-
Notifications
You must be signed in to change notification settings - Fork 355
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Design for use with linux-user-chroot #8
Comments
Also worth linking to https://github.com/wrpseudo/pseudo which is a maintained alternative approach for non-root RPM operation. |
There is also http://proot.me/ that uses ptrace instead of LD_PRELOAD (like pseudo or fakeroot). |
Someday we'll enhance RPM; see rpm-software-management/rpm#8 But anyways right now at least a few people have tried, and we get all the way past downloading packages and then bomb out when doing the actual transaction with a useless error message. So let's be up front about this.
On 07/23/2015 10:07 PM, Colin Walters wrote:
While you caught some of the uses of chroot this list is far from Florian
Red Hat GmbH, http://www.de.redhat.com/ Registered seat: Grasbrunn, |
Someday we'll enhance RPM; see rpm-software-management/rpm#8 But anyways right now at least a few people have tried, and we get all the way past downloading packages and then bomb out when doing the actual transaction with a useless error message. So let's be up front about this.
Someday we'll enhance RPM; see rpm-software-management/rpm#8 But anyways right now at least a few people have tried, and we get all the way past downloading packages and then bomb out when doing the actual transaction with a useless error message. So let's be up front about this.
Moved issue to http://rpm.org/ticket/896 as we are closing the github issue tracker for now. |
A security issue today with RPM-based buildsystems is that while it's common for the actual compilation process (
make
or whatever) to run as non-root, the buildroot creation still requires root.I maintain: https://git.gnome.org/browse/linux-user-chroot/tree/README?id=1ab0cc3bc401c8e5578dd1da05aed502544e5183
which is intended to address this - and works successfully for the GNOME Continuous buildsystem.
However, that isn't using RPM.
I briefly looked at what it would take to use
linux-user-chroot
with RPM. This would mean not having the primary process callchroot()
directly, but instead only dochroot /path/to/installroot /path/to/script
when calling out to%post
scripts - and that code path could then optionally uselinux-user-chroot
instead of plainchroot
.However, RPM currently relies on the
chroot()
system call to affect where it places files - so it would have to learn to either prepend the installroot when writing out content, or useopenat()
and friends with a directory fd for the install root.Another subtle but important one: RPM presently relies on
chroot()
affecting NSS lookups pulling uid/gid mappings from the target/etc/passwd
and such. See: http://lists.rpm.org/pipermail/rpm-maint/2014-January/003656.html This one would be annoying to fix - may need custom NSS code.The text was updated successfully, but these errors were encountered: