Date: Mon, 12 Nov 2018 10:42:55 +0100
From: Henning Schild
To: Jan Kiszka
Cc: Jan Kiszka, isar-users
Subject: Re: [PATCH] buildchroot: Align UID and GID of builder user with caller
Message-ID: <20181112104255.464bdf54@md1za8fc.ad001.siemens.net>
In-Reply-To: <680671b8-2c63-3447-ca15-35431178b266@siemens.com>

On Mon, 12 Nov 2018 10:19:54 +0100, Jan Kiszka wrote:

> On 12.11.18 10:16, [ext] Henning Schild wrote:
> > I am afraid that this is not correct. The ids you are taking from
> > the "host" might be taken inside the chroot. As a result creating
> > the user/group would fail. Chances might be low ... This also
> > assumes that
>
> Really? I thought that these commands are run very early during
> bootstrap where there are no other users - if not, that would be a
> bug.

I think the only uid/gid you can really be sure about is 0. 1 could
already be a regular user on the host, and 1 is "daemon" on a current
Debian ... probably there right after debootstrap. 1000 being the first
"user" is more a convention than something you can rely on for any
host. (/etc/login.defs UID_MIN/MAX etc.)

Henning

> Jan
>
> > ids/hosts will never change and breaks migrating a build to another
> > host.
> > If the host fails to remove/overwrite the files, we will have to use
> > sudo on the host.
> >
> > Henning
> >
> > On Sat, 10 Nov 2018 08:52:38 +0100, Jan Kiszka wrote:
> >
> >> From: Jan Kiszka
> >>
> >> This fixes EPERM on rebuild and also some clean builds: We have to
> >> align the IDs of the builder user with the user in the host
> >> environment. Otherwise, files and directories can become
> >> unaccessible during the build.
> >>
> >> Fixes: be291cd991bd ("buildchroot: build debian packages as
> >> "builder" not "root"")
> >> Signed-off-by: Jan Kiszka
> >> ---
> >> meta/recipes-devtools/buildchroot/buildchroot.inc | 4 +++-
> >> meta/recipes-devtools/buildchroot/files/configscript.sh | 4 ++--
> >> 2 files changed, 5 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/meta/recipes-devtools/buildchroot/buildchroot.inc > >> b/meta/recipes-devtools/buildchroot/buildchroot.inc index > >> 7dd909e..2c44db9 100644 --- > >> a/meta/recipes-devtools/buildchroot/buildchroot.inc +++ > >> b/meta/recipes-devtools/buildchroot/buildchroot.inc @@ -36,7 +36,9 > >> @@ do_build() { > >> # Configure root filesystem > >> sudo install -m 755 ${WORKDIR}/configscript.sh > >> ${BUILDCHROOT_DIR} > >> - sudo chroot ${BUILDCHROOT_DIR} /configscript.sh > >> + USER_ID=$(id -u) > >> + GROUP_ID=$(id -g) > >> + sudo chroot ${BUILDCHROOT_DIR} /configscript.sh $USER_ID > >> $GROUP_ID > >> sudo mount --bind ${DL_DIR} ${BUILDCHROOT_DIR}/downloads > >> } 
> >> diff --git > >> a/meta/recipes-devtools/buildchroot/files/configscript.sh > >> b/meta/recipes-devtools/buildchroot/files/configscript.sh index > >> 30660e7..7e49385 100644 --- > >> a/meta/recipes-devtools/buildchroot/files/configscript.sh +++ > >> b/meta/recipes-devtools/buildchroot/files/configscript.sh @@ -10,6 > >> +10,6 @@ locales locales/locales_to_be_generated multiselect > >> en_US.UTF-8 UTF-8 locales locales/default_environment_locale > >> select en_US.UTF-8 END -addgroup --quiet --system builder > >> -useradd --system --gid builder --no-create-home > >> --home /home/builder --no-user-group --comment "Isar buildchroot > >> build user" builder +addgroup --quiet --system builder --gid $2 > >> +useradd --system --uid $1 --gid builder --no-create-home > >> --home /home/builder --no-user-group --comment "Isar buildchroot > >> build user" builder chown -R builder:builder /home/builder > > >
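
Review bot: in the do_build() hunk of buildchroot.inc, USER_ID=$(id -u) and GROUP_ID=$(id -g) are taken from whoever runs the task and handed on unchecked, so a build started as root passes 0 and 0, and the useradd --uid 0 call in configscript.sh then asks for an ID that root already holds inside the chroot. Refuse or special-case uid/gid 0 before calling chroot, and quote the arguments ("$USER_ID" "$GROUP_ID") so that an empty result from id cannot shift the positional parameters.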
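
Review bot: in the configscript.sh hunk, addgroup ... --gid $2 and useradd ... --uid $1 use the positional parameters unquoted and without checking that they are set, numeric and still unassigned in the chroot's /etc/passwd and /etc/group. The script runs as root, so a missing or colliding value only surfaces as whatever error addgroup or useradd prints. Validate $1 and $2 at the top of the script, look them up with getent passwd "$1" and getent group "$2" before creating anything, and exit with a clear message on a collision. The script now requires two arguments, so a short usage comment at its top would help as well.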
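
The collision discussed in Henning's reply, as an added example that is not part of the original mail or of Isar: a POSIX shell check that a host uid/gid is still unassigned in a chroot's /etc/passwd and /etc/group before the builder account is created. The function names and the sample account files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Isar code. Function names and sample data are constructed.

# id_owner FILE ID: print the name holding numeric ID (field 3) in a passwd-
# or group-format file; exit status 1 if the ID is unassigned.
id_owner() {
    awk -F: -v id="$2" '$3 == id { print $1; found = 1; exit }
                        END { exit !found }' "$1"
}

# check_builder_ids ROOT UID GID: 0 if both IDs are free (or already belong
# to "builder") inside the chroot at ROOT, 1 on a collision, 2 on bad input.
check_builder_ids() {
    root=$1 uid=$2 gid=$3
    for v in "$uid" "$gid"; do
        case "$v" in
            ''|*[!0-9]*) echo "uid/gid must be numeric: '$v'" >&2; return 2 ;;
        esac
    done
    if owner=$(id_owner "$root/etc/passwd" "$uid") && [ "$owner" != builder ]; then
        echo "uid $uid is already '$owner' in $root" >&2; return 1
    fi
    if owner=$(id_owner "$root/etc/group" "$gid") && [ "$owner" != builder ]; then
        echo "gid $gid is already '$owner' in $root" >&2; return 1
    fi
    return 0
}

# Constructed sample: account files as they might look right after debootstrap.
make_sample_root() {
    d=$(mktemp -d) && mkdir "$d/etc" || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' > "$d/etc/passwd"
    printf '%s\n' 'root:x:0:' 'daemon:x:1:' > "$d/etc/group"
    echo "$d"
}

sample=$(make_sample_root)
check_builder_ids "$sample" 1000 1000 && echo "1000:1000 can be used for builder"
check_builder_ids "$sample" 1 1       || echo "1:1 collides with daemon"
check_builder_ids "$sample" 0 0       || echo "0:0 collides with root"
rm -rf "$sample"
```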