Bug#810248: sbuild: experimental sbuild breaks building in squeeze chroot due to build directory having setgid bit

Raphaël Hertzog

Jan 7, 2016, 11:40:02 AM
Package: sbuild
Version: 0.67.0-2.0~exp2
Severity: important

I just tried to build a package for squeeze-lts and got this failure:

[...]
Check dependencies
------------------

Merged Build-Depends: build-essential, fakeroot
Filtered Build-Depends: build-essential, fakeroot
dpkg-deb: control directory has bad permissions 2775 (must be >=0755 and <=0775)
dpkg-deb: building package `sbuild-build-depends-core-dummy' in `/<<BUILDDIR>>/resolver-lxgIE7/apt_archive/sbuild-build-depends-core-dummy.deb'.
Dummy package creation failed

+------------------------------------------------------------------------------+
| Cleanup |
+------------------------------------------------------------------------------+

Purging /<<BUILDDIR>>
Not cleaning session: cloned chroot in use
E: Core build dependencies not satisfied; skipping


Effectively I see this:
$ ls -al /var/lib/sbuild/build/
total 8
drwxrws--- 2 sbuild sbuild 4096 janv. 7 17:27 .
drwxrws--- 4 sbuild sbuild 4096 oct. 26 2014 ..


Same problem happens with build in wheezy. Jessie is fine though.

Newer dpkg cope better with that apparently... but I don't think that the
"setgid" bit is necessary here.

Cheers,

-- System Information:
Debian Release: stretch/sid
APT prefers squeeze-lts
APT policy: (500, 'squeeze-lts'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sbuild depends on:
ii adduser 3.113+nmu3
ii apt-utils 1.1.10
ii libsbuild-perl 0.67.0-2.0~exp2
ii perl 5.22.1-3

Versions of packages sbuild recommends:
ii debootstrap 1.0.75
ii fakeroot 1.20.2-1

Versions of packages sbuild suggests:
pn deborphan <none>
ii wget 1.17.1-1

-- no debconf information

Johannes Schauer

Jan 8, 2016, 7:10:03 AM
Hi,

Quoting Raphaël Hertzog (2016-01-07 17:34:55)
I'm not sure unfortunately...

So when creating the chroot sbuild will execute the following inside the
chroot:

$ mkdir -m 0775 /build
$ chown sbuild:sbuild /build
$ chmod 02770 /build

This will result in build directory having permissions rwxrws---. I do not know
why the suid bit is necessary here and funnily doing the following:

$ chmod 00770 /build

Will not remove the suid bit. I'm quite puzzled about this. The only way I
found to remove the bit is to do:

$ chmod ug=rwx,o=,a-s /build

Though sbuild generally seems to use octal mode. Maybe using mode in chmod
should be dropped in favour of the symbolic mode for easier readability? Also
because apparently octal mode is not able to clear the suid bit for a weird
reason?

Thanks a lot for testing the version in experimental!

cheers, josch

Johannes Schauer

Jan 8, 2016, 7:20:06 AM
Hi,

Quoting Johannes Schauer (2016-01-08 13:00:04)
> This will result in build directory having permissions rwxrws---. I do not know
> why the suid bit is necessary here and funnily doing the following:
>
> $ chmod 00770 /build
>
> Will not remove the suid bit. I'm quite puzzled about this. The only way I
> found to remove the bit is to do:
>
> $ chmod ug=rwx,o=,a-s /build
>
> Though sbuild generally seems to use octal mode. Maybe using mode in chmod
> should be dropped in favour of the symbolic mode for easier readability? Also
> because apparently octal mode is not able to clear the suid bit for a weird
> reason?

it seems this has been discussed in #477358

The behaviour also seems to have changed after Wheezy. Since Jessie, octal mode
will be able to clear the suid bit. This is why I didn't stumble across this
problem yet.

Though to be compatible with older chmod implementations I guess sbuild should
switch to using symbolic mode (which is also more readable) instead of octal
mode.

I still do not understand why the suid bit is necessary in the first place but
I trust it's there for a good reason and will leave it there for now until
somebody can explain its reason for existence.

Thanks!

cheers, josch

Raphael Hertzog

Jan 8, 2016, 8:40:04 AM
Hi,

On Fri, 08 Jan 2016, Johannes Schauer wrote:
> > Newer dpkg cope better with that apparently... but I don't think that the
> > "setgid" bit is necessary here.
>
> I'm not sure unfortunately...

Well if the bit had been always there, sbuild would never have worked for
me for a long time... it's a regression so that setgid bit is something
introduced recently or that only started working recently.

> So when creating the chroot sbuild will execute the following inside the
> chroot:
>
> $ mkdir -m 0775 /build
> $ chown sbuild:sbuild /build
> $ chmod 02770 /build
>
> This will result in build directory having permissions rwxrws---. I do not know
> why the suid bit is necessary here and funnily doing the following:
>
> $ chmod 00770 /build
>
> Will not remove the suid bit.

Well, you don't need to remove it if you never add it in the first place.
That said the purpose of that setgid bit is clear, it's a way to ensure
the "sbuild" group is preserved on files extracted in that directory.

I'm not sure there's anything of critical importance here though.

Either you drop that bit from the start or you drop it on the extracted
source package ("chmod -R g-s /build/source-package").

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
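
Added example, not part of the thread and not sbuild or dpkg code: it shows how a setgid build directory propagates the bit to a control directory created beneath it, and how the "chmod -R g-s" suggested above makes the directory acceptable again. It assumes Linux and GNU coreutils stat; the acceptance mask is modelled on the dpkg-deb error message quoted in the report, and all function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: Linux setgid inheritance, GNU coreutils `stat -c`.

# Model of the rule in the quoted dpkg-deb message: permission bits between
# 0755 and 0775 and no setuid/setgid/sticky bits (assumed mask, not dpkg code).
control_dir_ok() {
    mode=$(stat -c %a "$1") || return 2
    [ $(( 0$mode & 07757 )) -eq $(( 0755 )) ]
}

# Create a scratch tree shaped like the report: a build directory with mode
# 2770 and a control directory made inside it. Prints the control dir path.
make_setgid_tree() {
    umask 022
    top=$(mktemp -d) || return 1
    chmod 2770 "$top"                    # same mode sbuild sets on /build
    mkdir "$top/pkg" "$top/pkg/DEBIAN"   # new directories inherit setgid
    chmod g+w "$top/pkg/DEBIAN"          # 2755 -> 2775, as in the build log
    printf '%s\n' "$top/pkg/DEBIAN"
}

# The workaround from the thread: drop setgid on the extracted tree only.
strip_setgid() {
    chmod -R g-s "$1"
}

# Run the check before and after the workaround and report both results.
demo() {
    ctl=$(make_setgid_tree) || return 1
    top=${ctl%/pkg/DEBIAN}
    if control_dir_ok "$ctl"; then before=ok; else before=rejected; fi
    strip_setgid "$top/pkg"
    if control_dir_ok "$ctl"; then after=ok; else after=rejected; fi
    echo "before=$before after=$after mode=$(stat -c %a "$ctl")"
    rm -rf "$top"
}

demo
```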