[buildd-tools-devel] Bug#586195: Bug#586195: 20nssdatabases checks for file equivalence

Roger Leigh rleigh at codelibre.net
Sat Jun 26 22:36:12 UTC 2010

On Thu, Jun 17, 2010 at 11:49:47AM +0200, Bastian Blank wrote:
> Package: schroot
> Version: 1.4.4-1
> Severity: normal
> File: /etc/schroot/setup.d/20nssdatabases
> 20nssdatabases checks for file equivalence and doesn't do anything in
> this case. However nss may include more modules than just "files" and
> will fail to produce a useful result in this case.

This is very true.

However, we are checking the file device number and inode number, not
the file contents.  These should never be the same both inside and
outside the chroot.  If they are, something is very badly wrong:

For example, 20nssdatabases does the equivalent of

  getent passwd > $chroot/etc/passwd

Now, if NSS is set up to use "files" for passwd on the host, you've
just deleted your system passwd database, since the
'> $chroot/etc/passwd' will cause the shell to truncate /etc/passwd
inside the chroot prior to running getent, which then attempts to
read an empty file: the data is gone.

I've checked for btrfs filesystems, and each subvolume has a separate
device number, so I can't see a normal situation where the system
databases would have the same device/inode combination on the host
system and inside the chroot.  In the situation where they were
deliberately bind mounted, the script would previously blank the
files due to the above situation, and this check was added as a
sanity check to prevent that occurring.

I agree that, due to how the sysadmin set up the NSS, the host
files may not be useful, but in this case "getent" will still
return the contents of whatever NSS databases you are using--the
check is still just a sanity check to prevent disaster.

I hope this makes sense.  If there's something I'm overlooking and
misunderstood with your report, please do let me know.  Is your
system set up in such a way that it's preventing the databases
being copied?  If so, some more details about your setup would be
very helpful.


  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
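
The truncation hazard and the device/inode guard described in the message above, as an added example that is not part of the original mail or of schroot's 20nssdatabases script. The helper names are hypothetical, the passwd lines are constructed, `cat` stands in for `getent` with the "files" backend, and a hard link stands in for a bind mount (same device and inode, no root needed).

```sh
#!/bin/sh
# Added example: hypothetical helpers, constructed sample data.

# True when both paths exist and share device and inode numbers.
same_file() {
    [ -e "$1" ] && [ -e "$2" ] && [ "$1" -ef "$2" ]
}

# Stand-in for "getent passwd" with the "files" backend: reads the host file.
fake_getent() {
    cat "$1"
}

# Unguarded copy: the shell truncates $2 before fake_getent ever reads $1.
unsafe_copy() {
    fake_getent "$1" > "$2"
}

# Guarded copy: refuse to redirect into the file that is also the source.
guarded_copy() {
    if same_file "$1" "$2"; then
        echo "skip: $2 is the same file as $1" >&2
        return 0
    fi
    fake_getent "$1" > "$2"
}

demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/chroot/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\nuser:x:1000:1000::/home/user:/bin/sh\n' \
        > "$d/passwd"
    # Host file and chroot file are now one inode, as with a bind mount.
    ln "$d/passwd" "$d/chroot/etc/passwd"

    guarded_copy "$d/passwd" "$d/chroot/etc/passwd"
    echo "after guarded copy:   $(wc -l < "$d/passwd") lines"

    unsafe_copy "$d/passwd" "$d/chroot/etc/passwd" 2>/dev/null || true
    echo "after unguarded copy: $(wc -l < "$d/passwd") lines"
    rm -rf "$d"
}

demo
```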