From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Wed, 25 Jun 2025 21:39:55 +0200 X-Sieve: CMU Sieve 2.4 Received: from mail-oa1-f55.google.com (mail-oa1-f55.google.com [209.85.160.55]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 55PJdJFf007318 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 25 Jun 2025 21:39:19 +0200 Received: by mail-oa1-f55.google.com with SMTP id 586e51a60fabf-2eb1763cb08sf226441fac.3 for ; Wed, 25 Jun 2025 12:39:19 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1750880353; cv=pass; d=google.com; s=arc-20240605; b=InKJLvcpWVexgVGiy7Ebsn8mc1FqBH7TcudAsSs3jQMmwnfM2blV8SRfL6NrjJtPYp QSLNeEiFiY+tSFeWSaSrFbmV/Oom2CzIQ8WMgkHXIPIU1oNwJWQpifPOuil8ZtgzVJuF SbREIraYAn+BjIJWJz6NSrsEFTLqCnyAuo4IMR8+j8Br6FeX35ueHQwHQlsridLSrkxB 7GH4XyZbQLZB+29/wh1T5jYfXpavsUn4wR5UqY7WiwjWN0OHLNRf0VGzc4dXOcRxhSFQ 9+ZNYrHgPAhq2wP9STGOV09ZJxB5b/jtS+5stFMpQerKq8pvwLoAD9BPvPTd2g5lwsCF msxw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:feedback-id:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=CneqdDxyBk8sGUcp1HDncRDWJiXE/o4BGkXSmc4YqZA=; fh=76/Tc/D7WJqUehoIcEhsNqL3WTUSzsnxOMTWqinBuoE=; b=YTwSCPBi4DB46MmuzVzCIeCzfCTqeF7XQFrbuhaNpbmQpSNYyHYbOZ3EIL1TXHXVdP pE/PHiA036KVsavgTC0ZoUQH/kKKwwD0LZYmeGTGiDyp40l//wr26IN5aqTkmyCuzQyF OQ/X8zaO3UsHB2Z6t5e3X7FOQNdjuOzuGyn7iox5aqYHeGXcREAk48Pc/Ao8vqH7sTMk VLLSsCQCF7Cyg6K5F/Q/mgR21wp01vq50UHF0DBOnwrZGMQiiWCgnk61e+zpyPH1Cm7X za0w0nIMklSxxedEEulr1RbYLLrNebOCQmqbdS6cI+AZzctTXEs3t/Xq9F4XovD10wez uc5A==; darn=ilbers.de ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=fm2 header.b=Q3F0HPEL; spf=pass (google.com: domain of fm-1212295-20250625193911897dc41b5d7bdd0a3f-qwmh_q@rts-flowmailer.siemens.com designates 185.136.64.228 as permitted sender) smtp.mailfrom=fm-1212295-20250625193911897dc41b5d7bdd0a3f-QwMh_Q@rts-flowmailer.siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1750880353; x=1751485153; darn=ilbers.de; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:feedback-id :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=CneqdDxyBk8sGUcp1HDncRDWJiXE/o4BGkXSmc4YqZA=; b=Q8D09pGkJquCs8H26btrEVOuXUIpSGLCgSQO0FHyDxHycM7u9AdaisF9WGaZV5VXaA WVuTuHxNhD0kRKnCUcqIQ4HHOCmW2LwiUFgbVWtx+HYidCtX47gtAnBwhGl2x2V1EP99 RA/9E1BSczHsEjcGumkULD08w56/oMg20/espNBGFo35rX+egBX358z3EFS7rhwgbdth VOaEKkvLPYPQgcoPZ4bf9L3m9fImmesiEFdIXOhX2JkUpigcm5QLx0OLegxCU8RAHEEs Wmnorwq/ww/afzNz1RRdxTg+cUB27dq0F3xVLKW42iduQhb/8t3WWuh4wNbzkDZOR0RZ Z6ww== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1750880353; x=1751485153; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:feedback-id :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:x-beenthere:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=CneqdDxyBk8sGUcp1HDncRDWJiXE/o4BGkXSmc4YqZA=; b=hD5s4pc63rFjONfJx+gMoXwNO43YPldORceWf79Oe2bPWRKkafcIzRY6GNl307H3yy J6j+KpGcUFsqhJIMmv3q/MnCBMwaGENEs9NcihtdB7Wn1MM1TUl/PnNmGIDjAcv/sGMx YGJM3ZXSnwzOqUZjS/51PWw7AGnsrFvNr8vVr3MkF6y1zh679gpoFZQcgrEIeQiACEap vQAEHPL7i1LI2Jg1JTKHax+tZOxC5iJ6y8nkhAFn8lFvVBwiaKxqOn8wvLrd8myekdLV k5O1VCN1yk4M/llv++uG2/JQ9u4rkYU+4MgrXat871YEJybowdGByASw+j68AdgQ22z1 dasA== X-Forwarded-Encrypted: i=2; AJvYcCWCMxK7lrLk/1OWmXoAMiRCzLbEff3Lb/NT8YOsv/Abz6ibGIgtt3+TA+qAUiG4iFnXhXst@ilbers.de X-Gm-Message-State: AOJu0YwnDjZUt9gg6Tp5CL//L/oFkRixmcK5coLIUv9Bi1czS3XIL6BJ 1Km9gj9Hb/m+NDHw1drWXFr6O+FKFMT1f2VsdaM0M1FQuBNnTvMAjvNv X-Google-Smtp-Source: AGHT+IEKi7IyJ/EsIUU3ouZQ3q8CYTbxBP/145gPO7BmOYh0kdpXWqL/KLNOh5Fl2QBsIWGjb466mQ== X-Received: by 2002:a05:6870:14d2:b0:29e:74a0:e03f with SMTP id 586e51a60fabf-2efb28cff1amr3132342fac.24.1750880353498; Wed, 25 Jun 2025 12:39:13 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com; h=AZMbMZen1B0Dywi/e3erzdIudia3TtPUezLHgIcl7VBNXfipFA== Received: by 2002:a05:6870:8895:b0:2ef:a100:ef09 with SMTP id 586e51a60fabf-2efcf1e218fls103610fac.1.-pod-prod-05-us; Wed, 25 Jun 2025 12:39:12 -0700 (PDT) X-Received: by 2002:a05:6870:523:b0:2c2:489d:887 with SMTP id 586e51a60fabf-2efb2785ed8mr2772898fac.17.1750880352470; Wed, 25 Jun 2025 12:39:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1750880352; cv=none; d=google.com; s=arc-20240605; b=OzpwfLig9p6l0WPvUKt4Guoc6b+MZR1o+j5suSjwzFSNZKXAPaa4tzV1m3IXSYVu1B 5VRRTwFpEEOvaKnx1RMpnk+MBVWcZ+JL8B7I15FcuoP0bE3eeGlCfavYMJaOrZIXxd+D n0nPh6WUl15RFYukUUkuTP1O6IHkFVROa9TVhgQHutSITVn0lbT8/04Zkv8DNJ7LEpEv vCiSpk+I+1DMdw+X7cv324O/4ExVUGaRFLmmIaYZBrxdMllDdwOoi1Hz18i3sDb3LC7x ghrd01hgsb1hEU77M0LMTAgcoJvt/3x5u616hoJ6uxCy3FmMrBfsR/AXeCWq6BfzE9wx cSmA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=feedback-id:content-transfer-encoding:mime-version:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature; bh=mvTyPKqF/HhvlcQg1J4QaDOEhGPsC7k77eftIndRXTg=; fh=D/q4xMKxZDyLo2GtmwQ/2prSr9aCFD3HVqTCj43epLY=; b=Nkz0ZXPLn7A0nF6KQPiJP7oXqI2kkXqmGmhDlk+MjuH4vHtsMgy+aoLmScuyD68Hou LlIeCyluCh4Gt1ujO5TtEdMd63GbObSYpYGxc5z7i9+EvwU8Pkb81j9iaVWLPVSttCiE sZHWacHcHT5TkRX6/vR1TD0IMVx78V87mcpXRYMkdM+ToBHreCT71H9qZ/3Xm0yfRF+f hmva9Nii5w+UEaHWrNQDl5jud0RDXVUKNqnONrkb+0F5s9QKJdPXBUwxA9XwvAgsUF9q NAoePRjo8bGmMdBDg9mis5VuEKt4z0vHIvjzR5dIdl5xHtNkmkyye7ojkE+SNKSUiWnI bf0A==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=fm2 header.b=Q3F0HPEL; spf=pass (google.com: domain of fm-1212295-20250625193911897dc41b5d7bdd0a3f-qwmh_q@rts-flowmailer.siemens.com designates 185.136.64.228 as permitted sender) smtp.mailfrom=fm-1212295-20250625193911897dc41b5d7bdd0a3f-QwMh_Q@rts-flowmailer.siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net. [185.136.64.228]) by gmr-mx.google.com with ESMTPS id 586e51a60fabf-2ee58bfe510si558381fac.0.2025.06.25.12.39.12 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 25 Jun 2025 12:39:12 -0700 (PDT) Received-SPF: pass (google.com: domain of fm-1212295-20250625193911897dc41b5d7bdd0a3f-qwmh_q@rts-flowmailer.siemens.com designates 185.136.64.228 as permitted sender) client-ip=185.136.64.228; Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20250625193911897dc41b5d7bdd0a3f for ; Wed, 25 Jun 2025 21:39:12 +0200 From: "'Cedric Hombourger' via isar-users" To: isar-users@googlegroups.com Cc: felix.moessbauer@siemens.com, Cedric Hombourger Subject: [PATCH v3 6/6] rootfs: do not get elevated privileges when downloading packages Date: Thu, 26 Jun 2025 03:37:48 +0800 Message-Id: <20250625193748.2681-7-cedric.hombourger@siemens.com> In-Reply-To: <20250625193748.2681-1-cedric.hombourger@siemens.com> References: <20250625193748.2681-1-cedric.hombourger@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-1212295:519-21489:flowmailer X-Original-Sender: cedric.hombourger@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=fm2 header.b=Q3F0HPEL; spf=pass (google.com: domain of fm-1212295-20250625193911897dc41b5d7bdd0a3f-qwmh_q@rts-flowmailer.siemens.com designates 185.136.64.228 as permitted sender) smtp.mailfrom=fm-1212295-20250625193911897dc41b5d7bdd0a3f-QwMh_Q@rts-flowmailer.siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Cedric Hombourger Reply-To: Cedric Hombourger Content-Type: text/plain; charset="UTF-8" Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-TUID: AGOyJNpMsgQy Use rootfs_cmd() to run "apt-get install --download-only" without sudo. This requires /var/cache/apt/archives/ to be writable by the build user: change ownership while populating that folder with previously downloaded packages (those in downloads/deb/). Signed-off-by: Cedric Hombourger --- meta/classes/deb-dl-dir.bbclass | 21 ++++++++++++++++++--- meta/classes/rootfs.bbclass | 16 +++++++++++++--- 2 files changed, 31 insertions(+), 6 deletions(-) diff --git a/meta/classes/deb-dl-dir.bbclass b/meta/classes/deb-dl-dir.bbclass index 7026f4f4..7fe052ef 100644 --- a/meta/classes/deb-dl-dir.bbclass +++ b/meta/classes/deb-dl-dir.bbclass @@ -100,9 +100,24 @@ dbg_pkgs_download() { deb_dl_dir_import() { export pc="${DEBDIR}/${2}" export rootfs="${1}" - sudo mkdir -p "${rootfs}"/var/cache/apt/archives/ + export uid=$(id -u) + export gid=$(id -g) + + # let our unprivileged user place downloaded packages in /var/cache/apt/archives/ + sudo -Es << ' EOSUDO' + mkdir -p "${rootfs}"/var/cache/apt/archives/partial/ + touch "${rootfs}"/var/cache/apt/archives/lock + chown -R ${uid}:${gid} "${rootfs}"/var/cache/apt/archives/ + EOSUDO + + # nothing to copy if download directory does not exist just yet [ ! -d "${pc}" ] && return 0 - flock -s "${pc}".lock sudo -Es << 'EOSUDO' + + # attempt to create hard-links for .deb files from downloads/ into + # /var/cache/apt/archives/ so apt will only download packages we + # have not yet downloaded. perform a regular copy whenever hard-links + # cannot be created + ( flock 9 set -e printenv | grep -q BB_VERBOSE_LOGS && set -x @@ -111,7 +126,7 @@ deb_dl_dir_import() { ln -Pf -t "${rootfs}"/var/cache/apt/archives/ "$p" 2>/dev/null || cp -n --no-preserve=owner -t "${rootfs}"/var/cache/apt/archives/ "$p" done -EOSUDO + ) 9>"${pc}".lock } deb_dl_dir_export() { diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index 429494ae..977bbec8 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass @@ -277,10 +277,20 @@ ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_download" rootfs_install_pkgs_download[weight] = "600" rootfs_install_pkgs_download[progress] = "custom:rootfs_progress.PkgsDownloadProgressHandler" rootfs_install_pkgs_download[isar-apt-lock] = "release-after" -rootfs_install_pkgs_download[network] = "${TASK_USE_NETWORK_AND_SUDO}" +rootfs_install_pkgs_download[network] = "${TASK_USE_NETWORK}" rootfs_install_pkgs_download() { - sudo -E chroot '${ROOTFSDIR}' \ - /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only ${ROOTFS_PACKAGES} + mkdir -p "${WORKDIR}/dpkg" + + # Use our own dpkg lock files rather than those in the rootfs since we are not root + # (this is safe as there are no concurrent apt/dpkg operations for that rootfs) + touch "${WORKDIR}/dpkg/lock" "${WORKDIR}/dpkg/lock-frontend" + + # download packages using apt in a non-privileged namespace + rootfs_cmd --bind "${ROOTFSDIR}/var/cache/apt/archives" /var/cache/apt/archives \ + --bind "${WORKDIR}/dpkg/lock" /var/lib/dpkg/lock \ + --bind "${WORKDIR}/dpkg/lock-frontend" /var/lib/dpkg/lock-frontend \ + ${ROOTFSDIR} \ + -- /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only ${ROOTFS_PACKAGES} } ROOTFS_INSTALL_COMMAND_BEFORE_EXPORT ??= "" -- 2.39.5 -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/20250625193748.2681-7-cedric.hombourger%40siemens.com.