From 40f0179a5e74d6d3babbefdeae21fd374be0e090 Mon Sep 17 00:00:00 2001
From: Eli Schwartz
Date: Sun, 18 Mar 2018 01:46:44 -0400
Subject: makechrootpkg: fix verifysource with pacman-git
In pacman-git commit d8717a6a9666ec80c8645d190d6f9c7ab73084ac makepkg started checking that the setuid/setgid bit could be removed on the $BUILDDIR in order to prevent this propagating to the packages themselves. Unfortunately, this requires the temporary builddir used during the --verifysource stage of makepkg, to be owned by $makepkg_user which was not the case as it is created as root using mktemp (and given world rwx in addition to the restricted deletion bit.) Obviously makepkg cannot chmod a directory that it does not own. Fix this by making $makepkg_user the owner of that directory, as should have been the case all along. (Giving world rwx is illogical on general principle. The fact that this is a workaround for makepkg demanding these directories be writable even when they are not going to be used for the makepkg options in question, is not justification for being careless.)
Signed-off-by: Eli Schwartz
---
makechrootpkg.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'makechrootpkg.in')
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 653847f..8e33499 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -249,7 +249,7 @@ download_sources() {
 local builddir
 builddir="$(mktemp -d)"
- chmod 1777 "$builddir"
+ chown "$makepkg_user:$makepkg_user" "$builddir"
 # Ensure sources are downloaded
 sudo -u "$makepkg_user" --preserve-env=GNUPGHOME \
-- cgit v1.2.3-54-g00ecf
From 5713cd629c97c7a12a600a1dd73ad81d87374eb1 Mon Sep 17 00:00:00 2001
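Review bot: The new `chown` has no error handling, so if it fails (an unknown `$makepkg_user`, say) the directory stays root-owned and the problem only surfaces later as a makepkg chmod failure with a less direct message; nothing in this hunk shows `set -e`, so `chown "$makepkg_user:$makepkg_user" "$builddir" || return 1` (or the script's own error helper, if it has one) would fail at the cause. The same applies to the later hunk on this page that changes the line to `chown "$makepkg_user:"`. A one-line comment that `mktemp -d` creates the directory 0700 by default, so after the chown only `$makepkg_user` can use it, would also help, since the removed 1777 suggests a different intent to anyone reading the history. download_sources continues outside the hunk.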
From: Evangelos Foutras
Date: Sat, 12 May 2018 11:52:18 +0300
Subject: makechrootpkg: add /etc/shadow entry for builduser
Without it, sudo 1.8.23 will return an error: sudo: PAM account management error: Authentication service cannot retrieve authentication info
---
makechrootpkg.in | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'makechrootpkg.in')
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 8e33499..57231d5 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -176,9 +176,10 @@ prepare_chroot() {
 # We can't use useradd without chrooting, otherwise it invokes PAM modules
 # which we might not be able to load (i.e. when building i686 packages on
 # an x86_64 host).
- sed -e '/^builduser:/d' -i "$copydir"/etc/{passwd,group}
+ sed -e '/^builduser:/d' -i "$copydir"/etc/{passwd,shadow,group}
 printf >>"$copydir/etc/group" 'builduser:x:%d:\n' "$builduser_gid"
 printf >>"$copydir/etc/passwd" 'builduser:x:%d:%d:builduser:/build:/bin/bash\n' "$builduser_uid" "$builduser_gid"
+ printf >>"$copydir/etc/shadow" 'builduser:!!:%d::::::\n' "$(( $(date -u +%s) / 86400 ))"
 $install -d "$copydir"/{build,build/.gnupg,startdir,{pkg,srcpkg,src,log}dest}
-- cgit v1.2.3-54-g00ecf
From 172abd9998cffa3622fb8afbd0d241840dfc3946 Mon Sep 17 00:00:00 2001
From: Eli Schwartz
Date: Wed, 16 May 2018 11:00:31 -0400
Subject: Do not assume the makechrootpkg user's groupname is the same as the username
chown support "$user:$group" but also "$user:" which infers $group rather than leaving it as root. This looks up the group name in cases where the default group is e.g. "users" and users do not get their own unique groups.
Signed-off-by: Eli Schwartz
---
makechrootpkg.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'makechrootpkg.in')
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 57231d5..041e591 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
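Review bot: The `printf >>` on `/etc/shadow` creates the file with umask-default permissions if the chroot does not already have one (the preceding `sed -i` only reports a missing file and moves on), which would leave a world-readable shadow file; if that case can occur, create it first with a restrictive mode, e.g. `[[ -e $copydir/etc/shadow ]] || install -m600 /dev/null "$copydir/etc/shadow"`, so the append is safe either way. The entry itself deserves a comment, because neither `!!` nor the computed day count is self-explanatory: `# Locked password ('!!'): the sudo calls into builduser run from root, so none is needed; lastchg is today so the account is presumably not treated as password-expired by PAM.` prepare_chroot continues outside the hunk.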
@@ -250,7 +250,7 @@ download_sources() {
 local builddir
 builddir="$(mktemp -d)"
- chown "$makepkg_user:$makepkg_user" "$builddir"
+ chown "$makepkg_user:" "$builddir"
 # Ensure sources are downloaded
 sudo -u "$makepkg_user" --preserve-env=GNUPGHOME \
-- cgit v1.2.3-54-g00ecf
From fc371c3c7149f23a6ddcebaf8c95133284a904e8 Mon Sep 17 00:00:00 2001
From: Luke Shumaker
Date: Wed, 3 Jan 2018 00:47:36 -0500
Subject: makechrootpkg: Put "keyserver-options auto-key-retrieve" in gpg.conf
This allows signature verification by `makepkg --verifysource`, `git verify-tag`, and such without requiring the user to manually retrieve the keys first. This is based off of devtools32 commit 009695b (2017-06-27) by Erich Eckner . There are 2 differences from that commit:
- In this version, gpg.conf is owned by builduser, not by root
- In this version, we don't keep appending duplicate lines if we re-use a chroot
---
makechrootpkg.in | 1 +
1 file changed, 1 insertion(+)
(limited to 'makechrootpkg.in')
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 041e591..6105a64 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -187,6 +187,7 @@ prepare_chroot() {
 [[ -r $USER_HOME/$x ]] || continue
 $install -m 644 "$USER_HOME/$x" "$copydir/build/$x"
 done
+ $install -m644 /dev/stdin "$copydir/build/.gnupg/gpg.conf" <<<'keyserver-options auto-key-retrieve'
 sed -e '/^MAKEFLAGS=/d' -e '/^PACKAGER=/d' -i "$copydir/etc/makepkg.conf"
 for x in BUILDDIR=/build PKGDEST=/pkgdest SRCPKGDEST=/srcpkgdest SRCDEST=/srcdest LOGDEST=/logdest \
-- cgit v1.2.3-54-g00ecf
From c7f10f1efc4d38672f4a2ae02d71f0f384bc421d Mon Sep 17 00:00:00 2001
From: Luke Shumaker
Date: Wed, 15 Feb 2017 15:56:42 -0500
Subject: makechrootpkg: _chrootbuild: Split into _chroot{prepare,build}
---
makechrootpkg.in | 27 ++++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
(limited to 'makechrootpkg.in')
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 6105a64..0b48d5b 100644
--- a/makechrootpkg.in
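Review bot: `keyserver-options auto-key-retrieve` turns every signature verification inside the chroot into an unattended network fetch of whatever key the signature names, and an auto-retrieved key is imported without any trust, so the protection still rests on makepkg's own key checks (`validpgpkeys` or ownertrust) rather than on the fetch; that should be stated above the `$install` line, e.g. `# Auto-fetch unknown signing keys so --verifysource can run unattended; fetched keys carry no trust, makepkg's validpgpkeys/trust checks still apply.` No `keyserver` is pinned, so which server is queried depends on gpg's default for that chroot — worth noting in the same comment. `$install` also overwrites any gpg.conf already present, which is what the commit message wants (no duplicate lines) but discards anything else a user placed there. The enclosing prepare_chroot starts and ends outside the hunk.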
+++ b/makechrootpkg.in
@@ -204,6 +204,12 @@ EOF
 # This is a little gross, but this way the script is recreated every time in the
 # working copy
+ {
+ printf '#!/bin/bash\n'
+ declare -f _chrootprepare
+ printf '_chrootprepare "$@"\n'
+ } > "$copydir/chrootprepare"
+ chmod +x "$copydir/chrootprepare"
 {
 printf '#!/bin/bash\n'
 declare -f _chrootbuild
@@ -220,6 +226,20 @@ EOF
 # These functions aren't run in makechrootpkg,
 # so no global variables
+_chrootprepare() {
+ # No coredumps
+ ulimit -c 0
+
+ # shellcheck source=/dev/null
+ . /etc/profile
+
+ # Beware, there are some stupid arbitrary rules on how you can
+ # use "$" in arguments to commands with "sudo -i". ${foo} or
+ # ${1} is OK, but $foo or $1 isn't.
+ # https://bugzilla.sudo.ws/show_bug.cgi?id=765
+ sudo --preserve-env=SOURCE_DATE_EPOCH -iu builduser bash -c 'cd /startdir; makepkg "$@" --nobuild' -bash "$@"
+}
 _chrootbuild() {
 # No coredumps
 ulimit -c 0
@@ -231,7 +251,7 @@ _chrootbuild() {
 # use "$" in arguments to commands with "sudo -i". ${foo} or
 # ${1} is OK, but $foo or $1 isn't.
 # https://bugzilla.sudo.ws/show_bug.cgi?id=765
- sudo --preserve-env=SOURCE_DATE_EPOCH -iu builduser bash -c 'cd /startdir; makepkg "$@"' -bash "$@"
+ sudo --preserve-env=SOURCE_DATE_EPOCH -iu builduser bash -c 'cd /startdir; makepkg "$@" --noextract --noprepare' -bash "$@"
 }
 _chrootnamcap() {
@@ -415,6 +435,11 @@ main() {
 prepare_chroot "$copydir" "$USER_HOME" "$keepbuilddir" "$run_namcap"
 if arch-nspawn "$copydir" \
+ --bind="$PWD:/startdir" \
+ --bind="$SRCDEST:/srcdest" \
+ "${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
+ /chrootprepare "${makepkg_args[@]}" &&
+ arch-nspawn "$copydir" \
 --bind="$PWD:/startdir" \
 --bind="$SRCDEST:/srcdest" \
 "${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
-- cgit v1.2.3-54-g00ecf
From 527621ed8b8ac2a4b0384baa475070d87415a253 Mon Sep 17 00:00:00 2001
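Review bot: The second `arch-nspawn` invocation in the main() hunk repeats the `--bind` and bind-mount arguments of the first verbatim, and `_chrootprepare` likewise duplicates the coredump/profile preamble and the sudo-quoting comment of `_chrootbuild`, so the two stages can silently drift apart the next time someone adds a mount or an option to only one of them. Collecting the shared nspawn arguments into one array (below) removes the first copy; the two `{ printf; declare -f; printf; } > …` script-generation blocks in the first hunk would benefit from the same treatment via a small helper taking the function name. The `if` statement continues outside the hunk, so the build invocation's remaining arguments are not visible and are left as a placeholder.
```shell
	local nspawn_args=(
		"$copydir"
		--bind="$PWD:/startdir"
		--bind="$SRCDEST:/srcdest"
		"${bindmounts_ro[@]}" "${bindmounts_rw[@]}"
	)
	if arch-nspawn "${nspawn_args[@]}" /chrootprepare "${makepkg_args[@]}" &&
	   arch-nspawn "${nspawn_args[@]}" \
	# … unchanged: the build script and its arguments (outside the hunk) …
```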
From: Luke Shumaker
Date: Wed, 15 Feb 2017 14:40:06 -0500
Subject: makechrootpkg, arch-nspawn: Force-enable local '/repo/' repository
The change in arch-nspawn is subtle: This was the source of "infamous" "it fails every other time" bug that took me over a year to solve. By having a repository of local packages (rather than simply running `pacman -U`), we are inviting pacman to cache them in `/var/cache/pacman/pkg`. Besides being needless disk writes, this actually causes a real issue. If the package gets rebuilt, pacman will balk, as the file no longer matches the cached signature. So, how do we prevent pacman from caching these local packages? Simple: include the directory they are already in in the pacman.conf:CacheDir list. This will prevent pacman from copying the files to one of the other cache directories.
---
arch-nspawn.in | 1 +
makechrootpkg.in | 13 +++++++++++++
2 files changed, 14 insertions(+)
(limited to 'makechrootpkg.in')
diff --git a/arch-nspawn.in b/arch-nspawn.in
index 028191b..c448056 100644
--- a/arch-nspawn.in
+++ b/arch-nspawn.in
@@ -105,6 +105,7 @@ elif [[ $(cat "$working_dir/.arch-chroot") != "$CHROOT_VERSION" ]]; then
 fi
 build_mount_args
+cache_dirs+=('/repo/')
 copy_hostconf
 eval "$(grep -a '^CARCH=' "$working_dir/etc/makepkg.conf")"
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 0b48d5b..98cd1b5 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -202,6 +202,19 @@ builduser ALL = NOPASSWD: /usr/bin/pacman
 EOF
 chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
+ if ! grep -q '^\[repo\]' "$copydir/etc/pacman.conf"; then
+ local line
+ line=$(grep -n '^\[' "$copydir/etc/pacman.conf" |grep -Fv ':[options]'|sed 's/:.*//;1q')
+ local ins='[repo] SigLevel = Optional TrustAll Server = file:///repo '
+ sed -i "${line}i${ins//$'\n'/\\n}" "$copydir/etc/pacman.conf"
+ fi
+ # Avoid having to use `pacman -Sy` to update [repo], as
+ # networking might be disabled inside of the chroot.
+ cp "$copydir/repo/repo.db" "$copydir/var/lib/pacman/sync/repo.db"
+
 # This is a little gross, but this way the script is recreated every time in the
 # working copy
 {
-- cgit v1.2.3-54-g00ecf
From eed44fd867a4afdcd406ae6dfc10876a90fb8706 Mon Sep 17 00:00:00 2001
From: Luke Shumaker
Date: Thu, 20 Apr 2017 13:49:19 -0400
Subject: makechrootpkg: Also build --allsource packages
It also sets SRCEXT="-$pkgarch$SRCEXT", so that two runs of makechrootpkg on different architectures don't overwrite eachothers source packages.
---
makechrootpkg.in | 15 +++++++++++++
1 file changed, 15 insertions(+)
(limited to 'makechrootpkg.in')
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 98cd1b5..09c047e 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
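Review bot: `line` is empty when pacman.conf has no section other than `[options]`, and GNU sed then treats the `i` command as unaddressed and inserts the `[repo]` block before every line of the file; guarding the empty case (below) appends the block instead and keeps the file intact. The `SigLevel = Optional TrustAll` line deserves a comment, because it switches off signature checking for everything pacman can reach through that repository: `# /repo only ever holds packages built in this chroot, hence no signature requirement; do not point it anywhere else.` The unconditional `cp` of `repo/repo.db` fails on a chroot where that file does not exist yet — presumably it always does once /repo is populated, but worth confirming. prepare_chroot starts and ends outside the hunk.
```shell
		if [[ -n $line ]]; then
			sed -i "${line}i${ins//$'\n'/\\n}" "$copydir/etc/pacman.conf"
		else
			printf '%s' "$ins" >> "$copydir/etc/pacman.conf"
		fi
```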
@@ -260,10 +260,25 @@ _chrootbuild() {
 # shellcheck source=/dev/null
 . /etc/profile
+ local srcext
+ srcext="$(
+ # shellcheck source=makepkg-x86_64.conf
+ . /etc/makepkg.conf || exit
+ # shellcheck source=PKGBUILD.proto
+ . /startdir/PKGBUILD || exit
+ if [ "$arch" = any ]; then
+ pkgarch=any
+ else
+ pkgarch=$CARCH
+ fi
+ printf '%s\n' "-$pkgarch$SRCEXT"
+ )" || return
+
 # Beware, there are some stupid arbitrary rules on how you can
 # use "$" in arguments to commands with "sudo -i". ${foo} or
 # ${1} is OK, but $foo or $1 isn't.
 # https://bugzilla.sudo.ws/show_bug.cgi?id=765
+ sudo --preserve-env=SOURCE_DATE_EPOCH -iu builduser bash -c 'cd /startdir; SRCEXT="${1}" makepkg "${@:2}" --allsource' -bash "$srcext" "$@" || return
 sudo --preserve-env=SOURCE_DATE_EPOCH -iu builduser bash -c 'cd /startdir; makepkg "$@" --noextract --noprepare' -bash "$@"
 }
-- cgit v1.2.3-54-g00ecf
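Review bot: The new `srcext` subshell sources `/startdir/PKGBUILD` in `_chrootbuild`'s own context, which — judging by the fact that makepkg itself is handed to `sudo -iu builduser` a few lines later — is root inside the chroot, so arbitrary PKGBUILD code now runs with root privilege before makepkg even starts and the builduser separation the sudo calls establish is bypassed for this step. Running the same snippet under the existing `sudo -iu builduser bash -c …` pattern (minding the `${var}` quoting rule the comment describes), or deriving the architecture from `makepkg --printsrcinfo` executed as builduser, would keep untrusted PKGBUILD code at the unprivileged level. Separately, `[ "$arch" = any ]` only inspects the first element of the `arch` array, which is fine for `arch=('any')` but silently ignores any further entries. `_chrootbuild` starts outside the hunk.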