}
}
# setting PATH for chroot, ldconfig, start-stop-daemon...
if (defined $ENV{PATH} && $ENV{PATH} ne "") {
$ENV{PATH} = "$ENV{PATH}:/usr/sbin:/usr/bin:/sbin:/bin";
@ -2480,6 +2496,7 @@ Examples:
--aptopt='Acquire::Languages "none"'
--aptopt='Apt::Install-Recommends "true"'
--aptopt='Acquire::http { Proxy "http://127.0.0.1:3142"; }'
--aptopt='APT::Sandbox::User "root"'
=item B<--dpkgopt>=I<option>|I<file>
@ -2624,9 +2641,10 @@ B<fakechroot> is used if the fakechroot binary exists.
=item B<sudo>, B<root>
This mode directly executes chroot and is the same mode of operation as is used
by debootstrap. It is the only mode that can directly create a directory chroot
with the right permissions.
This mode directly executes chroot and is the same mode of operation as is
used by debootstrap. It is the only mode that can directly create a directory
chroot with the right permissions. If the chroot directory is not accessible
by the _apt user, then apt sandboxing will be automatically disabled.
=item B<unshare>

Write Preview
Loading…
Cancel
Save