On Sat, Aug 23, 2025 at 04:19:29PM +0200, Thorsten Glaser wrote:
> On Sat, 23 Aug 2025, Michael Tokarev wrote:
>
> >> Does this entirely break things like running sudo within a
> >> qemu-user-emulated chroot (or buildd/cowbuilder/schroot)?
>
> > It discontinues elevating (changing) privileges using qemu-user binfmt
> > handler. Things like /foreign/chroot//bin/su and /foreign/chroot/bin/sudo
> > does not work anymore. If you run sudo /foreign/chroot/bin/bash,
> > your bash will continue run as root under qemu-user, as before.
>
> But the use case is:
> prompt> chroot /foreign/chroot su - user
> chroot> do something
> chroot> sudo do something else # this step
> […]
> chroot> exit
So you don't need elevation at all, as chroot already requires
privileges. Please show the log of such a broken use-case.
Also "su - user", seriously?
> This needs to work, or at least be enablable (with a documentation
> in at least README.Debian, with a NEWS.Debian entry pointing to it
> saying precisely how, not vague “this will require changes to your
> deployment”).
You need to fix the implementation to not require elevation.
> > There are no alternatives - qemu is unique in this regard. And
> > it has never been designed for this usage. What we had for 15+
> > years, unnoticed, is like `chmod u+s /bin/sh`, which is never
> > supposed to be used like this.
> Perhaps, but there’s shades in between.
No, there are not. qemu-user is not expected to be used in this way.
> > If you rely on suid/sgid *foreign* binaries, that's where the
> > problem lies.
> Yes. People expect to be able to run foreign-arch chroots.
> Entire buildd setups partly rely on this, too…
And they can still do that. They just can't jump from user back to
root. So replace sudo with ctrl-d.
> > As stated in the announcement, if you relied on this feature,
> > you have to rework your setup.
> And that is both too vague and not in README.Debian so that
> people installing qemu-user later can find that.
Please provide patches.
Bastian
--
The sight of death frightens them [Earthers].
-- Kras the Klingon, "Friday's Child", stardate 3497.2
