Bug 749722

Summary: Latest mock breaks usage of yum in buildroot
Product: [Fedora] Fedora
Reporter: Mathieu Bridon <bochecha>
Component: mock
Assignee: Clark Williams <williams>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 14
CC: mebrown, susi.lehtola, williams
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-06-21 17:28:54 UTC
Bug Blocks: 749979
Attachments:
- Patch to make uid/gid handling with --shell similar to previous behavior (flags: none)
- Patch to make uid/gid handling with --shell similar to previous behavior (flags: none)

Description Mathieu Bridon 2011-10-28 03:37:08 UTC
Description of problem:
Sometimes, when debugging a failed build, I will run the mock shell and try a few things.

Some of those things might involve installing a few tools in the buildroot (I have a mock config which installs yum in the chroot for those times I need it).

With the latest update to mock that reworks the shell, this is what I get now:
  <mock-chroot>[mockbuild@bochecha build]$ yum install vim
  You need to be root to perform this command.

This is with mock-1.1.16-1.fc14.noarch

Sure, it's possible to run mock --install, but then it's not ideal because I have to exit the chroot, install the tool, go back in the chroot, start some debugging, realize I need another tool to go further, exit the chroot, wash, rinse, repeat...

The update notice says:
  Hopefully doing this doesn't break existing usage of --chroot and
  --shell but if it does please report it as a BZ so we can fix it.

There you go, the update breaks my existing usage of --shell. :)

Or is it absolutely undesirable to have the kind of permissions that yum requires inside the chroot?

Note: I'm running mock on Fedora 14 because I haven't had time to upgrade my workstation yet, but I guess the issue is also present on all Fedora that have the same mock version.

Comment 1 Clark Williams 2011-10-29 15:39:04 UTC
*** Bug 749979 has been marked as a duplicate of this bug. ***

Comment 2 Clark Williams 2011-10-29 15:48:52 UTC
I appreciate the BZ's :)

When I reworked the shell/chroot logic I must have broken the uid/gid setting logic, so I'll look at it and see if I can bring us back to the previous behavior. 

I also need to look at the implications of someone running a root-shell inside the chroot. I personally don't have a problem with someone doing this on their own box, but I suspect the security folks would have a problem with interactive root shells on the Fedora builders. Maybe I'll add a config that disables root shells while I'm at it...

Comment 3 Clark Williams 2011-10-29 17:49:26 UTC
Created attachment 530795
Patch to make uid/gid handling with --shell similar to previous behavior

This patch makes the default uid/gid inside a --shell chroot be root/root. This behavior may be changed by two mechanisms:

1. The --unpriv option, meaning the uid/gid will be mockbuild/mockbuild
2. The config option 'no_root_shells' which disallows any interactive root shells inside the chroot. 

Please try this patch and let me know if it fixes your issues.

Comment 4 Susi Lehtola 2011-10-29 18:15:07 UTC
Since this isn't a patch that can be run on a vanilla system, please provide a koji scratch built rpm...

Comment 5 Mathieu Bridon 2011-10-31 04:46:02 UTC
I just applied the patch on the latest mock for Fedora 14 and have verified that:
- by default, uid/gid are root inside the shell, so I could run a yum install without any issue, as I could previously.
- the --unpriv option works as advertised: uid/gid are mockbuild and I can't run a yum install command.

About the --no_root_shells, is it supposed to be an "always --unpriv" option (i.e. when running a --shell even without --unpriv, it is implied)?

That's what I had understood from your comment, but it seems like it plainly refuses to run a shell if you don't also specify --unpriv.

If that's expected then the patch works great. Thanks for being so quick! :)

Comment 6 Clark Williams 2011-10-31 13:50:30 UTC
(In reply to comment #5)
> I just applied the patch on the latest mock for Fedora 14 and have verified
> that:
> - by default, uid/gid are root inside the shell, so I could run a yum install
> without any issue, as I could previously.
> - the --unpriv option works as advertised: uid/gid are mockbuild and I can't
> run a yum install command.

Good!

> 
> About the --no_root_shells, is it supposed to be a "always --unpriv" option
> (i.e when running a --shell even without --unpriv, it is implied)?
> 
> That's what I had understood from your comment, but it seems like it plainly
> refuses to run a shell if you don't also specify --unpriv.
> 
> If that's expected then the patch works great. Thanks for being so quick! :)

Sigh, no, if you set no_root_shells then it should imply --nopriv. Lemme see what I did wrong there...

Comment 7 Clark Williams 2011-10-31 13:56:54 UTC
Created attachment 530978
Patch to make uid/gid handling with --shell similar to previous behavior

Fix unintended behavior from previous patch. Using the 'no_root_shells' config should imply the --unpriv behavior (i.e. uid's are forced to mockbuild id's).
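
The shell credential policy from comments 3 and 7, next to the refusal behaviour reported in comment 5, as an added example that is not part of this bug thread and is not mock's code. It goes one step beyond the thread by sketching an irreversible uid/gid switch for the unprivileged case. All function names, the error message and the mockbuild ids are hypothetical or constructed.

```python
import os
from collections import namedtuple

# Hypothetical names throughout; this is not taken from mock's source.
Creds = namedtuple("Creds", "uid gid")
ROOT = Creds(0, 0)
MOCKBUILD = Creds(1000, 1000)  # constructed ids standing in for mockbuild/mockbuild


def shell_creds(unpriv, no_root_shells):
    """Credentials for an interactive --shell as intended in comment 7.

    Default is root/root; --unpriv selects mockbuild; the no_root_shells
    config option implies --unpriv rather than refusing the shell.
    """
    if unpriv or no_root_shells:
        return MOCKBUILD
    return ROOT


def shell_creds_first_patch(unpriv, no_root_shells):
    """Behaviour reported in comment 5: refuse unless --unpriv is also given."""
    if no_root_shells and not unpriv:
        raise PermissionError("interactive root shells are disabled")  # constructed text
    return MOCKBUILD if unpriv else ROOT


def drop_to(creds):
    """Switch the current process to creds so that root cannot be regained.

    Intended for the child process that will exec the shell. Requires root.
    """
    if creds == ROOT:
        return  # nothing to drop
    os.setgroups([])                                # clear supplementary groups first
    os.setresgid(creds.gid, creds.gid, creds.gid)   # gids while still privileged
    os.setresuid(creds.uid, creds.uid, creds.uid)   # uid last; also clears saved uid
    try:
        os.setuid(0)                                # must fail after a complete drop
    except PermissionError:
        return
    raise RuntimeError("privilege drop did not stick")
```

On a shared builder the relevant property is that no combination of options yields ROOT once no_root_shells is set.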