public inbox for isar-users@googlegroups.com
From: "Maxim Yu. Osipov" <mosipov@ilbers.de>
To: Henning Schild <henning.schild@siemens.com>, isar-users@googlegroups.com
Subject: Re: [PATCH] buildchroot: build debian packages as "builder" not "root"
Date: Thu, 1 Nov 2018 16:27:22 +0300
Message-ID: <39e313fd-0382-bbe0-db27-bc1ad8902f4b@ilbers.de>
In-Reply-To: <20181026104914.25581-1-henning.schild@siemens.com>

On 10/26/18 1:49 PM, Henning Schild wrote:
> We used to build packages as "root" and now do that as a regular user.
> Not building as "root" allows us to find mistakes in debian/rules where
> privileged operations are used while they should not (a sudo was
> found in a rules-file). Further some build steps might actually expect
> to not run as root (seen in openssl test suite).
> 
> Not building as root should increase overall quality and brings us
> closer to how debian packages are built by others.

Applied to the 'next',

Thanks,
Maxim.

> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>   meta/recipes-devtools/buildchroot/buildchroot-target.bb | 3 ++-
>   meta/recipes-devtools/buildchroot/files/build.sh        | 6 ++++--
>   meta/recipes-devtools/buildchroot/files/configscript.sh | 4 ++++
>   3 files changed, 10 insertions(+), 3 deletions(-)
> 
> diff --git a/meta/recipes-devtools/buildchroot/buildchroot-target.bb b/meta/recipes-devtools/buildchroot/buildchroot-target.bb
> index 42f47fc..c342625 100644
> --- a/meta/recipes-devtools/buildchroot/buildchroot-target.bb
> +++ b/meta/recipes-devtools/buildchroot/buildchroot-target.bb
> @@ -18,6 +18,7 @@ BUILDCHROOT_PREINSTALL ?= "gcc \
>                              apt \
>                              automake \
>                              devscripts \
> -                           equivs"
> +                           equivs \
> +                           adduser"
>   
>   do_build[depends] = "isar-apt:do_cache_config isar-bootstrap-target:do_bootstrap"
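Review bot: The new `adduser` entry sits inside a `?=` default, so any configuration that sets its own BUILDCHROOT_PREINSTALL drops it, while configscript.sh in this same patch calls `addgroup` unconditionally. Either document that overrides must keep `adduser`, or add it in a way an override cannot remove. The dependency is also only needed for the single `addgroup` call, since the user itself is created with `useradd`.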
> diff --git a/meta/recipes-devtools/buildchroot/files/build.sh b/meta/recipes-devtools/buildchroot/files/build.sh
> index e74bc14..d98eb2e 100644
> --- a/meta/recipes-devtools/buildchroot/files/build.sh
> +++ b/meta/recipes-devtools/buildchroot/files/build.sh
> @@ -14,5 +14,7 @@ for i in configure aclocal.m4 Makefile.am Makefile.in; do
>       fi
>   done
>   
> -# Build the package
> -dpkg-buildpackage -a$target_arch -d --source-option=-I
> +# Build the package as user "builder"
> +chown -R builder:builder $1 # the sources
> +chown builder:builder $1/.. # the output
> +su - builder -c "cd $1; dpkg-buildpackage -a$target_arch -d --source-option=-I"
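Review bot: `$1` is unquoted in both `chown` calls and is interpolated into the `su -c` string by the root shell, so a source path containing spaces or shell metacharacters is split or re-interpreted before the unprivileged shell ever sees it; quote it in the `chown` lines and pass it to the inner command in a form that survives the second parse. In the same line, `cd $1;` should be `cd "$1" &&`, otherwise a failed `cd` still runs dpkg-buildpackage from the builder's home directory. Note also that `su -` starts a login shell with a reset environment: `$target_arch` survives because the outer shell expands it, but anything exported earlier in build.sh does not reach the build, which deserves a comment.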
> diff --git a/meta/recipes-devtools/buildchroot/files/configscript.sh b/meta/recipes-devtools/buildchroot/files/configscript.sh
> index d591c2a..30660e7 100644
> --- a/meta/recipes-devtools/buildchroot/files/configscript.sh
> +++ b/meta/recipes-devtools/buildchroot/files/configscript.sh
> @@ -9,3 +9,7 @@ debconf-set-selections <<END
>   locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8
>   locales locales/default_environment_locale select en_US.UTF-8
>   END
> +
> +addgroup --quiet --system builder
> +useradd --system --gid builder --no-create-home --home /home/builder --no-user-group --comment "Isar buildchroot build user" builder
> +chown -R builder:builder /home/builder
> 
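Review bot: `useradd` is called with `--no-create-home --home /home/builder` and the next line runs `chown -R builder:builder /home/builder`, but nothing in this hunk creates that directory, so the `chown` depends on /home/builder already existing from somewhere else. Create it explicitly before the `chown` (or let `useradd` create it) and say in a comment where it is expected to come from. The hunk also mixes `addgroup` (adduser package) with `useradd`; using the matching low-level group tool would remove the extra package dependency added in buildchroot-target.bb. Neither command is guarded against the group or user already existing, so a second run of configscript.sh on the same chroot will fail here.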


-- 
Maxim Osipov
ilbers GmbH
Maria-Merian-Str. 8
85521 Ottobrunn
Germany
+49 (151) 6517 6917
mosipov@ilbers.de
http://ilbers.de/
Commercial register Munich, HRB 214197
General Manager: Baurzhan Ismagulov
