Bug#930428: debootstrap should ensure matching _apt uid
Michael Schaller writes:
> At the end of the 'apt' package installation the '_apt' user will be
> created without specifying a fixed uid. This typically results in a
> differing '_apt' uid between the host system and the bootstrapped
> system. The differing '_apt' uid is problematic in case the host
> system has firewall rules specific to the '_apt' user and that
> typically leads to Apt downloads failing inside a chroot.
>
> For more details see:
> * https://lists.debian.org/debian-devel/2019/04/msg00259.html
> * https://robots.org.uk/PbuilderFirewallSetup
>
> Unfortunately this issue isn't easy to detect/troubleshoot,
> particularly firewall rules on the '_apt' uid and that there is an uid
> mismatch inside a chroot. This could be improved a lot if debootstrap
> could avoid this issue if it would ensure that the '_apt' user in the
> bootstrapped system has the same uid as on the host system.
(I don't maintain debootstrap.)
I don't think it is a good idea to require debootstrap to know about
such details.
For limiting network access, I would recommend instead using network
namespaces (to only provide limited network access for all processes)
and/or user namespaces (if filtering for single UIDs is really needed).
These do not require any uids to match between in- and outside.
Ansgar
Reply to: