Description of problem:

Sometimes, when debugging a failed build, I will run the mock shell and try a few things. Some of those things might involve installing a few tools in the buildroot (I have a mock config which installs yum in the chroot for those times I need it).

With the latest update to mock that reworks the shell, this is what I get now:

    <mock-chroot>[mockbuild@bochecha build]$ yum install vim
    You need to be root to perform this command.

This is with mock-1.1.16-1.fc14.noarch

Sure, it's possible to run mock --install, but then it's not ideal because I have to exit the chroot, install the tool, go back in the chroot, start some debugging, realize I need another tool to go further, exit the chroot, wash, rinse, repeat...

The update notice says:

    Hopefully doing this doesn't break existing usage of --chroot and --shell but if it does please report it as a BZ so we can fix it.

There you go, the update breaks my existing usage of --shell. :)

Or is it absolutely undesirable to have the kind of permissions that yum requires inside the chroot?

Note: I'm running mock on Fedora 14 because I haven't had time to upgrade my workstation yet, but I guess the issue is also present on all Fedora releases that have the same mock version.
*** Bug 749979 has been marked as a duplicate of this bug. ***
I appreciate the BZ's :) When I reworked the shell/chroot logic I must have broken the uid/gid setting logic, so I'll look at it and see if I can bring us back to the previous behavior. I also need to look at the implications of someone running a root-shell inside the chroot. I personally don't have a problem with someone doing this on their own box, but I suspect the security folks would have a problem with interactive root shells on the Fedora builders. Maybe I'll add a config that disables root shells while I'm at it...
Created attachment 530795 [details]
Patch to make uid/gid handling with --shell similar to previous behavior

This patch makes the default uid/gid inside a --shell chroot be root/root. This behavior may be changed by two mechanisms:

1. The --unpriv option, meaning the uid/gid will be mockbuild/mockbuild
2. The config option 'no_root_shells' which disallows any interactive root shells inside the chroot.

Please try this patch and let me know if it fixes your issues.
Since this isn't a patch that can be run on a vanilla system, please provide a koji scratch built rpm...
I just applied the patch on the latest mock for Fedora 14 and have verified that:

- by default, uid/gid are root inside the shell, so I could run a yum install without any issue, as I could previously.
- the --unpriv option works as advertised: uid/gid are mockbuild and I can't run a yum install command.

About the --no_root_shells, is it supposed to be an "always --unpriv" option (i.e. when running a --shell even without --unpriv, it is implied)?

That's what I had understood from your comment, but it seems like it plainly refuses to run a shell if you don't also specify --unpriv.

If that's expected then the patch works great. Thanks for being so quick! :)
(In reply to comment #5)
> I just applied the patch on the latest mock for Fedora 14 and have verified
> that:
> - by default, uid/gid are root inside the shell, so I could run a yum install
> without any issue, as I could previously.
> - the --unpriv option works as advertised: uid/gid are mockbuild and I can't
> run a yum install command.

Good!

>
> About the --no_root_shells, is it supposed to be an "always --unpriv" option
> (i.e. when running a --shell even without --unpriv, it is implied)?
>
> That's what I had understood from your comment, but it seems like it plainly
> refuses to run a shell if you don't also specify --unpriv.
>
> If that's expected then the patch works great. Thanks for being so quick! :)

Sigh, no, if you set no_root_shells then it should imply --nopriv. Lemme see what I did wrong there...
Created attachment 530978 [details]
Patch to make uid/gid handling with --shell similar to previous behavior

Fix unintended behavior from previous patch. Using the 'no_root_shells' config should imply the --unpriv behavior (i.e. uid's are forced to mockbuild id's).
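The following is an added example, not code from mock or from either patch attached to this bug. It models the uid/gid decision the two patches describe for mock --shell: root/root by default, the build user's ids when --unpriv is given, and (after the second patch) the same unprivileged ids whenever the 'no_root_shells' config option is set, instead of refusing the shell as the first patch did. The config fragment is evaluated the way mock configs are (Python assigning into config_opts), but the fragment text, the default value for no_root_shells, and the build-user uid/gid numbers used here are constructed for the example; the function names are hypothetical.

```python
"""Model of mock --shell uid/gid selection, as described in this bug.

Added example; this is NOT mock's own code. It reproduces the behaviour the
bug discussion asks for: a --shell runs as root/root unless --unpriv is given
or the config sets no_root_shells, in which case the build user's ids are used.
"""

ROOT_IDS = (0, 0)

# Constructed sample config fragment, standing in for a file under /etc/mock.
SITE_CFG_NO_ROOT_SHELLS = "config_opts['no_root_shells'] = True\n"
SITE_CFG_DEFAULT = "# nothing overridden\n"


def load_config_opts(config_text):
    """Evaluate a mock-style config fragment into a config_opts dict.

    mock configs are Python that assigns into config_opts[...]; the default
    for no_root_shells below is an assumption for this example (root shells
    allowed unless the config says otherwise).
    """
    config_opts = {"no_root_shells": False}
    exec(config_text, {"config_opts": config_opts})  # same mechanism mock uses to load configs
    return config_opts


def resolve_shell_ids(config_opts, unpriv, build_ids):
    """(uid, gid) a --shell should run as, per the second (fixed) patch.

    no_root_shells implies --unpriv: the shell still starts, but as the
    build user rather than root.
    """
    if unpriv or config_opts.get("no_root_shells", False):
        return build_ids
    return ROOT_IDS


def first_patch_resolve_shell_ids(config_opts, unpriv, build_ids):
    """Modelled behaviour of the first patch, for contrast.

    Returns None where that patch refused to start a shell at all
    (no_root_shells set, --unpriv not given), which is what comment 5 reports.
    """
    if config_opts.get("no_root_shells", False) and not unpriv:
        return None
    return build_ids if unpriv else ROOT_IDS


if __name__ == "__main__":
    build_ids = (1000, 1000)  # constructed mockbuild uid/gid for the example
    for label, cfg_text in (("default config", SITE_CFG_DEFAULT),
                            ("no_root_shells", SITE_CFG_NO_ROOT_SHELLS)):
        cfg = load_config_opts(cfg_text)
        for unpriv in (False, True):
            fixed = resolve_shell_ids(cfg, unpriv, build_ids)
            first = first_patch_resolve_shell_ids(cfg, unpriv, build_ids)
            print(f"{label:15} --unpriv={unpriv!s:5} first patch: {first}  fixed patch: {fixed}")
```

Running the block prints a small matrix of config and flag combinations; the one row that differs between the two patches is no_root_shells set without --unpriv, where the first patch refuses (None) and the fixed patch silently drops to the build user's ids.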