[buildd-tools-devel] Bug#801141: Bug#801141: Bug#801141: sbuild: Failed to lock chroot: /var/lib/sbuild/unstable-i386.tar.gz: File is not owned by user root

Johannes Schauer josch at debian.org
Fri Oct 9 22:36:29 UTC 2015


Hi,

Quoting Roger Leigh (2015-10-08 09:54:25)
> > The bug could nevertheless be in sbuild though because sbuild is the package
> > with the postinst maintainer script that changes the ownership. I now have to
> > figure out whether this chown call is actually useful or not. In the former
> > case, the wiki page would have to be adapted to not recommend this location.
> 
> The file needs to be owned by root for security reasons: if it was owned 
> by another user, it could be altered and then when unpacked and used 
> these files are then used with full root privileges.

Thank you, that does make sense.

> Regarding /var/lib/sbuild: this is owned by sbuild and used for 
> maintaining its own state.  That's why we do the chown--if we don't then 
> sbuild can't modify its own data.  Bottom line: the chroot tarfiles do 
> not belong under this location--they are not sbuild's concern; put them 
> somewhere else.  E.g. I use /srv/chroot/xxx.

That also makes sense.

As a result I edited https://wiki.debian.org/sbuild to not use /var/lib/sbuild
as the recommended chroot location anymore. Instead I used /srv/chroot/ until
somebody comes up with a better location.

Thanks!

cheers, josch
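
An added example, not part of the original message and not code from sbuild or schroot: a shell check that a chroot tarball and its containing directory are owned by root and not writable by group or others, which is the property Roger describes and the reason a tarball under the sbuild-owned /var/lib/sbuild fails while one under /srv/chroot can pass. The function names and the optional owner-uid argument are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of sbuild or schroot).
# Assumes GNU coreutils stat, as shipped on Debian.

# check_one PATH WANT_UID LABEL
# Succeeds only if PATH is owned by WANT_UID and is not group/world-writable.
check_one() {
    uid=$(stat -c %u -- "$1") || return 1
    mode=$(stat -c %a -- "$1") || return 1
    rc=0
    if [ "$uid" != "$2" ]; then
        echo "UNSAFE: $3 $1 is owned by uid $uid, expected $2" >&2
        rc=1
    fi
    # %a prints the mode in octal; the leading 0 makes the shell read it as octal.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "UNSAFE: $3 $1 is group- or world-writable (mode $mode)" >&2
        rc=1
    fi
    return $rc
}

# check_chroot_tarball PATH [WANT_UID]
# WANT_UID defaults to 0 (root). Returns 0 if safe, 1 if unsafe,
# 2 if PATH is a symlink or not a regular file.
check_chroot_tarball() {
    tarball=$1
    want_uid=${2:-0}
    if [ -L "$tarball" ] || [ ! -f "$tarball" ]; then
        echo "UNSAFE: $tarball is not a regular file" >&2
        return 2
    fi
    status=0
    # The tarball itself: whoever owns it can rewrite what gets unpacked as root.
    check_one "$tarball" "$want_uid" "tarball" || status=1
    # The containing directory: whoever can write to it can replace the tarball.
    check_one "$(dirname -- "$tarball")" "$want_uid" "directory" || status=1
    return $status
}
```

Called as `check_chroot_tarball /srv/chroot/unstable-i386.tar.gz`, it reports each failing condition on stderr; only the immediate parent directory is checked, not the whole path up to `/`.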