[buildd-tools-devel] Bug#599518: Bug#599518: Bug#599518: schroot: feature request: ssh-like -X option

Roger Leigh rleigh at codelibre.net
Mon May 28 23:14:08 UTC 2012 

On Sun, Jan 22, 2012 at 10:32:26PM +0000, Roger Leigh wrote:
> On Wed, Nov 23, 2011 at 04:43:34PM +0100, Luca Capello wrote:
> > Attached a simple and "raw" schroot-setup script that automates the
> > Xauthority creation in the schroot: feel free to include it in the docs'
> > contrib/ folder, adapting it to your feelings.  I tested it with /home
> > mounted or not.
> 
> This definitely looks useful for setups where you are running
> as a different user inside the chroot.  Looking at your script,
> it's making some assumptions which would be fairly easy to
> correct.
> 
>   HOME_AUTH_USER="/home/${AUTH_USER}"
> 
> "getent passwd "${AUTH_USER}" | cut -d : -f 6"
> would be a solution here.  It still doesn't cope with $HOME
> being set, but it doesn't assume the home directory is in
> /home--it gets the real one from the passwd file.
> 
> This also avoids the need to check if /home is bind mounted--
> we can just check if the source Xauthority is visible inside
> the chroot.  Also note that the AUTH_HOME is the home directory
> of the user *inside* the chroot, not the outside.  On the
> outside, this is the home directory of the AUTH_RUSER (remote user
> in PAM terms).  So on the host you must only look at the Xauthority
> in the home directory of the AUTH_RUSER, or else you'd have the
> ability to steal the credentials of that user.
> 
> I would also skip the creation of a missing home directory inside
> the chroot.  Just warn and exit successfully--this will be
> handled later.  Given the assumptions about the naming of the
> home directory, this is dangerous.
> 
> I would suggest limiting this to a simple xauth call + chown
> (including the group, AUTH_GID), and just warn if either fail.
> 
> I'll be happy to include this in schroot if you could possibly
> address the above points, which will make it more secure and
> robust.

Hi,

Just a reminder that I would be very happy to include this in schroot
for wheezy.  I do, however, need the above points addressing in order
for the script to be safe and robust enough for inclusion.  If you
have the time to update this in the next week or so, I'll be happy to
review and add it.

The latest version of schroot is in git on alioth, and the lastest
development snapshot is here:
  http://people.debian.org/~rleigh/schroot/


Many thanks,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800

More information about the Buildd-tools-devel mailing list