[buildd-tools-devel] Bug#599518: Bug#599518: Bug#599518: schroot: feature request: ssh-like -X option
Roger Leigh
rleigh at codelibre.net
Sun Jan 22 22:32:26 UTC 2012
On Wed, Nov 23, 2011 at 04:43:34PM +0100, Luca Capello wrote:
> Attached a simple and "raw" schroot-setup script that automates the
> Xauthority creation in the schroot: feel free to include it in the docs'
> contrib/ folder, adapting it to your feelings. I tested it with /home
> mounted or not.
This definitely looks useful for setups where you are running
as a different user inside the chroot. Looking at your script,
it's making some assumptions which would be fairly easy to
correct.
HOME_AUTH_USER="/home/${AUTH_USER}"
"getent passwd "${AUTH_USER}" | cut -d : -f 6"
would be a solution here. It still doesn't cope with $HOME
being set, but it doesn't assume the home directory is in
/home--it gets the real one from the passwd file.
This also avoids the need to check if /home is bind mounted--
we can just check if the source Xauthority is visible inside
the chroot. Also note that the AUTH_HOME is the home directory
of the user *inside* the chroot, not the outside. On the
outside, this is the home directory of the AUTH_RUSER (remote user
in PAM terms). So on the host you must only look at the Xauthority
in the home directory of the AUTH_RUSER, or else you'd have the
ability to steal the credentials of that user.
I would also skip the creation of a missing home directory inside
the chroot. Just warn and exit successfully--this will be
handled later. Given the assumptions about the naming of the
home directory, this is dangerous.
I would suggest limiting this to a simple xauth call + chown
(including the group, AUTH_GID), and just warn if either fail.
I'll be happy to include this in schroot if you could possibly
address the above points, which will make it more secure and
robust.
Many thanks,
Roger
--
.''`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
More information about the Buildd-tools-devel
mailing list