disable apt sandboxing if the chroot directory is not accessible by the _apt user
parent
632b19eca3
commit
920877fa2a
2 changed files with 39 additions and 3 deletions
18
coverage.sh
18
coverage.sh
|
@ -347,6 +347,24 @@ else
|
||||||
./run_null.sh SUDO
|
./run_null.sh SUDO
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
print_header "mode=root,variant=apt: chroot directory not accessible by _apt user"
|
||||||
|
cat << END > shared/test.sh
|
||||||
|
#!/bin/sh
|
||||||
|
set -eu
|
||||||
|
export LC_ALL=C.UTF-8
|
||||||
|
mkdir /tmp/debian-unstable
|
||||||
|
chmod 700 /tmp/debian-unstable
|
||||||
|
$CMD --mode=root --variant=apt unstable /tmp/debian-unstable $mirror
|
||||||
|
tar -C /tmp/debian-unstable --one-file-system -c . | tar -t | sort > tar2.txt
|
||||||
|
diff -u tar1.txt tar2.txt
|
||||||
|
rm -r /tmp/debian-unstable
|
||||||
|
END
|
||||||
|
if [ "$HAVE_QEMU" = "yes" ]; then
|
||||||
|
./run_qemu.sh
|
||||||
|
else
|
||||||
|
./run_null.sh SUDO
|
||||||
|
fi
|
||||||
|
|
||||||
print_header "mode=unshare,variant=apt: create gzip compressed tarball"
|
print_header "mode=unshare,variant=apt: create gzip compressed tarball"
|
||||||
cat << END > shared/test.sh
|
cat << END > shared/test.sh
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
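Review bot: The new `mode=root` case only compares the resulting file list against `tar1.txt`, so it would still pass if sandboxing were switched off for every root-mode run rather than only when the `chmod 700` locks `_apt` out. Consider capturing the output of the `$CMD` line and asserting that the "Download is performed unsandboxed" warning is present, plus a companion run against a directory `_apt` can traverse that asserts the warning is absent. Because of `set -eu`, any failure before `rm -r /tmp/debian-unstable` leaves the directory behind, and under `./run_null.sh SUDO` a later `mkdir` would presumably fail on the leftover.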
24
mmdebstrap
24
mmdebstrap
|
@ -1104,6 +1104,22 @@ sub setup {
|
||||||
# into account.
|
# into account.
|
||||||
$ENV{"APT_CONFIG"} = "$tmpfile";
|
$ENV{"APT_CONFIG"} = "$tmpfile";
|
||||||
|
|
||||||
|
# when apt-get update is run by the root user, then apt will attempt to
|
||||||
|
# drop privileges to the _apt user. This will fail if the _apt user does
|
||||||
|
# not have permissions to read the root directory. In that case, we have
|
||||||
|
# to disable apt sandboxing.
|
||||||
|
if ($options->{mode} eq 'root') {
|
||||||
|
my $dummy = '/var/lib/apt/lists/partial/dummy';
|
||||||
|
if (system('/usr/lib/apt/apt-helper', 'drop-privs', 'touch', "$options->{root}$dummy") != 0) {
|
||||||
|
warning "Download is performed unsandboxed as root as file $options->{root}$dummy couldn't be accessed by user _apt";
|
||||||
|
open my $fh, '>>', $tmpfile or error "cannot open $tmpfile for appending: $!";
|
||||||
|
print $fh "APT::Sandbox::User \"root\";\n";
|
||||||
|
close $fh;
|
||||||
|
} else {
|
||||||
|
unlink "$options->{root}$dummy" or error "unable to unlink $options->{root}$dummy: $!";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
# setting PATH for chroot, ldconfig, start-stop-daemon...
|
# setting PATH for chroot, ldconfig, start-stop-daemon...
|
||||||
if (defined $ENV{PATH} && $ENV{PATH} ne "") {
|
if (defined $ENV{PATH} && $ENV{PATH} ne "") {
|
||||||
$ENV{PATH} = "$ENV{PATH}:/usr/sbin:/usr/bin:/sbin:/bin";
|
$ENV{PATH} = "$ENV{PATH}:/usr/sbin:/usr/bin:/sbin:/bin";
|
||||||
|
@ -2480,6 +2496,7 @@ Examples:
|
||||||
--aptopt='Acquire::Languages "none"'
|
--aptopt='Acquire::Languages "none"'
|
||||||
--aptopt='Apt::Install-Recommends "true"'
|
--aptopt='Apt::Install-Recommends "true"'
|
||||||
--aptopt='Acquire::http { Proxy "http://127.0.0.1:3142"; }'
|
--aptopt='Acquire::http { Proxy "http://127.0.0.1:3142"; }'
|
||||||
|
--aptopt='APT::Sandbox::User "root"'
|
||||||
|
|
||||||
=item B<--dpkgopt>=I<option>|I<file>
|
=item B<--dpkgopt>=I<option>|I<file>
|
||||||
|
|
||||||
|
@ -2624,9 +2641,10 @@ B<fakechroot> is used if the fakechroot binary exists.
|
||||||
|
|
||||||
=item B<sudo>, B<root>
|
=item B<sudo>, B<root>
|
||||||
|
|
||||||
This mode directly executes chroot and is the same mode of operation as is used
|
This mode directly executes chroot and is the same mode of operation as is
|
||||||
by debootstrap. It is the only mode that can directly create a directory chroot
|
used by debootstrap. It is the only mode that can directly create a directory
|
||||||
with the right permissions.
|
chroot with the right permissions. If the chroot directory is not accessible
|
||||||
|
by the _apt user, then apt sandboxing will be automatically disabled.
|
||||||
|
|
||||||
=item B<unshare>
|
=item B<unshare>
|
||||||
|
|
||||||
|
|
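Review bot: In the `setup` hunk, every non-zero result from `system('/usr/lib/apt/apt-helper', 'drop-privs', 'touch', ...)` is read as "_apt cannot reach the chroot", so a helper that is missing or cannot be executed also switches apt to `APT::Sandbox::User "root"`, with a warning that names the wrong cause. Since this downgrades privilege separation, the probe should fail closed when it could not run at all: call `system(...)` as its own statement, then `error "cannot execute apt-helper: $!" if $? == -1;` before testing `if ($? != 0) {`. The results of `print $fh` and `close $fh` are unchecked, so a failed append to the apt config would go unnoticed; `close $fh or error "cannot close $tmpfile: $!";` would match the handling on the `open` line. Whether `/var/lib/apt/lists/partial` already exists under the chroot at this point is not visible here, and `setup` continues outside the hunk.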