Control: tags -1 + patch

On Tue, May 13, 2014 at 11:32:34AM +0200, Helmut Grohne wrote:
> Package: pbuilder
> Version: 0.215
> Severity: normal
> 
> As has been pointed out on debian-devel at
> https://lists.debian.org/debian-devel/2014/05/msg00366.html using su in
> things like /etc/init.d is wrong. In a similar vein, pbuilder's usage of
> SUTOUSER is wrong, because it creates a new session, but builds should
> not create sessions. Apart from that, it also breaks running pbuilder
> inside user namespaces:
> 
> I: Extracting source
> su: System error
> 
> The invocation of su is a bit more verbose in auth.log:
> su[123]: PAM audit_log_acct_message() failed: Operation not permitted
> su[123]: pam_authenticate: System error
> su[123]: FAILED su for pbuilder by root
> su[123]: - ??? root:pbuilder
So the "real" fix is likely going into linux 3.15:
http://permalink.gmane.org/gmane.linux.kernel.commits.head/445016

> It is not clear to me what should be used instead. A number of options
> were mentioned:
> * start-stop-daemon
>   SUTOUSER=/sbin/start-stop-daemon --start --pidfile /dev/null --chuid
>   pbuilder --startas /bin/sh
>   (Thanks to Peter Palfrader for coming up with this beast.)

I prepared a patch for this variant anyway, because using older kernels
is not a rare thing. Better fix both.

Helmut
diff -Nru pbuilder-0.215/debian/changelog pbuilder-0.215+nmu1/debian/changelog --- pbuilder-0.215/debian/changelog 2013-03-30 03:06:05.000000000 +0100 +++ pbuilder-0.215+nmu1/debian/changelog 2014-05-22 21:44:27.000000000 +0200 @@ -1,3 +1,10 @@ +pbuilder (0.215+nmu1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Use start-stop-daemon rather than su. (closes: #747946) + + -- Helmut Grohne <[email protected]> Thu, 22 May 2014 21:44:07 +0200 + pbuilder (0.215) unstable; urgency=low * Do not try to use /dev/shm if /run/shm is not present. (closes: #702811, #702102) diff -Nru pbuilder-0.215/pbuilder-buildpackage pbuilder-0.215+nmu1/pbuilder-buildpackage --- pbuilder-0.215/pbuilder-buildpackage 2012-03-13 09:25:15.000000000 +0100 +++ pbuilder-0.215+nmu1/pbuilder-buildpackage 2014-05-22 21:45:47.000000000 +0200 @@ -37,14 +37,14 @@ # environment, so cowdancer shouldn't have to run, and fakeroot # should be running later, so it shouldn't matter. # LOGNAME: set this to shut up some tools. - # su -p : switch to user preserving env vars, we need most of them. - SUTOUSER="env LD_PRELOAD= LOGNAME=$BUILDUSERNAME su -p $BUILDUSERNAME" + # switch to user preserving env vars, we need most of them. + SUTOUSER="env LD_PRELOAD= LOGNAME=$BUILDUSERNAME /sbin/start-stop-daemon --start --pidfile /dev/null --chuid $BUILDUSERNAME --startas /bin/sh" DEBBUILDOPTS="${DEBBUILDOPTS:+$DEBBUILDOPTS }-rfakeroot" EXTRAPACKAGES="${EXTRAPACKAGES} fakeroot" log "I: using fakeroot in build." else # run the build in root - SUTOUSER="su -p " + SUTOUSER="sh" BUILDUSERID=0 BUILDUSERNAME=root fi
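Review bot: the changelog entry says only what was swapped, not why; since the NMU changes behaviour (the build no longer opens a PAM session, and su no longer fails inside user namespaces), put that in the entry so the bug number is not the only record, e.g. `* Use start-stop-daemon rather than su, so that builds do not open a PAM session and work inside user namespaces. (closes: #747946)`. The distribution is also still UNRELEASED; set it to unstable when uploading.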
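Review bot: the new SUTOUSER in pbuilder-buildpackage ends at `--startas /bin/sh` with no `--` terminator, so whatever the callers append is parsed by start-stop-daemon as its own options; the pre-image `su -p $BUILDUSERNAME` took `-c "cmd"`, the root branch is now a bare `sh` that still expects `-c`, and for start-stop-daemon `-c` is `--chuid`, so the build command would be read as a user name. The call sites are not in this diff, so please check them, and add the terminator (`--startas /bin/sh -- -c`, or keep `-c` at the call site after a trailing `--`) so the arguments reach the shell. The removed `su -p` comment also deserves a replacement: say that `--pidfile /dev/null` is only there because `--start` refuses to run without one of --pidfile, --exec, --name or --user and /dev/null never yields a pid, so the "already running" check never matches, and that start-stop-daemon, unlike su, neither goes through PAM nor calls setsid unless given --background, which is the point of the change.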
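For readers who want to see what `--chuid` does underneath, and why it avoids the two problems in the report (a new session, and PAM's audit call failing inside a user namespace), here is an added C example. It is not pbuilder's or dpkg's code; the names resolve_chuid, drop_privs, privs_dropped, lookup_uid and the chuid-exec usage are mine. It switches to a build user with initgroups/setgid/setuid in that order, never calls setsid() or touches PAM, verifies that the drop stuck and that the session id is unchanged, then execs the command.

```c
/* Added example, not pbuilder's or dpkg's code: switch to an unprivileged
 * build user the way start-stop-daemon --chuid does underneath, without PAM
 * and without creating a new session, then exec the build command. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve "user" or "user:group" (the --chuid syntax) to numeric ids and
 * copy the bare user name into name[] for initgroups(). Returns 0 on
 * success, -1 if the spec is empty/too long or the user/group is unknown. */
int resolve_chuid(const char *spec, char *name, size_t namelen,
                  uid_t *uid, gid_t *gid)
{
    const char *colon = strchr(spec, ':');
    size_t ulen = colon ? (size_t)(colon - spec) : strlen(spec);
    struct passwd *pw;

    if (ulen == 0 || ulen >= namelen)
        return -1;
    memcpy(name, spec, ulen);
    name[ulen] = '\0';

    pw = getpwnam(name);
    if (!pw)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;            /* primary group unless overridden */

    if (colon && colon[1]) {
        struct group *gr = getgrnam(colon + 1);
        if (!gr)
            return -1;
        *gid = gr->gr_gid;
    }
    return 0;
}

/* Convenience wrapper (hypothetical helper): uid for a --chuid spec, or -1
 * if the spec does not resolve. */
long lookup_uid(const char *spec)
{
    char name[64];
    uid_t uid;
    gid_t gid;
    return resolve_chuid(spec, name, sizeof name, &uid, &gid) == 0 ? (long)uid : -1;
}

/* Drop from root to name/uid/gid in the only order that works: supplementary
 * groups and primary gid while still root, uid last. Deliberately no
 * setsid() and no PAM: the child stays in the caller's session, which is
 * what a build step wants. Returns 0 on success, -1 with errno set. */
int drop_privs(const char *name, uid_t uid, gid_t gid)
{
    if (initgroups(name, gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Check that the drop stuck: real and effective ids match the target and,
 * for a non-root target, root cannot be regained. Returns 1 if so, else 0. */
int privs_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)
        return 0;                 /* a saved uid of 0 was left behind */
    return 1;
}

/* Usage (as root): ./chuid-exec pbuilder /bin/sh -c 'id; ps -o sid= -p $$' */
int main(int argc, char **argv)
{
    char name[64];
    uid_t uid;
    gid_t gid;
    pid_t sid_before = getsid(0);

    if (argc < 3) {
        fprintf(stderr, "usage: %s user[:group] command [args...]\n", argv[0]);
        return 2;
    }
    if (resolve_chuid(argv[1], name, sizeof name, &uid, &gid) != 0) {
        fprintf(stderr, "%s: unknown user or group\n", argv[1]);
        return 1;
    }
    if (drop_privs(name, uid, gid) != 0) {
        fprintf(stderr, "drop_privs: %s\n", strerror(errno));
        return 1;
    }
    if (!privs_dropped(uid, gid) || getsid(0) != sid_before) {
        fprintf(stderr, "privilege drop did not stick or session changed\n");
        return 1;
    }
    execvp(argv[2], argv + 2);
    fprintf(stderr, "execvp %s: %s\n", argv[2], strerror(errno));
    return 127;
}
```

Run as root, the `ps -o sid=` in the usage line prints the same session id as the invoking shell, which is the property the report asks for; the same command wrapped in `su -p pbuilder -c` shows a different one and goes through the PAM stack that produces the audit_log_acct_message() failure in the report.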

