Created attachment 511366 [details]
Patch to fix the regression

Description of problem:
Once upon a time (before mock 1.0.14 and 1.1.8), you could set config_opts['chrootgid'] in site-defaults.cfg and twiddle a few permissions and run mock using a group other than the default "mock". When a check for proper group membership was added (http://git.fedorahosted.org/git/?p=mock.git;a=commit;h=aeab2873f30f9d14597d936d42e46a751c4ca897; https://bugzilla.redhat.com/show_bug.cgi?id=662223), the mock group was hard-coded in.

Unix groups are precious; we can't waste one of our 16 valuable groups on an extraneous mock group. I've attached a patch to fix this regression and once again allow mock to run as a user-configurable group.

Version-Release number of selected component (if applicable):
>= 1.0.14 and >= 1.1.8

How reproducible:
All the time.

Steps to Reproduce:
1. Set config_opts['chrootgid'] to something non-default in site-defaults.cfg
2. Set appropriate group ownership of /var/lib/mock and /var/cache/mock

Actual results:
Mock complains (in a stack trace!) that you're not a member of the mock group:

[...ugliness snipped...]
RuntimeError: Must be member of 'mock' group to run mock! ([...])

Expected results:
Mock should run nicely.

Additional info:
I've attached a patch that fixes this and once again allows you to configure the group to run mock as.
I'm confused. I have over 50 groups in my /etc/group file, not counting the ones that are created by installing packages like mock, jack, tcpdump, pulseaudio, etc. GIDs are 32-bit unsigned quantities in Linux. Since a GID is an unsigned integer, this means you have over four billion potential group IDs to use. Why do you feel you are limited to 16?
GIDs are not the limited resource, group membership is. A user can only be a member of so many groups. It turns out 16 is only the limit on Solaris and the BSDs -- on Linux it's 2^16 in 2.6 -- but the fact is that if you use LDAP or similar, then the lowest limit of any system on your network becomes the default site-wide limit. If I put myself in 17 groups it'll work fine on Linux 2.6, but Solaris boxes will semi-randomly pick 16 of them for me to be in.
Hmmmm. I suspect where the idea of allowing the group to be configurable breaks down is in the PAM launch code:

auth sufficient pam_succeed_if.so user ingroup mock use_uid quiet

The reason I'm hesitant to hack a change here is that the code is fairly fragile and we *finally* have it working reliably (plus, I am in no way a PAM expert). I do notice the line following the above in /etc/pam.d/mock:

# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid

Do you get wheel as one of your Solaris/BSD groups? If so we could possibly add wheel to the check inside mock. Not sure if that would be enough though.
Created attachment 562289 [details]
Updated patch

No, the 'wheel' group would not be sufficient. It's just hard-coding a second group when the real solution -- to make this configurable -- is trivial.

You do have to change "mock" in the first PAM line to whatever group you set "chrootgid" to. But that can be done, trivially, and a little documentation suffices.

I've attached an updated patch that a) works against the current source; and b) includes docs on the PAM change in site-defaults.cfg.
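The comment above notes that the group in the first PAM line has to be changed to match "chrootgid". The following consistency check is an added example, not part of the attached patch or of mock itself: it parses PAM text for active `pam_succeed_if.so user ingroup` rules and reports any that disagree with the configured group. It assumes the caller has already resolved config_opts['chrootgid'] to a group name; the group name `builders` and the sample PAM text are constructed for illustration.

```python
import re

# Matches the rule quoted in the thread:
#   auth sufficient pam_succeed_if.so user ingroup mock use_uid quiet
INGROUP = re.compile(r"pam_succeed_if\.so\b.*\buser\s+ingroup\s+(\S+)")

def pam_ingroup_rules(pam_text):
    """Return (lineno, control, group) for each active auth ingroup rule."""
    rules = []
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. #%PAM-1.0
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        match = INGROUP.search(line)
        if match:
            rules.append((lineno, fields[1], match.group(1)))
    return rules

def audit(pam_text, chroot_group):
    """List mismatches between the PAM rules and the configured group name.

    chroot_group is assumed to be the name of the group that
    config_opts['chrootgid'] refers to, resolved by the caller.
    """
    findings = []
    rules = pam_ingroup_rules(pam_text)
    if not any(group == chroot_group for _, _, group in rules):
        findings.append(f"no active ingroup rule for '{chroot_group}'")
    for lineno, control, group in rules:
        if group != chroot_group:
            findings.append(
                f"line {lineno}: '{control}' rule still trusts group '{group}'")
    return findings

# Constructed sample text, not a copy of a real /etc/pam.d/mock.
SAMPLE = """\
#%PAM-1.0
auth sufficient pam_succeed_if.so user ingroup mock use_uid quiet
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "builders"):  # 'builders' is hypothetical
        print(finding)
```

An empty result means the PAM rule and the configured group agree; a rule that still names the old group is reported with its line number so it can be edited by hand.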
Applied and queued for next release.
mock-1.1.22-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/mock-1.1.22-1.el6
mock-1.1.22-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/mock-1.1.22-1.fc15
mock-1.0.29-1.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/mock-1.0.29-1.el5
mock-1.1.22-1.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/mock-1.1.22-1.fc17
mock-1.1.22-1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/mock-1.1.22-1.fc16
mock-1.1.22-2.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/mock-1.1.22-2.fc17
Package mock-1.1.22-2.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mock-1.1.22-2.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7324/mock-1.1.22-2.fc17
then log in and leave karma (feedback).
mock-1.1.22-2.1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.