From a78bdb841dbe7839c8afd7184d821ed42dd334cc Mon Sep 17 00:00:00 2001 From: Dave Reisner Date: Sun, 21 Sep 2014 15:03:28 -0400 Subject: makechrootpkg: build as same UID as invoker Changing UID to that of 'nobody' is arbitrary at best, and an information leak at worst. Let's just drop back to the same UID of the invoker. --- makechrootpkg.in | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) (limited to 'makechrootpkg.in') diff --git a/makechrootpkg.in b/makechrootpkg.in index 8bc18a4..b82c2a2 100644 --- a/makechrootpkg.in +++ b/makechrootpkg.in @@ -234,7 +234,13 @@ prepare_chroot() { echo 'SRCDEST="/srcdest"' >> "$copydir/etc/makepkg.conf" fi - chown -R nobody "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir} + builduser_uid=${SUDO_UID:-$UID} + + # We can't use useradd without chrooting, otherwise it invokes PAM modules + # which we might not be able to load (i.e. when building i686 packages on + # an x86_64 host). + printf 'builduser:x:%d:100:builduser:/:/usr/bin/nologin\n' "$builduser_uid" >>"$copydir/etc/passwd" + chown -R "$builduser_uid" "$copydir"/{build,pkgdest,srcpkgdest,logdest,srcdest,startdir} if [[ -n $MAKEFLAGS ]]; then sed -i '/^MAKEFLAGS=/d' "$copydir/etc/makepkg.conf" @@ -246,12 +252,12 @@ prepare_chroot() { echo "PACKAGER='${PACKAGER}'" >> "$copydir/etc/makepkg.conf" fi - if [[ ! -f $copydir/etc/sudoers.d/nobody-pacman ]]; then - cat > "$copydir/etc/sudoers.d/nobody-pacman" < "$copydir/etc/sudoers.d/builduser-pacman" <&1 | tee "/logdest/${pkgfile##*/}-namcap.log" + sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log" done fi -- cgit v1.2.3-70-g09d2