So I don't forget it: since the recent sudo package resets the environment even for $HOME (and pbuilder reads its configuration from ~/.pbuilderrc), the working sudoers(5) entry for me is:
Cmnd_Alias PBUILDER = /usr/sbin/pbuilder, /usr/sbin/cowbuilder
Defaults!PBUILDER env_keep+=HOME
You may have to adjust the commands, YMMV.
Another advantage of making far too much coffee is that it leaves it more time to evaporate when you forget to switch the coffee maker off, which keeps it from burning.
The world is really tiny, as everyone knows. Even more so when you're talking about certain microcosms (and the French infosec (SSI) scene is a good example). But it's still strange to run into a friend completely by chance over a beer. When you realise that friends know each other, when you realise that friends of friends are friends too.
And when they're friends you haven't seen in years, well, that's really great; it's the kind of surprise that gives you a boost, that makes you want to believe in life and its gifts.
Another one, just so I don't forget it, since I'm just starting to play with grsecurity. When building packages under pbuilder/cowbuilder on a grsec kernel, there is some stuff to tune. I built my grsec kernel with the sysctl options enabled, so it's easier to adjust.
The first thing I needed, not directly related to building packages, is permission for my user to execute stuff from “untrusted” folders (since I really need to be able to run stuff from my home). I've configured Trusted Path Execution (TPE) with:
corsac@hidalgo: sudo sysctl -a | grep kernel.grsecurity.tpe
kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 500
kernel.grsecurity.tpe_invert = 1
kernel.grsecurity.tpe_restrict_all = 1
With tpe_invert = 1, the group with GID 500 is the one that is exempt from TPE, so what I need from there is to add my user to that group:
corsac@hidalgo: sudo addgroup --gid 500 grsec-tpe
Adding group `grsec-tpe' (GID 500) ...
Done.
corsac@hidalgo: sudo adduser corsac grsec-tpe
Adding user `corsac' to group `grsec-tpe' ...
Adding user corsac to group grsec-tpe
Done.
That works fine for general usage (at the cost of less protection for my user: with tpe_restrict_all = 1 a member of the exempt group is still limited to executing files from directories owned by root or by themselves that are neither group- nor world-writable, but nothing more).
When trying to build stuff in pbuilder, the first problem I hit
was during dependencies installation:
[81903.221359] grsec: From 127.0.0.6: denied chmod +s of /home/corsac/debian/pbuilder/build/cow.8616/usr/local/share/sgml/stylesheet by /home/corsac/debian/pbuilder/build/cow.8616/bin/chmod[chmod:10424] uid/euid:0/0 gid/egid:0/0, parent /home/corsac/debian/pbuilder/build/cow.8616/var/lib/dpkg/info/sgml-base.postinst[sgml-base.posti:10421] uid/euid:0/0 gid/egid:0/0
grsec enforces some additional restrictions on processes running in a chroot, and in particular forbids some operations there (here the chmod +s that sgml-base.postinst needs, blocked by chroot_deny_chmod). So I add an exception using sysctl. For that, a convenient /etc/sysctl.d/grsec.conf will help:
# we need to do stuff in chroots for package building
kernel.grsecurity.chroot_deny_chmod=0
# lock grsec sysctl
# kernel.grsecurity.grsec_lock=1
The last one is still commented out since I know I'll have to tune the sysctls further, and once grsec_lock is set the grsecurity sysctls can't be changed again until reboot.
With this, the build-deps install fine, but when starting the build itself, it fails because nothing can be executed inside the chroot, and especially not debian/rules:
Sep 20 19:43:24 hidalgo kernel: [87339.510137] grsec: From 127.0.0.6: denied untrusted exec of /home/corsac/debian/pbuilder/build/cow.26657/tmp/buildd/evolution-data-server-2.30.3/debian/rules by /home/corsac/debian/pbuilder/build/cow.26657/usr/bin/fakeroot-sysv[fakeroot:10916] uid/euid:1234/1234 gid/egid:1234/1234, parent /home/corsac/debian/pbuilder/build/cow.26657/usr/bin/fakeroot-sysv[fakeroot:10895] uid/euid:1234/1234 gid/egid:1234/1234
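The two denials above, as an added example that is not from the original post: a small shell triage that parses such grsec log lines into fields and names the knob each denial points at. The parser and the mapping are mine and only cover the two denial shapes seen on this page; the sample input is constructed from the two log lines quoted above plus one unrelated kernel line.

```shell
#!/bin/sh
# Added example, not from the original post: turn grsec denial lines like
# the ones quoted above into "action|target|uid|gid|hint" records, so the
# sysctl or group change each one calls for is spelled out. The mapping
# covers only the two denials seen on this page; the sample input below is
# constructed from them plus one unrelated kernel line.

# parse_grsec_denials : kernel log lines on stdin -> "action|target|uid|gid"
# per grsec denial; non-matching lines are dropped. Works with and without
# a syslog prefix since it anchors on "grsec: From".
parse_grsec_denials() {
    sed -n 's#.*grsec: From [^:]*: denied \([^/]*\) of \(/[^ ]*\) by /[^ ]*\[[^]]*] uid/euid:\([0-9]*\)/[0-9]* gid/egid:\([0-9]*\)/[0-9]*.*#\1|\2|\3|\4#p'
}

# grsec_hint ACTION GID : what to change for a given denial (mapping is
# limited to the two denials discussed in the post)
grsec_hint() {
    case $1 in
        "chmod +s")       echo "kernel.grsecurity.chroot_deny_chmod=0" ;;
        "untrusted exec") echo "TPE: gid $2 is not tpe_gid; add the user to the tpe group (inside the chroot too)" ;;
        *)                echo "no mapping for: $1" ;;
    esac
}

# grsec_triage : records with their hint appended, one per line
grsec_triage() {
    parse_grsec_denials | while IFS='|' read -r action target uid gid; do
        printf '%s|%s|%s|%s|%s\n' "$action" "$target" "$uid" "$gid" "$(grsec_hint "$action" "$gid")"
    done
}

# Constructed sample: the two denials from the post and one unrelated,
# made-up kernel line that must be ignored.
SAMPLE='[81903.221359] grsec: From 127.0.0.6: denied chmod +s of /home/corsac/debian/pbuilder/build/cow.8616/usr/local/share/sgml/stylesheet by /home/corsac/debian/pbuilder/build/cow.8616/bin/chmod[chmod:10424] uid/euid:0/0 gid/egid:0/0, parent /home/corsac/debian/pbuilder/build/cow.8616/var/lib/dpkg/info/sgml-base.postinst[sgml-base.posti:10421] uid/euid:0/0 gid/egid:0/0
Sep 20 19:43:24 hidalgo kernel: [87339.510137] grsec: From 127.0.0.6: denied untrusted exec of /home/corsac/debian/pbuilder/build/cow.26657/tmp/buildd/evolution-data-server-2.30.3/debian/rules by /home/corsac/debian/pbuilder/build/cow.26657/usr/bin/fakeroot-sysv[fakeroot:10916] uid/euid:1234/1234 gid/egid:1234/1234, parent /home/corsac/debian/pbuilder/build/cow.26657/usr/bin/fakeroot-sysv[fakeroot:10895] uid/euid:1234/1234 gid/egid:1234/1234
Sep 20 19:43:30 hidalgo kernel: [87345.000000] usb 1-1: new high speed USB device'

# triage_sample : run the triage over the constructed sample
triage_sample() {
    printf '%s\n' "$SAMPLE" | grsec_triage
}

triage_sample
```

In practice you would feed it `dmesg` or the kernel log instead of the sample; the unrelated line shows that anything without a grsec denial is simply dropped rather than mis-parsed.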
That's again TPE. The kernel only sees numeric GIDs, and inside the chroot the pbuilder user (uid 1234) runs with gid 1234 only, so it isn't a member of GID 500 (the grsec-tpe group doesn't even exist in the chroot's /etc/group). With tpe_invert = 1 that makes it an untrusted user, which may only execute from root-owned directories, not from the build directory it owns. So the correct fix here is to create a group with GID 500 inside the chroot (the name doesn't matter, only the GID does) and add the pbuilder user to it:
corsac@hidalgo: sudo cowbuilder --login --save-after-login
-> Copying COW directory
[…]
root@hidalgo:/# sudo addgroup --gid 500 grsec-tpe
Adding group `grsec-tpe' (GID 500) ...
Done.
root@hidalgo:/# sudo adduser pbuilder grsec-tpe
Adding user `pbuilder' to group `grsec-tpe' ...
Adding user pbuilder to group grsec-tpe
Done.
And there you go!
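Why the group membership matters both on the host (the grsec-tpe group above) and inside the chroot (the GID 500 group just created), as an added example that is not part of the original post: a small shell emulation of the TPE exec decision, following the semantics grsecurity documents for the tpe, tpe_invert, tpe_gid and tpe_restrict_all sysctls. The decision logic is mine, and the uid 1000 for the host user and the directory modes are assumptions chosen to mirror the cases on this page.

```shell
#!/bin/sh
# Added example, not from the original post: emulate the grsecurity TPE
# exec check for a process, following the documented semantics of the
# tpe, tpe_invert, tpe_gid and tpe_restrict_all sysctls. The uids, gids
# and directory modes below are assumptions mirroring the cases in the post.

# TPE sysctls as set on the host in the post
TPE=1
TPE_INVERT=1
TPE_GID=500
TPE_RESTRICT_ALL=1

# in_group GID GIDS... : true if GID is among the process' group ids
in_group() {
    want=$1; shift
    for g in "$@"; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# writable_by_others MODE : true if octal MODE has the g+w or o+w bit set
writable_by_others() {
    mode=$1
    other=${mode#"${mode%?}"}      # last octal digit
    rest=${mode%?}
    group=${rest#"${rest%?}"}      # middle octal digit
    case $other in 2|3|6|7) return 0 ;; esac
    case $group in 2|3|6|7) return 0 ;; esac
    return 1
}

# tpe_exec_allowed UID DIR_OWNER DIR_MODE GID... : print the decision for a
# process with UID and group ids GID... executing a file whose parent
# directory is owned by DIR_OWNER with mode DIR_MODE; returns 1 on denial.
tpe_exec_allowed() {
    uid=$1 owner=$2 mode=$3; shift 3
    [ "$uid" = 0 ] && { echo allowed; return 0; }   # root is never restricted
    if [ "$TPE" = 1 ]; then
        # Full restriction for the "untrusted" set: with tpe_invert=1 that is
        # everyone NOT in tpe_gid, otherwise everyone IN it. Only root-owned
        # directories that are not group/world-writable are acceptable.
        if { [ "$TPE_INVERT" = 1 ] && ! in_group "$TPE_GID" "$@"; } ||
           { [ "$TPE_INVERT" != 1 ] && in_group "$TPE_GID" "$@"; }; then
            if [ "$owner" != 0 ]; then
                echo "denied: untrusted exec from non-root-owned directory"; return 1
            elif writable_by_others "$mode"; then
                echo "denied: untrusted exec from group/world-writable directory"; return 1
            fi
        fi
        # Weaker restriction for every non-root user when tpe_restrict_all=1:
        # the directory must be owned by root or by the user itself, and not
        # group/world-writable. This is what the "trusted" group still gets.
        if [ "$TPE_RESTRICT_ALL" = 1 ]; then
            if [ "$owner" != 0 ] && [ "$owner" != "$uid" ]; then
                echo "denied: directory not owned by user"; return 1
            elif writable_by_others "$mode"; then
                echo "denied: group/world-writable directory"; return 1
            fi
        fi
    fi
    echo allowed
    return 0
}

# The cases from the post (uid 1000 for the host user is an assumption).
demo() {
    echo "host user in gid 500, own home (755):      $(tpe_exec_allowed 1000 1000 755 1000 500)"
    echo "host user without gid 500:                 $(tpe_exec_allowed 1000 1000 755 1000)"
    echo "pbuilder (1234) in chroot, own dir (755):  $(tpe_exec_allowed 1234 1234 755 1234)"
    echo "pbuilder after adding gid 500 in chroot:   $(tpe_exec_allowed 1234 1234 755 1234 500)"
    echo "pbuilder in gid 500, /tmp (root, 1777):    $(tpe_exec_allowed 1234 0 1777 1234 500)"
}
demo
```

The third case reproduces the "denied untrusted exec" from the build log, and the fourth is what the chroot group fix buys. The last case is the caveat: even a member of the exempt group is refused an exec from a world-writable directory such as /tmp, because tpe_restrict_all still applies to it.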