[PATCH] backend: Ensure output files are owned by unpriv user with nspawn

Colin Walters walters at verbum.org
Tue Jul 28 16:57:08 UTC 2015 

In the systemd-nspawn case, while we need to be root to call
the build, we still need to chown the output files.

This regressed rpmdistro-gitoverlay which was expecting to be able to
`link()` the SRPMs, and it couldn't because they were root owned.
---
 py/mockbuild/backend.py | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/py/mockbuild/backend.py b/py/mockbuild/backend.py
index c342573..414475c 100644
--- a/py/mockbuild/backend.py
+++ b/py/mockbuild/backend.py
@@ -193,14 +193,14 @@ class Commands(object):
 
         buildstate = "build phase for %s" % baserpm
         self.state.start(buildstate)
+        # remove rpm db files to prevent version mismatch problems
+        # note: moved to do this before the user change below!
+        self.buildroot._nuke_rpm_db()
+        dropped_privs = False
         try:
-            # remove rpm db files to prevent version mismatch problems
-            # note: moved to do this before the user change below!
-            self.buildroot._nuke_rpm_db()
-
             if not util.USE_NSPAWN:
-                # drop privs and become mock user
                 self.uid_manager.becomeUser(self.buildroot.chrootuid, self.buildroot.chrootgid)
+                dropped_privs = True
             buildsetup = "build setup for %s" % baserpm
             self.state.start(buildsetup)
 
@@ -222,6 +222,12 @@ class Commands(object):
             self.plugins.call_hooks('prebuild')
 
             results = self.rebuild_package(spec_path, timeout, check)
+            # In the nspawn case, we retained root until here, but we
+            # need to ensure our output files are owned by the caller's uid.
+            # So drop them now.
+            if not dropped_privs:
+                self.uid_manager.becomeUser(self.buildroot.chrootuid, self.buildroot.chrootgid)
+                dropped_privs = True
             if results:
                 self.build_results.extend(self.copy_build_results(results))
             elif self.config.get('short_circuit'):
@@ -233,7 +239,7 @@ class Commands(object):
             self.state.finish(rpmbuildstate)
 
         finally:
-            if not util.USE_NSPAWN:
+            if dropped_privs:
                 self.uid_manager.restorePrivs()
             if self.state.result != 'success':
                 self.state.result = 'fail'
-- 
1.8.3.1

More information about the buildsys mailing list