83 lines
3.3 KiB
Diff
83 lines
3.3 KiB
Diff
From 9a77c45e4192df1b89a3631aa3ce379922c4bf5c Mon Sep 17 00:00:00 2001
|
|
From: Eli Schwartz <eschwartz@archlinux.org>
|
|
Date: Tue, 11 Apr 2023 13:11:00 -0400
|
|
Subject: [PATCH 1/2] minstall: do not drop privileges if msetup also ran under
|
|
sudo
|
|
|
|
A user might run `sudo somewrapper` to build and install something with
|
|
meson, and it is not actually possible to drop privileges and build,
|
|
since the build directory is also owned by root.
|
|
|
|
A common case of this is `sudo pip install` for projects using
|
|
meson-python or other python build-backends that wrap around meson.
|
|
|
|
Fixes #11665
|
|
---
|
|
mesonbuild/minstall.py | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
diff --git a/mesonbuild/minstall.py b/mesonbuild/minstall.py
|
|
index c4de5c2c25b..04726b08af7 100644
|
|
--- a/mesonbuild/minstall.py
|
|
+++ b/mesonbuild/minstall.py
|
|
@@ -788,6 +788,10 @@ def drop_privileges() -> T.Tuple[T.Optional[EnvironOrDict], T.Optional[T.Callabl
|
|
else:
|
|
return None, None
|
|
|
|
+ if os.stat(os.path.join(wd, 'build.ninja')).st_uid != int(orig_uid):
|
|
+ # the entire build process is running with sudo, we can't drop privileges
|
|
+ return None, None
|
|
+
|
|
env['USER'] = orig_user
|
|
env['HOME'] = homedir
|
|
|
|
|
|
From 3bc2236c59249f44f20f8b52ddcd7a44938ea2f0 Mon Sep 17 00:00:00 2001
|
|
From: Eli Schwartz <eschwartz@archlinux.org>
|
|
Date: Tue, 11 Apr 2023 12:42:36 -0400
|
|
Subject: [PATCH 2/2] minstall: work around broken environments with missing
|
|
UIDs
|
|
|
|
Running some container-like mechanisms such as chroot(1) from sudo, can
|
|
result in a new isolated environment where the environment variables
|
|
exist but no users exist. From there, a build is performed as root but
|
|
installation fails when we try to look up the passwd database entry for
|
|
the user outside of the chroot.
|
|
|
|
Proper container mechanisms such as systemd-nspawn, and even improper
|
|
ones like docker, sanitize this and ensure those stale environment
|
|
variables don't exist anymore. But chroot is very low-level.
|
|
|
|
Avoid crashing when this happens.
|
|
|
|
Fixes #11662
|
|
---
|
|
mesonbuild/minstall.py | 12 ++++++++++--
|
|
1 file changed, 10 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/mesonbuild/minstall.py b/mesonbuild/minstall.py
|
|
index 04726b08af7..b9fe7d58d8d 100644
|
|
--- a/mesonbuild/minstall.py
|
|
+++ b/mesonbuild/minstall.py
|
|
@@ -778,10 +778,18 @@ def drop_privileges() -> T.Tuple[T.Optional[EnvironOrDict], T.Optional[T.Callabl
|
|
orig_user = env.pop('SUDO_USER')
|
|
orig_uid = env.pop('SUDO_UID', 0)
|
|
orig_gid = env.pop('SUDO_GID', 0)
|
|
- homedir = pwd.getpwuid(int(orig_uid)).pw_dir
|
|
+ try:
|
|
+ homedir = pwd.getpwuid(int(orig_uid)).pw_dir
|
|
+ except KeyError:
|
|
+ # `sudo chroot` leaves behind stale variable and builds as root without a user
|
|
+ return None, None
|
|
elif os.environ.get('DOAS_USER') is not None:
|
|
orig_user = env.pop('DOAS_USER')
|
|
- pwdata = pwd.getpwnam(orig_user)
|
|
+ try:
|
|
+ pwdata = pwd.getpwnam(orig_user)
|
|
+ except KeyError:
|
|
+ # `doas chroot` leaves behind stale variable and builds as root without a user
|
|
+ return None, None
|
|
orig_uid = pwdata.pw_uid
|
|
orig_gid = pwdata.pw_gid
|
|
homedir = pwdata.pw_dir
|