Package: schroot
Version: 1.6.5-1.1
Severity: important
Tags: patch

Supplementary groups are initialized with initgroups before switching to the chroot. This means that groups are initialized according to the group database on the host system instead of the chroot. But groups should be initialized according to the group database inside the chroot.
The attached patch moves the group initialization after the chroot call. It is done against 1.6.5, but should also apply to 1.7.1 modulo the changed file location. But #685512 is a related but orthogonal problem. It might make sense to also move the pam initialization to after the chroot call to use the pam configuration inside the chroot. Otherwise setting groups with pam_groups won't work because they get overwritten by initgroups (as it's the case right now as far as I understand the code). But setting groups with pam_groups seems like a corner case to me.

Gaudenz

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (800, 'testing'), (700, 'unstable'), (50, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages schroot depends on:
ii  libboost-filesystem1.54.0       1.54.0-2
ii  libboost-iostreams1.54.0        1.54.0-2
ii  libboost-program-options1.54.0  1.54.0-2
ii  libboost-regex1.54.0            1.54.0-2
ii  libboost-system1.54.0           1.54.0-2
ii  libc6                           2.17-93
ii  libgcc1                         1:4.8.1-10
ii  liblockdev1                     1.0.3-1.5+b1
ii  libpam0g                        1.1.3-9
ii  libstdc++6                      4.8.1-10
ii  libuuid1                        2.20.1-5.5
ii  schroot-common                  1.6.5-1.1

schroot recommends no packages.

Versions of packages schroot suggests:
pn  aufs-modules | unionfs-modules  <none>
ii  btrfs-tools                     0.19+20130705-2
ii  debootstrap                     1.0.53
ii  lvm2                            2.02.98-6+b1
pn  qemu-user-static                <none>

-- Configuration Files:
/etc/schroot/sbuild/nssdatabases changed [not included]

-- no debconf information
--- schroot-1.6.5.orig/sbuild/sbuild-session.cc +++ schroot-1.6.5/sbuild/sbuild-session.cc @@ -1255,14 +1255,6 @@ session::run_child (sbuild::chroot::ptr& std::string location(session_chroot->get_path()); log_debug(DEBUG_INFO) << "location=" << location << std::endl; - /* Set group ID and supplementary groups */ - if (setgid (this->authstat->get_gid())) - throw error(this->authstat->get_gid(), GROUP_SET, strerror(errno)); - log_debug(DEBUG_NOTICE) << "Set GID=" << this->authstat->get_gid() << std::endl; - if (initgroups (this->authstat->get_user().c_str(), this->authstat->get_gid())) - throw error(GROUP_SET_SUP, strerror(errno)); - log_debug(DEBUG_NOTICE) << "Set supplementary groups" << std::endl; - /* Set the process execution domain. */ /* Will throw on failure. */ chroot_facet_personality::const_ptr pfac = @@ -1286,6 +1278,14 @@ session::run_child (sbuild::chroot::ptr& throw error(location, CHROOT, strerror(errno)); log_debug(DEBUG_NOTICE) << "Changed root to " << location << std::endl; + /* Set group ID and supplementary groups */ + if (setgid (this->authstat->get_gid())) + throw error(this->authstat->get_gid(), GROUP_SET, strerror(errno)); + log_debug(DEBUG_NOTICE) << "Set GID=" << this->authstat->get_gid() << std::endl; + if (initgroups (this->authstat->get_user().c_str(), this->authstat->get_gid())) + throw error(GROUP_SET_SUP, strerror(errno)); + log_debug(DEBUG_NOTICE) << "Set supplementary groups" << std::endl; + /* Set uid and check we are not still root */ if (setuid (this->authstat->get_uid())) throw error(this->authstat->get_uid(), USER_SET, strerror(errno));
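Review bot: in the first hunk (@@ -1255,14 +1255,6 @@), removing the setgid/initgroups block leaves the personality setup and the chroot() call running with root's primary and supplementary groups still in place; that is harmless, since setuid has not happened at this point either and chroot() needs the process to stay privileged, but the removal site now carries no hint that the block was moved on purpose. A one-line comment there (or a changelog entry) saying the group setup deliberately happens after chroot() so the chroot's group database is consulted would stop the block being reintroduced before the chroot() call later on.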
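Review bot: in the second hunk (@@ -1286,6 +1278,14 @@), the re-inserted block sits in the right place, between chroot() and setuid(): initgroups() and setgid() need privilege, so they must precede the uid change, and they must follow chroot() for the lookup to hit the chroot's group database, which is the point of the patch. The comment should say so explicitly, since nothing in the code enforces the ordering, e.g. `/* Set group ID and supplementary groups. Must run after chroot() so the chroot's group database is used, and before setuid() because initgroups() requires privilege. */`. Two follow-ups on the moved lines: the user name passed to initgroups() still comes from `this->authstat`, which was resolved before entering the chroot, so the name and the chroot's group file can disagree; and the GROUP_SET_SUP error carries only strerror(errno), whereas the GROUP_SET error next to it includes the gid, so passing `this->authstat->get_user()` to the GROUP_SET_SUP error would make a failed in-chroot lookup easier to diagnose. Whether behaviour actually changes for a given chroot also depends on whether the group database is copied in by the nssdatabases setup (the reporter's /etc/schroot/sbuild/nssdatabases is marked changed), which is worth stating in the changelog.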