Package: sbuild
Version: 0.78.0-2
Severity: normal

I'm trying to set up sbuild so it builds under a different user by
default. The sbuild.conf(5) manpage says:

       BUILD_USER
              STRING type.  Username used for running dpkg-buildpackage. By default the
              user running sbuild is used within the chroot as well but that might allow
              a process from within the chroot to break out of the chroot by attaching to
              a process running outside the chroot with eg. gdb and then becoming root
              inside the chroot through schroot and thus be able to leave the chroot.

              build_user = ...;

I'm assuming the example code there is a typo and should be really:

    $build_user = 'sbuild';

... so I add the above to my `.sbuildrc`. Then I try a build and it
fails early in the process:

    E: read_command failed to execute dpkg
    Use of uninitialized value $chroot_arch in scalar chomp at /usr/share/perl5/Sbuild/Build.pm line 3024.

The "sbuild" user exists in the chroot:

    $ schroot -c unstable-amd64-sbuild --directory / id sbuild
    uid=129(sbuild) gid=138(sbuild) groups=138(sbuild)

I have tried to look at the line pointed at by the error message:

    chomp(my $chroot_arch = $self->get('Session')->read_command(
        { COMMAND => ['dpkg', '--print-architecture'],
          USER => $self->get_conf('BUILD_USER'),
          PRIORITY => 0,
          DIR => '/' }));

... but to figure out what the problem is, you need to dig into
`read_command`, which is quite a rabbit hole. It calls
Chroot::read_command which calls pipe_command, which calls
pipe_command_internal, which calls exec_command, and *then* we hit the
schroot specific code with get_command_internal, and *finally*
_get_exec_argv, which shows the user is passed to the `schroot -u`
argument.

When trying to reproduce the problem outside of sbuild, I therefore
do:

    $ schroot -c unstable-amd64-sbuild --directory / -u sbuild id
    [schroot] password for sbuild: 

I think that's where the problem lies: stdin is probably closed which
makes the command fail. Even if it would be open, the process would
just hang asking for a password, which doesn't exist (set to '*' in
/etc/shadow).

If I run schroot as root, that works however:

    $ sudo schroot -c unstable-amd64-sbuild --directory / -u sbuild id
    uid=129(sbuild) gid=138(sbuild) groups=138(sbuild)

For what that's worth, the caller is in the `sbuild` group:

    $ grep sbuild /etc/group
    sbuild:x:138:anarcat

The schroot has that configuration:

    [unstable-amd64-sbuild]
    description=Debian unstable/amd64 autobuilder
    groups=root,sbuild
    root-groups=root,sbuild
    profile=sbuild
    type=directory
    directory=/home/chroot/unstable-amd64-sbuild
    union-type=overlay

So in *theory* it should allow users in the sbuild group to run
commands without entering a password.

Am I missing something?

The full build log is attached.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sbuild depends on:
ii  adduser         3.118
ii  libsbuild-perl  0.78.0-2
ii  perl            5.28.1-3

Versions of packages sbuild recommends:
ii  autopkgtest  5.8
ii  debootstrap  1.0.114
ii  schroot      1.6.10-6+b1

Versions of packages sbuild suggests:
ii  deborphan  1.7.31
ii  e2fsprogs  1.44.5-1
ii  kmod       25-2
ii  wget       1.20.1-1

-- no debconf information
sbuild (Debian sbuild) 0.78.0 (09 January 2019) on curie.anarc.at

+==============================================================================+
| undertime 1.7.0 (amd64)                      Thu, 24 Jan 2019 22:39:05 +0000 |
+==============================================================================+

Package: undertime
Version: 1.7.0
Source Version: 1.7.0
Distribution: unstable
Machine Architecture: amd64
Host Architecture: amd64
Build Architecture: amd64
Build Type: full

E: read_command failed to execute dpkg
Use of uninitialized value $chroot_arch in scalar chomp at /usr/share/perl5/Sbuild/Build.pm line 3024.

+------------------------------------------------------------------------------+
| Post Build Failed Commands                                                   |
+------------------------------------------------------------------------------+


/usr/bin/notify-send "Build completed" "Build of /home/anarcat/src/undertime_1.7.0.dsc on %SBUILD_DISTRIBUTION-amd64 completed."
--------------------------------------------------------------------------------------------------------------------------------


I: Finished running '/usr/bin/notify-send "Build completed" "Build of /home/anarcat/src/undertime_1.7.0.dsc on %SBUILD_DISTRIBUTION-amd64 completed."'.

Finished processing commands.
--------------------------------------------------------------------------------
E: Can't determine architecture of chroot: 

+------------------------------------------------------------------------------+
| Summary                                                                      |
+------------------------------------------------------------------------------+

Build Architecture: amd64
Build Type: full
Build-Space: 0
Build-Time: 0
Distribution: unstable
Fail-Stage: chroot-arch
Host Architecture: amd64
Install-Time: 0
Job: /home/anarcat/src/undertime_1.7.0.dsc
Machine Architecture: amd64
Package: undertime
Package-Time: 0
Source-Version: 1.7.0
Space: 0
Status: failed
Version: 1.7.0
--------------------------------------------------------------------------------
Finished at 2019-01-24T22:39:05Z
Build needed 00:00:00, 0k disk space
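
Added example, not part of the original report and not schroot's or sbuild's own code: a simplified model of the authorisation rule described in schroot(1) and schroot.conf(5), applied to the chroot definition quoted in the report, to show which `-u` targets a member of the `sbuild` group reaches without a password prompt. The function names are hypothetical, and the model assumes PAM specifics (such as root bypassing the prompt) can be ignored.

```python
import configparser

# Chroot definition copied from the report above.
SCHROOT_CONF = """
[unstable-amd64-sbuild]
description=Debian unstable/amd64 autobuilder
groups=root,sbuild
root-groups=root,sbuild
profile=sbuild
type=directory
directory=/home/chroot/unstable-amd64-sbuild
union-type=overlay
"""

def _names(section, key):
    """Split a comma-separated schroot.conf list; a missing key is an empty set."""
    return {n.strip() for n in section.get(key, "").split(",") if n.strip()}

def auth_required(conf_text, chroot, caller, caller_groups, target):
    """Return 'denied', 'none' or 'password' for `schroot -c chroot -u target`.

    Simplified model (assumption): PAM configuration is ignored, including the
    default rule that lets a caller who is already root skip the prompt.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[chroot]
    groups = set(caller_groups)
    allowed = caller in _names(sec, "users") or groups & _names(sec, "groups")
    root_ok = caller in _names(sec, "root-users") or groups & _names(sec, "root-groups")
    if not (allowed or root_ok):
        return "denied"
    if target == caller:
        return "none"          # no user switch, nothing to authenticate
    if target == "root" and root_ok:
        return "none"          # root-users/root-groups: password-less root only
    # Any other target must be authenticated with that user's credentials.
    return "password"

def demo():
    who = ("anarcat", ["sbuild"])  # membership as shown in /etc/group above
    return {t: auth_required(SCHROOT_CONF, "unstable-amd64-sbuild", *who, t)
            for t in ("anarcat", "root", "sbuild")}

if __name__ == "__main__":
    for target, result in demo().items():
        print(f"-u {target}: {result}")
```

Under this model only the `-u sbuild` case asks for a password, which matches the `[schroot] password for sbuild:` prompt in the manual reproduction.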
