poudriere
3.4.0 regression: -i runs as NON_ROOT user
Prerequisites
- [y ] Have you checked for an existing issue describing your problem?
- [y ] Are you running the latest version?
- [y ] Is your ports tree recent?
- [y ] Is your FreeBSD Host on a supported release?
Describe the bug
Sometimes when I want to do testing on a port I fire up an interactive poudriere jail. When I did this with 3.3.7_4, I would get a root shell in the jail. With 3.4.0 I find the user is nobody.
I noticed this because when attempting to build a port I get a ton of chown errors, e.g.:
nobody@zinc:/usr/ports/ports-mgmt/pkg % make
===> License BSD2CLAUSE accepted by the user
===> Fetching all distfiles required by pkg-1.20.8 for building
===> Extracting for pkg-1.20.8
===> License BSD2CLAUSE accepted by the user
===> Fetching all distfiles required by pkg-1.20.8 for building
=> SHA256 Checksum OK for freebsd-pkg-1.20.8_GH0.tar.gz.
chown: /wrkdirs/usr/ports/ports-mgmt/pkg/work/pkg-1.20.8/docs/pkg-add.8: Operation not permitted
chown: /wrkdirs/usr/ports/ports-mgmt/pkg/work/pkg-1.20.8/docs/pkg-rquery.8: Operation not permitted
[...]
chown: /wrkdirs/usr/ports/ports-mgmt/pkg/work/pkg-1.20.8: Operation not permitted
chown: /wrkdirs/usr/ports/ports-mgmt/pkg/work: Operation not permitted
*** Error code 1
Looking at bsd.port.mk I see:
@if [ ${UID} = 0 ]; then \
${CHMOD} -R ug-s ${WRKDIR}; \
${CHOWN} -R 0:0 ${WRKDIR}; \
fi
And indeed UID is (unexpectedly) 0:
nobody@zinc:/usr/ports/ports-mgmt/pkg % make -V UID
0
So that's a problem as well.
How to reproduce
zinc 1 # poudriere bulk -i -j 13release -p current ports-mgmt/pkg
nobody@zinc:/usr/ports/ports-mgmt/pkg % ps ut
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 13864 0.0 0.0 13680 2964 1 SJ 21:39 0:00.00 login [pam] (login)
root 13865 0.0 0.0 13656 2972 1 SJ 21:39 0:00.01 su -m nobody -c csh
nobody 13869 0.0 0.0 13936 3196 1 SJ 21:39 0:00.00 _su -m -c csh (csh)
nobody 13871 0.0 0.0 13936 3836 1 SJ 21:39 0:00.01 csh
nobody 14094 0.0 0.0 13444 2852 1 R+J 21:39 0:00.00 ps ut
nobody@zinc:/usr/ports/ports-mgmt/pkg %
Environment
- Host OS [13.2 amd64]:
- Jail OS [13.2 amd64]:
- Browser: [firefox]:
- Poudriere Version [3.4.0]:
- Ports branch and revision [main g5ddc587c32d]:
Additional context
My poudriere.conf is pretty generic and I can add PORTBUILD_USER=root and PORTBUILD_GROUP=wheel to get the old (root shell) behavior.
I see now that poudriere.conf.sample claims the default user/uid is nobody/65534 but when I run a (non-interactive) poudriere bulk I can see it runs as root.
It seems the intent is for bulk to run as a non-root user but the user is set to root for non-interactive bulk builds and set to nobody for interactive bulk. And UID is always defined in make as 0.
nobody@zinc:/usr/ports/ports-mgmt/pkg % make -V .MAKE.UID
65534
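The check below is an added example, not code from poudriere, bsd.port.mk or the reporter. It classifies the situation in the report, where a guard tests a UID value of 0 while the process really runs as 65534; the function names and result labels are made up for illustration.

```shell
#!/bin/sh
# Added example, not poudriere or ports code. Labels and names are illustrative.

# is_uid VALUE: succeed only for a non-empty string of decimal digits.
is_uid() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# classify_uid_guard CLAIMED [ACTUAL]
# CLAIMED: the value the guard tests (on the page: output of `make -V UID`).
# ACTUAL: the uid the process really has (on the page: `make -V .MAKE.UID`);
#         defaults to the effective uid reported by id(1).
# Prints a label; returns 0 if consistent, 1 if not, 2 on bad input.
classify_uid_guard() {
    claimed=$1
    actual=${2:-$(id -u)}
    if ! is_uid "$claimed" || ! is_uid "$actual"; then
        echo invalid
        return 2
    fi
    if [ "$claimed" -eq "$actual" ]; then
        if [ "$actual" -eq 0 ]; then echo consistent-root; else echo consistent-nonroot; fi
        return 0
    fi
    if [ "$claimed" -eq 0 ]; then
        # Guard passes, so root-only steps (chown -R 0:0) run and fail.
        echo stale-root
    elif [ "$actual" -eq 0 ]; then
        # Guard fails although the process is root; root-only steps are skipped.
        echo stale-nonroot
    else
        echo mismatch
    fi
    return 1
}

# Constructed sample pairs (claimed:actual); 0:65534 is the pair from the report.
for pair in 0:65534 0:0 65534:65534 65534:0; do
    printf '%s -> %s\n' "$pair" "$(classify_uid_guard "${pair%%:*}" "${pair##*:}")"
done
```

Inside the jail the two inputs would come from the commands shown in the report, `make -V UID` and `make -V .MAKE.UID`.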