Hi, Quoting Paul Wise (2019-07-25 05:38:49) > On Wed, Jul 24, 2019 at 2:42 PM Johannes Schauer wrote: > > Or using the built-in "unshare" backend which uses linux user namespaces: > > > > $ sbuild --chroot-mode=unshare --chroot=debian-unstable.tar > > Do you think it is feasible to use this on some of or the majority of > Debian buildds (most run stretch right now)? There would need to be > exceptions but most packages should build correctly in this scenario. > The main exception would be the Debian installer, IIRC it needs > network to the local apt mirror during the build process. it would certainly be possible. But you'd have to ask somebody who is more knowledgable about the security implications of such a change. There certainly is a reason why #898446 is still open. Furthermore, since buildds currently use the schroot backend, I guess that buildd admins already took all necessary precautions to secure their systems against arbitrary code running as part of the package build process. I do not know what benefit the "unshare" backend would have for buildds. Indeed I rather made the "unshare" backend for personal use. With it, I can manage all my chroots in my home directory without needing sudo to create or update them. In the light of #898446 this might give me a false sense of security but since I'm only ever processing Debian chroots, that should be fine. Using sudo always scares me a bit. When using the schroot backend (which is suid root) I sometimes have funny effects like some mounts still being there and not unmounted after I cancelled a build or some unpacked chroots still lingering around somewhere. Or processes run as root still running somewhere. I then have to use "sudo" to clean this up and I would like to avoid that. With the "unshare" backend, there can be no lingering mounts or processes and I rather "rm -r" in my home directory than somewhere in /. When using "unshare" there will not be any lingering processes because everything is inside its own process group and there will not be any lingering mounts. Or bugs like #833525 in principle should not happen anymore because the unshared user does not even have access to my home directory and thus cannot delete anything that it didn't create itself. Thanks! cheers, josch
Attachment:
signature.asc
Description: signature