Date: Mon, 12 Nov 2018 11:06:25 +0100
From: Henning Schild
To: Jan Kiszka
Cc: isar-users
Subject: Re: [PATCH] buildchroot: Align UID and GID of builder user with caller
Message-ID: <20181112110625.1f55f7a5@md1za8fc.ad001.siemens.net>

On Mon, 12 Nov 2018 10:52:22 +0100, Jan Kiszka wrote:

> On 12.11.18 10:42, Henning Schild wrote:
> > On Mon, 12 Nov 2018 10:19:54 +0100, Jan Kiszka wrote:
> >
> >> On 12.11.18 10:16, [ext] Henning Schild wrote:
> >>> I am afraid that this is not correct. The ids you are taking from
> >>> the "host" might be taken inside the chroot. As a result creating
> >>> the user/group would fail. Chances might be low ... This also
> >>> assumes that
> >>
> >> Really? I thought that these commands are run very early during
> >> bootstrap where there are no other users - if not, that would be a
> >> bug.
> >
> > I think the only uid/gid you can really be sure about is 0. 1 could
> > already be a regular user on the host, and 1 is "daemon" on a
> > current Debian ... probably there right after debootstrap.
>
> Let me check if we can move the ID assignment earlier, to reduce that
> risk.

I will look into it. Knowing a problem and reducing the risk is not good
enough.

> >
> > 1000 being the first "user" is more a convention than something you
> > can rely on for any host. (/etc/login.defs UID_MIN/MAX etc.)
>
> We are talking about transferring the IDs from the host Debian to
> the buildchroot Debian - is there really a realistic risk of friction?

Now you are assuming that everyone is using your container ;). While
this is helpful I would like to allow anyone to build without Docker,
given they have a few Debian utils on their machine.

> If we can't solve that sync problem, we need to revert to running as
> root, I'm afraid. The current model is broken.

I will send a follow-up patch ... maybe today. The reproduction build is
already running. Did you see it in any other package than u-boot? Maybe
the u-boot recipes are broken? I still do not see how a file formerly
owned by root:root can cause problems as 1000:1000 ... but I guess I
will understand that once I can reproduce.

Henning

> Jan
>
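
The collision discussed in this message (a host UID/GID that is already assigned inside the chroot, such as 1 for "daemon") can be checked before the user is created. The script below is an added example, not code from Isar or from this thread; the function names, the user name `builder` and the sample account files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether a UID/GID pair is free inside a chroot
# before creating the builder user there. All names are assumptions.

# Print the name that owns numeric ID $2 in the passwd- or group-format
# file $1 (field 3 is the numeric ID in both). Prints nothing if unused.
id_owner() {
    awk -F: -v id="$2" '$3 == id { print $1; exit }' "$1"
}

# check_ids ROOT NAME UID GID
# Returns 0 if both IDs are unused or already belong to NAME, 1 otherwise.
check_ids() {
    root=$1 name=$2 uid=$3 gid=$4 rc=0
    u=$(id_owner "$root/etc/passwd" "$uid")
    g=$(id_owner "$root/etc/group" "$gid")
    if [ -n "$u" ] && [ "$u" != "$name" ]; then
        echo "uid $uid already used by '$u' in $root" >&2
        rc=1
    fi
    if [ -n "$g" ] && [ "$g" != "$name" ]; then
        echo "gid $gid already used by '$g' in $root" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample: a minimal account database as it might look right
# after debootstrap (not taken from a real build).
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        '_apt:x:100:65534::/nonexistent:/usr/sbin/nologin' > "$d/etc/passwd"
    printf '%s\n' 'root:x:0:' 'daemon:x:1:' 'nogroup:x:65534:' > "$d/etc/group"
    echo "$d"
}

SAMPLE_ROOT=$(make_sample_root)
check_ids "$SAMPLE_ROOT" builder 1000 1000 && echo "1000:1000 is free"
check_ids "$SAMPLE_ROOT" builder 1 1 || echo "1:1 collides"
# The caller's own IDs, which is what the patch under discussion transfers.
check_ids "$SAMPLE_ROOT" builder "$(id -u)" "$(id -g)" || echo "caller IDs collide"
```

Pointing `check_ids` at a real buildchroot directory instead of the sample shows whether the caller's IDs are already assigned there.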