Re: Bug#725434: Problems with gbp when $TMP != /tmp
On Wed, Oct 21, 2015 at 04:27:13PM +0200, Andreas Tille wrote:
> > I uploaded 0.219~bpo8+1 2 days ago ^^
>
> Installed - but I need the `chmod 777` part with this one ... As the old one.

Thanks for the data point, will look for a fix somehow.
Sadly (?) I don't use libpam-tmp, and there are several other priorities
for me before this particular bug, so I'm sorry you'll have to wait some
time (or provide a patch ;)).

--
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
more about me:  http://mapreri.org                              : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
Re: Bug#725434: Problems with gbp when $TMP != /tmp
On Tue, Oct 20, 2015 at 05:16:06PM +, Mattia Rizzolo wrote:
> > pbuilder:
> >   Installed: 0.215+nmu4~bpo8+1
> >   Candidate: 0.215+nmu4~bpo8+1
>
> well, please `apt update` :)
> I uploaded 0.219~bpo8+1 2 days ago ^^

Installed - but I need the `chmod 777` part with this one ...

Kind regards

      Andreas.

--
http://fam-tille.de
Re: Bug#725434: Problems with gbp when $TMP != /tmp
* Mattia Rizzolo, 2015-10-20, 16:18:
>> [ -n "$TMP" -a ! -d "$TMP" ] && mkdir -p "$TMP" || true
>> [ -n "$TMPDIR" -a ! -d "$TMPDIR" ] && mkdir -p "$TMPDIR" || true

POSIX says that one should use $TMPDIR as a directory for temporary
files. If you know software that uses $TMP, $TEMP, $TEMPDIR or something
else for this purpose, please file bugs. :)

> umh, something tells me this is not enough: hooks are run as root,
> while the build is not, so the build user would not be able to write
> there. Currently the build username or user ID is not exported to the
> hooks, so the best you can do is to chmod 777 TMPDIR and TMP (programs
> using /tmp should be able to use that securely anyway...)

ITYM 1777. Without sticky bit set, other users could remove your
temporary files or directories and replace them with their own, which
would not end well.

--
Jakub Wilk
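The hook discussed in this thread, written out as an added example (it is not code from the bug report or from pbuilder itself). It assumes the hook is installed as a pbuilder D-hook (the thread's `.pbuilder/D10tmp` path) and runs as root before the build; the function and helper names are made up for the example. It creates whatever `$TMPDIR` and `$TMP` point at and sets mode 1777 rather than 777, so the unprivileged build user can write there without other users being able to remove or replace its files, which is the sticky-bit point raised above:

```sh
#!/bin/sh
# Added example (not from the bug thread): a pbuilder hook such as
# ~/.pbuilder/hooks/D10tmp that prepares the per-user temp directory set by
# libpam-tmpdir ($TMPDIR, plus $TMP for software that still reads it) so the
# unprivileged build user can write to it.  Hooks run as root and the build
# user's name/uid is not exported to them, so a world-writable directory is
# the only option; the sticky bit (mode 1777, like /tmp itself) stops other
# users from removing or replacing each other's files in it.

ensure_sticky_tmp() {
    # $1: directory named by $TMPDIR or $TMP; an empty value means "unset".
    dir=$1
    [ -n "$dir" ] || return 0
    case $dir in
        # /tmp is already 1777; never touch it, and refuse relative paths.
        /tmp | /tmp/ | /) return 0 ;;
        /*) ;;
        *) echo "ensure_sticky_tmp: refusing relative path '$dir'" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    # 1777 = rwxrwxrwt: world-writable with the sticky bit set.
    chmod 1777 "$dir" || return 1
}

# Permission string of a directory as ls shows it ("drwxrwxrwt" when correct).
tmp_mode() {
    ls -ld "$1" | cut -c1-10
}

# Hook body: prepare both variables, but never abort the build over it,
# matching the "|| true" spirit of the original one-liners.
for d in "$TMPDIR" "$TMP"; do
    ensure_sticky_tmp "$d" || echo "D10tmp: could not prepare $d" >&2
done
```

Note that `mkdir -p` creates any missing parents (for example `/tmp/user` under the libpam-tmpdir layout) with the default umask; only the final directory gets 1777, which is the one the build user needs to write into.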
Re: Bug#725434: Problems with gbp when $TMP != /tmp
On Tue, Oct 20, 2015 at 07:07:11PM +0200, Andreas Tille wrote:
> > the best you can do is to chmod 777 TMPDIR and TMP (programs using
> > /tmp should be able to use that securely anyway...)
>
> I can confirm that this works.

ok, thanks.

> > JOOI, can you try with pbuilder from backports and see whether with the
> > changed build place something different happens?
>
> I forgot to say that I'm just doing this:
>
> $ apt-cache policy pbuilder
> pbuilder:
>   Installed: 0.215+nmu4~bpo8+1
>   Candidate: 0.215+nmu4~bpo8+1

well, please `apt update` :)
I uploaded 0.219~bpo8+1 2 days ago ^^

--
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
more about me:  http://mapreri.org                              : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
Re: Bug#725434: Problems with gbp when $TMP != /tmp
On Tue, Oct 20, 2015 at 03:07:55PM +0200, Andreas Tille wrote:
> I'm obviously beaten by bug #725434 when trying to use gbp on a stable
> box with libpam-tmpdir. I followed the workaround and added a hook
> script:
>
> $ cat .pbuilder/D10tmp
> [ -n "$TMP" -a ! -d "$TMP" ] && mkdir -p "$TMP" || true
> [ -n "$TMPDIR" -a ! -d "$TMPDIR" ] && mkdir -p "$TMPDIR" || true

umh, something tells me this is not enough: hooks are run as root, while
the build is not, so the build user would not be able to write there.
Currently the build username or user ID is not exported to the hooks, so
the best you can do is to chmod 777 TMPDIR and TMP (programs using /tmp
should be able to use that securely anyway...)

> The interesting thing here is that while TMP=/tmp/user/0 this
> dir is empty and the packaging is done in /tmp/buildd. If I do

the directory where the package is kept and the build is done is
hardcoded to /tmp/buildd/ till 0.216, where it was made configurable and
moved to /build/.

JOOI, can you try with pbuilder from backports and see whether with the
changed build place something different happens?

> # cd /tmp/buildd/python-pyfaidx-0.4.2
> # dh_builddeb -O--buildsystem=pybuild
> dpkg-deb: building package `python-pyfaidx' in
> `../python-pyfaidx_0.4.2-0~bpo8+1_all.deb'.
> dpkg-deb: building package `python3-pyfaidx' in
> `../python3-pyfaidx_0.4.2-0~bpo8+1_all.deb'.
> dpkg-deb: building package `python-pyfaidx-examples' in
> `../python-pyfaidx-examples_0.4.2-0~bpo8+1_all.deb'.
>
> this obviously works fine.

yes, because you're building as root, which can write anywhere he likes :)

> So the problem is definitely created by gbp.

s/gbp/pbuilder/

--
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
more about me:  http://mapreri.org                              : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
Re: Bug#725434: Problems with gbp when $TMP != /tmp
Hi Mattia,

On Tue, Oct 20, 2015 at 04:18:55PM +, Mattia Rizzolo wrote:
> On Tue, Oct 20, 2015 at 03:07:55PM +0200, Andreas Tille wrote:
> > I'm obviously beaten by bug #725434 when trying to use gbp on a stable
> > box with libpam-tmpdir. I followed the workaround and added a hook
> > script:
> >
> > $ cat .pbuilder/D10tmp
> > [ -n "$TMP" -a ! -d "$TMP" ] && mkdir -p "$TMP" || true
> > [ -n "$TMPDIR" -a ! -d "$TMPDIR" ] && mkdir -p "$TMPDIR" || true
>
> umh, something tells me this is not enough: hooks are run as root, while
> the build is not, so the build user would not be able to write there.
> Currently the build username or user ID is not exported to the hooks, so
> the best you can do is to chmod 777 TMPDIR and TMP (programs using
> /tmp should be able to use that securely anyway...)

I can confirm that this works.

> > The interesting thing here is that while TMP=/tmp/user/0 this
> > dir is empty and the packaging is done in /tmp/buildd. If I do
>
> the directory where the package is kept and the build is done is
> hardcoded to /tmp/buildd/ till 0.216, where it was made configurable and
> moved to /build/.
>
> JOOI, can you try with pbuilder from backports and see whether with the
> changed build place something different happens?

I forgot to say that I'm just doing this:

$ apt-cache policy pbuilder
pbuilder:
  Installed: 0.215+nmu4~bpo8+1
  Candidate: 0.215+nmu4~bpo8+1
  Version table:
 *** 0.215+nmu4~bpo8+1 0
        501 http://httpredir.debian.org/debian/ jessie-backports/main amd64 Packages
        100 /var/lib/dpkg/status
     0.215+nmu3 0
        500 http://httpredir.debian.org/debian/ jessie/main amd64 Packages

> > # cd /tmp/buildd/python-pyfaidx-0.4.2
> > # dh_builddeb -O--buildsystem=pybuild
> > dpkg-deb: building package `python-pyfaidx' in
> > `../python-pyfaidx_0.4.2-0~bpo8+1_all.deb'.
> > dpkg-deb: building package `python3-pyfaidx' in
> > `../python3-pyfaidx_0.4.2-0~bpo8+1_all.deb'.
> > dpkg-deb: building package `python-pyfaidx-examples' in
> > `../python-pyfaidx-examples_0.4.2-0~bpo8+1_all.deb'.
> >
> > this obviously works fine.
>
> yes, because you're building as root, which can write anywhere he likes
> :)
>
> > So the problem is definitely created by gbp.
>
> s/gbp/pbuilder/

If you think so... At least it is pbuilder only if called by gbp.

Kind regards

      Andreas.

--
http://fam-tille.de