[Buildd-tools-devel] Bug#477942: problem with users and permissions
martin f krafft
madduck at debian.org
Sat Apr 26 20:25:30 UTC 2008
I forgot that Git does not store permissions apart from the owner's
+x bit, and thus, a Git-managed chroot will not have any
ug+s,o+t bits set, nor will it restore groups. /home and /tmp appear
to be alright, but that's because they're bind-mounted.
madduck at lapse:~$ ls /etc/shadow -l
-rw-r--r-- 1 root root 1028 Apr 26 20:22 /etc/shadow
In particular, /etc/shadow will be world-readable in the chroot.
Since it's bind-mounted or copied from the host system, my proposed
Git backend is useless on multiuser systems until I figure out a way
to restore permissions sensibly.
One idea might be to specify an ACL file created with getfacl -R and
applied with setfacl, but that still might leave
/var/lib/schroot/mount/*/etc/shadow exposed until the chroot is
fully unpacked and the ACL scriptlet run.
I still find the Git backend interesting, but it's not ready for
deployment until I figure out these issues. It might thus be a good
idea to leave this bug open and "unfixed" for the time being.
--
.''`. martin f. krafft <madduck at debian.org>
: :' : proud Debian developer, author, administrator, and user
`. `'` http://people.debian.org/~madduck - http://debiansystem.info
`- Debian - when you have better things to do than fixing systems
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature (see http://martin-krafft.net/gpg/)
Url : http://lists.alioth.debian.org/pipermail/buildd-tools-devel/attachments/20080427/8ff72621/attachment-0001.pgp
More information about the Buildd-tools-devel
mailing list