From: Daan De Meyer Date: Sun, 7 Apr 2024 13:56:21 +0000 (+0200) Subject: Make sure the build directory is owner by root (in the userns) X-Git-Tag: v23~23^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e3cee40fe9c92fbd0c8da69d5cfec0cc43ccecc;p=thirdparty%2Fmkosi.git Make sure the build directory is owner by root (in the userns) The build directory will (unless mkosi-as-caller is used) contain files owned by root (in the userns). To make sure the correct uidmap is used when using this directory in RuntimeTrees=, let's make sure the directory is owned by root (in the userns).
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index f7c3c8395..a89b70663 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -4330,16 +4330,20 @@ def run_build(args: Args, config: Config, *, resources: Path) -> None:
 p.mkdir(parents=True, exist_ok=True)
 INVOKING_USER.chown(p)
- # Discard setuid/setgid bits as these are inherited and can leak into the image.
- if config.build_dir:
- config.build_dir.chmod(stat.S_IMODE(config.build_dir.stat().st_mode) & ~(stat.S_ISGID|stat.S_ISUID))
-
 if (uid := os.getuid()) != 0:
 become_root()
 unshare(CLONE_NEWNS)
 if uid == 0:
 run(["mount", "--make-rslave", "/"])
+ if config.build_dir:
+ # Make sure the build directory is owned by root (in the user namespace) so that the correct uid-mapping is
+ # applied if it is used in RuntimeTrees=
+ os.chown(config.build_dir, os.getuid(), os.getgid())
+
+ # Discard setuid/setgid bits as these are inherited and can leak into the image.
+ config.build_dir.chmod(stat.S_IMODE(config.build_dir.stat().st_mode) & ~(stat.S_ISGID|stat.S_ISUID))
+
 # For extra safety when running as root, remount a bunch of stuff read-only.
 # Because some build systems use output directories in /usr, we only remount
 # /usr read-only if the output directory is not relative to it.
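Review bot: The added `os.chown(config.build_dir, ...)` and the `stat()`/`chmod()` pair after it each resolve `config.build_dir` by path and follow symlinks, and they now run after `become_root()` (or as real root when `uid == 0`), so the three calls are not guaranteed to act on the same inode. Whether anything else can write to the parent of the build directory is not visible in this hunk, so treat this as hardening rather than a confirmed bug: open the directory once with `O_DIRECTORY` and apply the ownership and mode changes through that descriptor. The comment says "owned by root" while the call passes `os.getuid()`/`os.getgid()`; a short remark that both are expected to be 0 at this point would make the dependency on the preceding `become_root()` explicit. run_build's body starts and ends outside the hunk.

```python
    if config.build_dir:
        # … unchanged: the two explanatory comments …
        fd = os.open(config.build_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
        try:
            os.fchown(fd, os.getuid(), os.getgid())
            os.fchmod(fd, stat.S_IMODE(os.fstat(fd).st_mode) & ~(stat.S_ISGID | stat.S_ISUID))
        finally:
            os.close(fd)
```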