Re: Bug#725434: Problems with gbp when $TMP != /tmp

2015-10-22 Thread Mattia Rizzolo
On Wed, Oct 21, 2015 at 04:27:13PM +0200, Andreas Tille wrote:
> > I uploaded 0.219~bpo8+1 2 days ago ^^
> 
> Installed - but I need the `chmod 777` part with this one ...

As the old one.

Thanks for the data point, will look for a fix somehow.
Sadly (?) I don't use libpam-tmp, and there are several other priorities
for me before this particular bug, so I'm sorry you'll have to wait some
time (or provide a patch ;)).

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  http://mapreri.org  : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-


signature.asc
Description: PGP signature


Re: Bug#725434: Problems with gbp when $TMP != /tmp

2015-10-21 Thread Andreas Tille
On Tue, Oct 20, 2015 at 05:16:06PM +, Mattia Rizzolo wrote:
> > pbuilder:
> >   Installed: 0.215+nmu4~bpo8+1
> >   Candidate: 0.215+nmu4~bpo8+1
> 
> well, please `apt update` :)
> I uploaded 0.219~bpo8+1 2 days ago ^^

Installed - but I need the `chmod 777` part with this one ...

Kind regards

  Andreas.


-- 
http://fam-tille.de



Re: Bug#725434: Problems with gbp when $TMP != /tmp

2015-10-20 Thread Jakub Wilk

* Mattia Rizzolo, 2015-10-20, 16:18:
> [ -n "$TMP" -a ! -d "$TMP" ] && mkdir -p "$TMP" || true
> [ -n "$TMPDIR" -a ! -d "$TMPDIR" ] && mkdir -p "$TMPDIR" || true

POSIX says that one should use $TMPDIR as a directory for temporary 
files. If you know software that uses $TMP, $TEMP, $TEMPDIR or something 
else for this purpose, please file bugs. :)

> umh, something tells me this is not enough: hooks are run as root, 
> while the build is not, so the build user would not be able to write 
> there. Currently the build username or user ID is not exported to the 
> hooks, so the best you can do is to chmod 777 TMPDIR and TMP 
> (programs using /tmp should be able to use that securely anyway...)

ITYM 1777. Without sticky bit set, other users could remove your 
temporary files or directories and replace them with their own, which 
would not end well.


--
Jakub Wilk



Re: Bug#725434: Problems with gbp when $TMP != /tmp

2015-10-20 Thread Mattia Rizzolo
On Tue, Oct 20, 2015 at 07:07:11PM +0200, Andreas Tille wrote:
> > the best you can do is to chmod 777 TMPDIR and TMP (programs using
> > /tmp should be able to use that securely anyway...)
> 
> I can confirm that this works.

ok, thanks.

> > JOOI, can you try with pbuilder from backports and see whether with the
> > changed build place something different happens?
> 
> I forget to say that I'm just doing this:
> 
> $ apt-cache policy pbuilder
> pbuilder:
>   Installed: 0.215+nmu4~bpo8+1
>   Candidate: 0.215+nmu4~bpo8+1

well, please `apt update` :)
I uploaded 0.219~bpo8+1 2 days ago ^^

-- 
regards,
Mattia Rizzolo



Re: Bug#725434: Problems with gbp when $TMP != /tmp

2015-10-20 Thread Mattia Rizzolo
On Tue, Oct 20, 2015 at 03:07:55PM +0200, Andreas Tille wrote:
> I'm obviously beaten by bug #725434 when trying to use gbp on a stable
> box with libpam-tmpdir.  I followed the workaround and added a hook
> script:
> 
> $ cat .pbuilder/D10tmp 
> [ -n "$TMP" -a ! -d "$TMP" ] && mkdir -p "$TMP" || true
> [ -n "$TMPDIR" -a ! -d "$TMPDIR" ] && mkdir -p "$TMPDIR" || true

umh, something tells me this is not enough: hooks are run as root, while
the build is not, so the build user would not be able to write there.
Currently the build username or user ID is not exported to the hooks, so
the best you can do is to chmod 777 TMPDIR and TMP (programs using
/tmp should be able to use that securely anyway...)

> The interesting thing here is that while TMP=/tmp/user/0 this
> dir is empty and the packaging is done in /tmp/buildd.  If I do

the directory where the package is kept and the build is done is
hardcoded to /tmp/buildd/ till 0.216, where it was made configurable and
moved to /build/.

JOOI, can you try with pbuilder from backports and see whether with the
changed build place something different happens?


>   # cd /tmp/buildd/python-pyfaidx-0.4.2
>   # dh_builddeb -O--buildsystem=pybuild
> dpkg-deb: building package `python-pyfaidx' in 
> `../python-pyfaidx_0.4.2-0~bpo8+1_all.deb'.
> dpkg-deb: building package `python3-pyfaidx' in 
> `../python3-pyfaidx_0.4.2-0~bpo8+1_all.deb'.
> dpkg-deb: building package `python-pyfaidx-examples' in 
> `../python-pyfaidx-examples_0.4.2-0~bpo8+1_all.deb'.
> 
> this obviously works fine.

yes, because you're building as root, which can write anywhere he likes
:)

> So the problem is definitely created by gbp.

s/gbp/pbuilder/

-- 
regards,
Mattia Rizzolo

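The hook Mattia describes above (create $TMP and $TMPDIR as root before the build, then open them up for the unprivileged build user) and Jakub's correction further up the thread (1777, not 777) together describe one small script. The following is an added example written for this page, in the style of Andreas' D10tmp hook; it is not the hook from the bug report and not code shipped by pbuilder. The function names, the root-only guard at the bottom and the refusal to follow a symlink are choices made here, not pbuilder behaviour:

```shell
#!/bin/sh
# Added example (not from Bug#725434 or from pbuilder): a D-hook that runs
# as root inside the chroot before the build and prepares the temporary
# directories that libpam-tmpdir puts into $TMP / $TMPDIR (/tmp/user/<uid>).
# The build itself runs as an unprivileged user, so the directory must be
# writable by that user; 1777 (sticky bit + rwx for everyone) gives that
# without letting one user unlink or rename another user's entries.

set -u

# Create "$1" if needed and set mode 1777. With the sticky bit set, an entry
# in the directory can only be removed or renamed by the entry's owner, the
# directory's owner or root, so a shared temp directory cannot be used to
# swap someone else's temporary file for an attacker-controlled one.
make_shared_tmpdir() {
    dir=$1
    [ -n "$dir" ] || return 0
    # A symlink planted at this path would make chmod act on its target;
    # refuse rather than loosen permissions on something we did not create.
    if [ -L "$dir" ]; then
        echo "refusing to prepare $dir: it is a symlink" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    # chmod after mkdir -p: -m only applies when mkdir creates the
    # directory, and we also want an already-existing directory fixed up.
    chmod 1777 "$dir" || return 1
}

# Octal mode of "$1", e.g. 1777 (stat(1) from GNU coreutils, as in Debian).
mode_of() {
    stat -c %a "$1"
}

# Succeeds when "$1" is a directory that is world-writable with the sticky
# bit set, i.e. safe to hand to an unprivileged build user as $TMPDIR.
is_sticky_world_writable() {
    [ -d "$1" ] && [ "$(mode_of "$1")" = 1777 ]
}

# Hook entry point. pbuilder runs D-hooks as root; the uid guard keeps the
# script harmless if someone runs it by hand as a normal user.
if [ "$(id -u)" -eq 0 ]; then
    for d in "${TMP:-}" "${TMPDIR:-}"; do
        make_shared_tmpdir "$d" || echo "could not prepare $d" >&2
    done
fi
```

Note that this only addresses the write-permission problem; it does not tell the hook which uid the build will run as, which is the limitation Mattia points out. Programs that follow the usual mkstemp(3)/O_EXCL discipline are fine in a 1777 directory; with plain 777 the same directory would let any other local user delete and replace their files.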


Re: Bug#725434: Problems with gbp when $TMP != /tmp

2015-10-20 Thread Andreas Tille
Hi Mattia,

On Tue, Oct 20, 2015 at 04:18:55PM +, Mattia Rizzolo wrote:
> On Tue, Oct 20, 2015 at 03:07:55PM +0200, Andreas Tille wrote:
> > I'm obviously beaten by bug #725434 when trying to use gbp on a stable
> > box with libpam-tmpdir.  I followed the workaround and added a hook
> > script:
> > 
> > $ cat .pbuilder/D10tmp 
> > [ -n "$TMP" -a ! -d "$TMP" ] && mkdir -p "$TMP" || true
> > [ -n "$TMPDIR" -a ! -d "$TMPDIR" ] && mkdir -p "$TMPDIR" || true
> 
> umh, something tells me this is not enough: hooks are run as root, while
> the build is not, so the build user would not be able to write there.
> Currently the build username or user ID is not exported to the hooks, so
> the best you can do is to chmod 777 TMPDIR and TMP (programs using
> /tmp should be able to use that securely anyway...)

I can confirm that this works.
 
> > The interesting thing here is that while TMP=/tmp/user/0 this
> > dir is empty and the packaging is done in /tmp/buildd.  If I do
> 
> the directory where the package is kept and the build is done is
> hardcoded to /tmp/buildd/ till 0.216, where it was made configurable and
> moved to /build/.
> 
> JOOI, can you try with pbuilder from backports and see whether with the
> changed build place something different happens?

I forgot to say that I'm just doing this:

$ apt-cache policy pbuilder
pbuilder:
  Installed: 0.215+nmu4~bpo8+1
  Candidate: 0.215+nmu4~bpo8+1
  Version table:
 *** 0.215+nmu4~bpo8+1 0
        501 http://httpredir.debian.org/debian/ jessie-backports/main amd64 Packages
        100 /var/lib/dpkg/status
     0.215+nmu3 0
        500 http://httpredir.debian.org/debian/ jessie/main amd64 Packages

> >   # cd /tmp/buildd/python-pyfaidx-0.4.2
> >   # dh_builddeb -O--buildsystem=pybuild
> > dpkg-deb: building package `python-pyfaidx' in 
> > `../python-pyfaidx_0.4.2-0~bpo8+1_all.deb'.
> > dpkg-deb: building package `python3-pyfaidx' in 
> > `../python3-pyfaidx_0.4.2-0~bpo8+1_all.deb'.
> > dpkg-deb: building package `python-pyfaidx-examples' in 
> > `../python-pyfaidx-examples_0.4.2-0~bpo8+1_all.deb'.
> > 
> > this obviously works fine.
> 
> yes, because you're building as root, which can write anywhere he likes
> :)
> 
> > So the problem is definitely created by gbp.
> 
> s/gbp/pbuilder/

If you think so...  At least it is pbuilder only if called by gbp.

Kind regards

  Andreas.


-- 
http://fam-tille.de