Subject: Re: [PATCH] buildchroot: build debian packages as "builder" not "root"
To: Henning Schild, isar-users@googlegroups.com
References: <20181026104914.25581-1-henning.schild@siemens.com>
From: "Maxim Yu. Osipov"
Organization: ilbers GmbH
Message-ID: <39e313fd-0382-bbe0-db27-bc1ad8902f4b@ilbers.de>
Date: Thu, 1 Nov 2018 16:27:22 +0300
In-Reply-To: <20181026104914.25581-1-henning.schild@siemens.com>

On 10/26/18 1:49 PM, Henning Schild wrote:
> We used to build packages as "root" and now do that as a regular user.
> Not building as "root" allows us to find mistakes in debian/rules where
> privileged operations are used while they should not (a sudo was
> found in a rules-file). Further some build steps might actually expect
> to not run as root (seen in openssl test suite).
>
> Not building as root should increase overall quality and brings us
> closer to how debian packages are built by others.

Applied to the 'next',

Thanks,
Maxim.

> Signed-off-by: Henning Schild
> --- > meta/recipes-devtools/buildchroot/buildchroot-target.bb | 3 ++- > meta/recipes-devtools/buildchroot/files/build.sh | 6 ++++-- > meta/recipes-devtools/buildchroot/files/configscript.sh | 4 ++++ > 3 files changed, 10 insertions(+), 3 deletions(-) > > diff --git a/meta/recipes-devtools/buildchroot/buildchroot-target.bb b/meta/recipes-devtools/buildchroot/buildchroot-target.bb > index 42f47fc..c342625 100644 > --- a/meta/recipes-devtools/buildchroot/buildchroot-target.bb > +++ b/meta/recipes-devtools/buildchroot/buildchroot-target.bb > @@ -18,6 +18,7 @@ BUILDCHROOT_PREINSTALL ?= "gcc \ > apt \ > automake \ > devscripts \ > - equivs" > + equivs \ > + adduser" > > do_build[depends] = "isar-apt:do_cache_config isar-bootstrap-target:do_bootstrap" > diff --git a/meta/recipes-devtools/buildchroot/files/build.sh b/meta/recipes-devtools/buildchroot/files/build.sh > index e74bc14..d98eb2e 100644 > --- a/meta/recipes-devtools/buildchroot/files/build.sh 
> +++ b/meta/recipes-devtools/buildchroot/files/build.sh > @@ -14,5 +14,7 @@ for i in configure aclocal.m4 Makefile.am Makefile.in; do > fi > done > > -# Build the package > -dpkg-buildpackage -a$target_arch -d --source-option=-I > +# Build the package as user "builder" > +chown -R builder:builder $1 # the sources > +chown builder:builder $1/.. # the output > +su - builder -c "cd $1; dpkg-buildpackage -a$target_arch -d --source-option=-I" > diff --git a/meta/recipes-devtools/buildchroot/files/configscript.sh b/meta/recipes-devtools/buildchroot/files/configscript.sh > index d591c2a..30660e7 100644 > --- a/meta/recipes-devtools/buildchroot/files/configscript.sh > +++ b/meta/recipes-devtools/buildchroot/files/configscript.sh > @@ -9,3 +9,7 @@ debconf-set-selections < locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8 > locales locales/default_environment_locale select en_US.UTF-8 > END > + > +addgroup --quiet --system builder > +useradd --system --gid builder --no-create-home --home /home/builder --no-user-group --comment "Isar buildchroot build user" builder > +chown -R builder:builder /home/builder > -- Maxim Osipov ilbers GmbH Maria-Merian-Str. 8 85521 Ottobrunn Germany +49 (151) 6517 6917 mosipov@ilbers.de http://ilbers.de/ Commercial register Munich, HRB 214197 General Manager: Baurzhan Ismagulov
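
Review bot: In the buildchroot-target.bb hunk, the new "adduser" entry in BUILDCHROOT_PREINSTALL is needed only for the "addgroup --quiet --system builder" call in configscript.sh; the account itself is created with useradd, which comes from the passwd package. Creating the group with "groupadd --system builder" would keep both steps in one tool family and make the extra package unnecessary. If adduser stays, a short comment next to it saying it is there for the builder account setup would help whoever trims this list later.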
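
Review bot: In the build.sh hunk, the command string passed to su uses "cd $1;", so when the cd fails dpkg-buildpackage still runs, from wherever the login shell started instead of the source tree; "cd $1 &&" would stop there instead. $1 is also unquoted in both chown calls and is expanded into a string that builder's shell parses a second time, so a path containing spaces or shell metacharacters is split or interpreted; quoting it in the chown calls and handing it to the inner shell as a positional argument avoids that. Because "su -" starts a login shell with a fresh environment, anything the outer script exported for the build is not seen by dpkg-buildpackage, which deserves a comment stating that this is intended.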
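
Review bot: In the configscript.sh hunk, useradd is called with --no-create-home and none of the added lines creates /home/builder, so the following "chown -R builder:builder /home/builder" fails unless the directory already exists from somewhere else. Either switch to --create-home or add "mkdir -p /home/builder" before the chown. useradd also exits non-zero when the account already exists, so a guard such as "getent passwd builder" in front of it would make the script safe to run a second time.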