Your message dated Sun, 1 Dec 2024 14:41:14 +0100
with message-id <[email protected]>
and subject line Re: Bug#994034: (no subject)
has caused the Debian Bug report #994034,
regarding dpkg-deb call fails with permission error if user comes from LDAP
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
994034: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994034
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sbuild
Version: 0.81.2
Severity: important
Tags: upstream
Dear maintainers, thanks for your hard work with this amazing tool.
We're experimenting a problem with our sbuild deployment. I'm not even sure the
problem is with
sbuild itself, or shcroot, or what. Anyway, let me try explaining the setup.
* we have a separated virtual machine where we collectively build debian
packages using sbuild.
* the virtual machine uses LDAP for users with sssd as client stack, our users
are defined in LDAP.
* we maintain a bunch of schroots for the package builds (basically, one for
each debian release)
A normal operation would be:
* log into the VM via SSH
* go to a directory in the VM filesystem where a debian source package lives
* run sbuild, usual cmdline is something like: sbuild -v -A -d bullseye
--no-clean-source
* the package builds normally, but in the final stage the dpkg-deb call fails
I think the relevant part of the log is this:
=== 8< ===
[..]
dh_gencontrol -O--buildsystem=pybuild
dh_md5sums -O--buildsystem=pybuild
dh_builddeb -O--buildsystem=pybuild
dpkg-deb: building package 'toollabs-webservice' in
'../toollabs-webservice_0.76_all.deb'.
dpkg-deb: error: unable to create '../toollabs-webservice_0.76_all.deb':
Permission denied
dh_builddeb: error: dpkg-deb --build debian/toollabs-webservice .. returned
exit code 2
dh_builddeb: error: Aborting due to earlier error
make: *** [debian/rules:6: binary] Error 25
dpkg-buildpackage: error: fakeroot debian/rules binary subprocess returned exit
status 2
--------------------------------------------------------------------------------
Build finished at 2021-09-10T10:04:15Z
=== 8< ===
I logged it to the schroot after this error with --build-failed-commands
'%SBUILD_SHELL' to
investigate a bit more, and I see this:
(bullseye-amd64-sbuild)root@tools-package-builder-04:/build/toollabs-webservice-Oe7KMY#
ls -la
total 320
drwxr-x--- 4 aborrero sbuild 4096 Sep 10 10:09 .
drwxrws--- 3 sbuild sbuild 4096 Sep 10 10:08 ..
drwxr-x--- 6 aborrero sbuild 4096 Sep 10 10:08 resolver-CXim0X
drwxr-xr-x 9 18194 500 4096 Sep 10 10:09 toollabs-webservice-0.76
-rw-r--r-- 1 aborrero sbuild 642 Sep 10 10:08 toollabs-webservice_0.76.dsc
-rw-r--r-- 1 aborrero sbuild 307011 Sep 10 10:08 toollabs-webservice_0.76.tar.gz
(bullseye-amd64-sbuild)root@tools-package-builder-04:/build/toollabs-webservice-Oe7KMY#
ls -lna
total 320
drwxr-x--- 4 119 123 4096 Sep 10 10:09 .
drwxrws--- 3 117 123 4096 Sep 10 10:08 ..
drwxr-x--- 6 119 123 4096 Sep 10 10:08 resolver-CXim0X
drwxr-xr-x 9 18194 500 4096 Sep 10 10:09 toollabs-webservice-0.76
-rw-r--r-- 1 119 123 642 Sep 10 10:08 toollabs-webservice_0.76.dsc
-rw-r--r-- 1 119 123 307011 Sep 10 10:08 toollabs-webservice_0.76.tar.gz
(bullseye-amd64-sbuild)root@tools-package-builder-04:/build/toollabs-webservice-Oe7KMY#
id 119
uid=119(aborrero) gid=123(sbuild) groups=123(sbuild)
(bullseye-amd64-sbuild)root@tools-package-builder-04:/build/toollabs-webservice-Oe7KMY#
grep sbuild /etc/group
sbuild:x:123:aborrero
Additionally, some information from outside the schroot:
aborrero@tools-package-builder-04:~$ id sbuild
uid=117(sbuild) gid=123(sbuild) groups=123(sbuild)
aborrero@tools-package-builder-04:~$ id
uid=18194(aborrero) gid=500(wikidev) groups=123(sbuild),[.. many more ..]
aborrero@tools-package-builder-04:~$ grep aborrero /etc/group
sbuild:x:123:aborrero
aborrero@tools-package-builder-04:~$ id 119
id: ‘119’: no such user
You can see there is something wrong somewhere. My user is uid 18194 outside
the schroot (defined
in LDAP) but inside the schroot is 119 (likely statically defined inside the
schroot).
It seems the mapping between the real user (from the VM, defined in LDAP) and
the transient user
inside the schroot is not working well.
Please don't hesitate to request more information if required.
regards.
--- End Message ---
--- Begin Message ---
On Mon, Sep 13, 2021 at 11:13:25AM +0200, Johannes Schauer Marin Rodrigues
wrote:
> > The system is configured to use LDAP users. There is no reason for sbuild
> > to
> > ignore that and create arbitrary local users inside the schroot (if that's
> > what
> > is happening anyway).
> >
> > Perhaps you only read the email about using sudo and not the rest of the
> > report?
> > I mean, specifically, the nsswitch.conf diff inside/outside the chroot.
>
> but this is nothing that sbuild touches. If you want your chroots to use LDAP
> users, then you have to set it up that way.
[..]
So this appears to be a local configuration mistake. Not a bug,
then!
Chris
--- End Message ---
