--- mach-0.9.1.orig/src/mach-helper.c
+++ mach-0.9.1/src/mach-helper.c
@@ -144,7 +144,7 @@
 [0] = "PATH=/bin:/usr/bin:/usr/sbin",
 [1] = "HOME=/root"
 };
- int retval;
+ //int retval;
 size_t idx=2;
 size_t i;
 char *envvar;
@@ -152,7 +152,8 @@
 struct stat buf;
 /* elevate privileges */
- setreuid (geteuid (), geteuid ());
+ if (setreuid (geteuid (), geteuid ()) != 0)
+ error ("setreuid: %s", strerror (errno));
 //printf ("DEBUG: First argument: %s\n", *argv);
 //printf ("DEBUG: Executing %s\n", filename);
 /* FIXME: for a debug option */
@@ -181,7 +182,7 @@
 env[idx++] = ptr;
 }
- retval = execve (filename, argv, env);
+ execve (filename, argv, env);
 error ("executing %s: %s", filename, strerror (errno));
 }
--- mach-0.9.1.orig/debian/mach.dirs
+++ mach-0.9.1/debian/mach.dirs
@@ -0,0 +1,3 @@
+/var/cache/mach
+/var/lib/mach/roots
+/var/lib/mach/states
--- mach-0.9.1.orig/debian/mach.postinst
+++ mach-0.9.1/debian/mach.postinst
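Review bot: The `retval` declaration is commented out instead of removed, which leaves dead code for the next reader to puzzle over; its only use disappears in the `@@ -181` hunk below, so the line should simply be deleted rather than replaced by `//int retval;`. The changelog entry in debian/changelog already records why the variable went away, so no in-source trace is needed. The enclosing function starts before this hunk.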
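Review bot: The added check only catches a failing setreuid(); when the helper is installed without the SUID bit (the postinst comment on L2 notes that chgrp clears it), `setreuid (geteuid (), geteuid ())` succeeds as a no-op and the helper continues as the invoking user, failing later with a less obvious error. A guard after the call gives a clear diagnostic: `if (geteuid () != 0) error ("not running as root; is mach-helper installed SUID root?");`. The new code also relies on `error` not returning, as the `execve` hunk below does; if that is not guaranteed by `error`'s definition (outside this hunk), the failure path should exit explicitly. The enclosing function starts before this hunk.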
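Review bot: `execve (filename, argv, env);` now discards its return value silently, which is the very pattern the removed `retval` used to make visible; writing `(void) execve (filename, argv, env); /* returns only on failure */` states the intent and keeps warn-unused-result builds quiet. The fall-through into `error (...)` is correct only because execve returns solely on failure, so the errno reported by strerror is the execve error; that deserves the comment. The function's signature is outside the hunk, so whether a missing return value matters if `error` ever returns cannot be judged here.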
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+set -e
+
+action="$1"
+
+# relative path to the directory of the SUID root helper "mach-helper"; it
+# doesn't need to be called directly, and hence does not need to be in
+# /usr/sbin, /usr/lib/mach/sbin seems a saner location
+# XXX this is also set in debian/mach.prem and debian/rules
+MACH_HELPER_DIR="usr/lib/mach/sbin"
+# group for users allowed to run the SUID root helper "mach-helper"
+# XXX this is also set in debian/mach.prerm
+MACH_HELPER_GROUP="mach"
+# various dirs
+# XXX this is also set in debian/mach.prerm
+MACH_STATES_DIR="/var/lib/mach/states"
+MACH_ROOTS_DIR="/var/lib/mach/roots"
+MACH_CACHE_DIR="/var/cache/mach"
+
+create_mach_group() {
+ addgroup --system --quiet "$MACH_HELPER_GROUP"
+}
+
+fix_perms() {
+ chgrp "$MACH_HELPER_GROUP" "/$MACH_HELPER_DIR/mach-helper"
+ # set SUID root, group executable, and world readable; chgrp resets the
+ # SUID bit for security reasons
+ # XXX the permissions are also fixed in debian/rules to advertize the use
+ # of a SUID root binary in the package
+ chmod 4754 "/$MACH_HELPER_DIR/mach-helper"
+ # various dirs which should belong to the mach group and be SGID as well as
+ # group writable
+ chgrp "$MACH_HELPER_GROUP" "$MACH_STATES_DIR" "$MACH_ROOTS_DIR" "$MACH_CACHE_DIR"
+ chmod 2775 "$MACH_STATES_DIR" "$MACH_ROOTS_DIR" "$MACH_CACHE_DIR"
+}
+
+if [ "$action" = "configure" ]; then
+ version="$2"
+ if getent group "$MACH_HELPER_GROUP" >/dev/null; then
+ # sanity check: abort if a group with the same name already exists at
+ # the time of the first installation; avoid creating SUID root binaries
+ # executable by this group
+ if [ -z "$version" ]; then
+ echo 'E: SECURITY: A group named "mach" already exists on your system.' >&2
+ exit 1
+ fi
+ else
+ # create the group
+ create_mach_group
+ fi
+ # set permissions
+ fix_perms
+fi
+
+#DEBHELPER#
--- mach-0.9.1.orig/debian/mach.prerm
+++ mach-0.9.1/debian/mach.prerm
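Review bot: The abort message hard-codes the group name while the check itself uses `$MACH_HELPER_GROUP`, so the two drift apart as soon as the variable is changed; `echo "E: SECURITY: A group named \"$MACH_HELPER_GROUP\" already exists on your system." >&2` keeps them in step. The cross-reference comment above `MACH_HELPER_DIR` names `debian/mach.prem`, which should read `debian/mach.prerm` as the two comments below it do. Since fix_perms makes the three state directories group-writable for the same group that is allowed to execute the SUID root helper, a one-line comment at the top of fix_perms saying that membership in this group is a privileged role would help the next maintainer, as README.Debian's quickstart adds users to the group without saying so.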
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -e
+
+action="$1"
+
+#DEBHELPER#
+
+# relative path to the directory of the SUID root helper "mach-helper"; it
+# doesn't need to be called directly, and hence does not need to be in
+# /usr/sbin, /usr/lib/mach/sbin seems a saner location
+# XXX this is also set in debian/mach.postinst and debian/rules
+MACH_HELPER_DIR="usr/lib/mach/sbin"
+# group for users allowed to run the SUID root helper "mach-helper"
+# XXX this is also set in debian/mach.postinst
+MACH_HELPER_GROUP="mach"
+# various dirs
+# XXX this is also set in debian/mach.postinst
+MACH_STATES_DIR="/var/lib/mach/states"
+MACH_ROOTS_DIR="/var/lib/mach/roots"
+MACH_CACHE_DIR="/var/cache/mach"
+
+reset_perms() {
+ chgrp root "/$MACH_HELPER_DIR/mach-helper"
+ # various dirs which should belong to the mach group and be SGID and group
+ # writable
+ chgrp root "$MACH_STATES_DIR" "$MACH_ROOTS_DIR" "$MACH_CACHE_DIR"
+}
+
+destroy_mach_group() {
+ delgroup --quiet --system "$MACH_HELPER_GROUP"
+}
+
+if [ "$action" = "remove" ]; then
+ reset_perms
+ destroy_mach_group
+fi
--- mach-0.9.1.orig/debian/rules
+++ mach-0.9.1/debian/rules
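Review bot: `reset_perms` only hands the three directories back to group root and does not touch the `2775` mode set by the postinst, so they stay setgid and group-writable, now for group root; if the intent is to undo fix_perms, add `chmod 0755 "$MACH_STATES_DIR" "$MACH_ROOTS_DIR" "$MACH_CACHE_DIR"` after the second `chgrp root` line. The comment above that line was copied from the postinst and describes the state being undone rather than the reset; `# undo fix_perms in mach.postinst: give the dirs back to group root` says what the function does. Deleting the system group on `remove` rather than `purge` is worth a second look: files still owned by that GID become orphaned, and a later reinstall may allocate a different GID, which is why maintainer scripts commonly leave system groups in place.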
@@ -0,0 +1,47 @@
+#!/usr/bin/make -f
+
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/rules/simple-patchsys.mk
+include /usr/share/cdbs/1/rules/utils.mk
+include /usr/share/cdbs/1/class/autotools.mk
+
+# relative path to the directory of the SUID root helper "mach-helper"; it
+# doesn't need to be called directly, and hence does not need to be in
+# /usr/sbin, /usr/lib/mach/sbin seems a saner location
+# XXX this is also set in debian/mach.postinst
+MACH_HELPER_DIR := usr/lib/mach/sbin
+
+# SELinux must be forced and not detected on the build host
+ifeq ($(DEB_HOST_ARCH_OS),linux)
+DEB_CONFIGURE_EXTRA_FLAGS += --enable-selinux
+else
+DEB_CONFIGURE_EXTRA_FLAGS += --disable-selinux
+endif
+
+# the SUID root helper shouldn't be called directly, and hence does not need to
+# be in /usr/sbin; /usr/lib/mach seems a more sane location
+DEB_CONFIGURE_EXTRA_FLAGS += --sbindir=/$(MACH_HELPER_DIR)
+
+# ship upstream list of things not to forget
+DEB_INSTALL_DOCS_mach += FORGETMENOT
+# ship upstream release notes; includes some useful information such as
+# upstream mailing-list, upstream bug tracker, another list of supported roots,
+# another quickstart, etc.
+DEB_INSTALL_DOCS_mach += RELEASE
+# ship DOAP XML file (Description Of A Project)
+DEB_INSTALL_DOCS_mach += mach.doap
+
+
+binary-post-install/mach::
+ # generate ${python:Depends}; /usr/bin/mach is a Python script
+ dh_pysupport -p$(cdbs_curpkg)
+ # set SUID root, group executable, and world readable; the upstream
+ # build doesn't adjust permissions
+ # XXX the permissions are also fixed in debian/mach.postinst since
+ # "chgrp" resets these
+ chmod 4754 debian/$(cdbs_curpkg)/$(MACH_HELPER_DIR)/mach-helper
+ # drop useless and dangerous *.la files
+ rm -f debian/$(cdbs_curpkg)/usr/lib/libselinux-mach.la
+
+# do not fix permission of the SUID root helper "mach-helper"
+DEB_FIXPERMS_EXCLUDE += $(MACH_HELPER_DIR)/mach-helper
--- mach-0.9.1.orig/debian/compat
+++ mach-0.9.1/debian/compat
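Review bot: The cross-reference comment above `MACH_HELPER_DIR` names only debian/mach.postinst, but the same path is defined a third time in debian/mach.prerm (the postinst's own comment lists both siblings), so a maintainer following this comment would miss one copy; `# XXX this is also set in debian/mach.postinst and debian/mach.prerm`. Since the value is also what `--sbindir` is derived from, a note that the three definitions must agree with the installed location of the SUID helper, or passing the path into the maintainer scripts at build time, would remove the risk of the postinst chmod'ing a path that no longer exists.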
@@ -0,0 +1 @@
+5
--- mach-0.9.1.orig/debian/copyright
+++ mach-0.9.1/debian/copyright
@@ -0,0 +1,34 @@
+This package was debianized by Loïc Minier on
+Mon, 30 Oct 2006 20:39:12 +0100.
+
+It was downloaded from .
+
+Upstream Authors:
+ Thomas Vander Stichele
+ Ville Skyttä
+ Jeff Pitman
+ Rudi Chiarito
+ Matthias Saou
+ Nigel Metheringham
+
+Copyrights:
+
+
+License:
+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+On Debian systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
--- mach-0.9.1.orig/debian/control
+++ mach-0.9.1/debian/control
@@ -0,0 +1,56 @@
+Source: mach
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Loïc Minier
+Section: admin
+Priority: optional
+Build-Depends: debhelper (>= 5),
+ cdbs,
+ python (>= 2.2),
+ autotools-dev,
+ python-support (>= 0.5.3),
+ libselinux1-dev [!hurd-i386 !kfreebsd-amd64 !kfreebsd-i386]
+Standards-Version: 3.8.4
+
+Package: mach
+Architecture: any
+Depends: ${misc:Depends},
+ ${shlibs:Depends},
+ ${python:Depends},
+ rpm (>= 4.1),
+ yum | apt-rpm-client (>= 0.5.5cnc2),
+ python-rpm,
+ adduser
+Recommends: cpio,
+ gnupg
+Description: make a chroot of a rpm-based distribution
+ mach allows you to set up clean roots from scratch for any distribution or
+ distribution variation supported.
+ .
+ This clean build root can be used for several goals:
+ - making clean packages
+ - set up chroots for services to run it
+ - make disk images of clean roots (for example for UML)
+ .
+ Currently, mach works for rpm-based distributions that can work with apt
+ for rpm.
+ .
+ Included at this moment is the necessary information to set up:
+ - Fedora 1, 2, 3, 4, 5, 6, and development
+ - Red Hat 7.0, 7.1, 7.2, 7.3, 8, and 9
+ - CentOS 4
+ - Dave/Dina
+ - Conectiva 9
+ - SuSE 8.1, 8.2, and 9.0
+ - Yellowdog 2.3, and 3.0
+ .
+ Some handy features of mach include:
+ - "caching" of downloaded packages using the build hosts's apt
+ the build root
+ - ensures clean packages by reverting to the base set of build packages
+ - uses apt to resolve dependencies
+ - parsing of BuildRequires to install necessary packages for building
+ - build ordering when doing multiple builds
+ - support for flavours of distribution
+ - multiple build roots
+ - locking of buildroot to avoid concurrent builds
+ - optional signing of built packages
--- mach-0.9.1.orig/debian/watch
+++ mach-0.9.1/debian/watch
@@ -0,0 +1,2 @@
+version=3
+http://thomas.apestaart.org/download/mach/mach-(.+)\.tar\.gz
--- mach-0.9.1.orig/debian/mach.install
+++ mach-0.9.1/debian/mach.install
@@ -0,0 +1 @@
+debian/centos-5-i386 /etc/mach/dist.d
--- mach-0.9.1.orig/debian/centos-5-i386
+++ mach-0.9.1/debian/centos-5-i386
@@ -0,0 +1,127 @@ +# mach dist configuration -*- python -*- +# -*- coding: utf-8 -*- + +# centos-5-i386: configuration for CentOS 5 + +# each distro flavour has an aptsources line describing where to get each +# kind of package from +# each actual dist has a packages dict for bootstrap packages and +# a sourceslist dict referencing aptsources lines to use + +V = '5' # distro version +A = 'i386' # architecture +AS = '' # 'short' version of arch +DIST = 'centos-%s-%s' % (V, A) + +### CentOS flavours +aptsources[DIST] = { + 'os': 'rpm ' + centos + ' %s/apt/%s os' % (V, A), + 'updates': 'rpm ' + centos + ' %s/apt/%s updates' % (V, A), + 'addons': 'rpm ' + centos + ' %s/apt/%s addons' % (V, A), + 'contrib': 'rpm ' + centos + ' %s/apt/%s contrib' % (V, A), + 'csgfs': 'rpm ' + centos + ' %s/apt/%s csgfs' % (V, A), + 'extras': 'rpm ' + centos + ' %s/apt/%s extras' % (V, A), + 'plus': 'rpm ' + centos + ' %s/apt/%s centosplus' % (V, A), +} + +yumsources[DIST] = { + 'os': centos + '/%s/os/%s' % (V, A), + 'updates': centos + '/%s/updates/%s' % (V, A), + 'addons': centos + '/%s/addons/%s' % (V, A), + 'contrib': centos + '/%s/contrib/%s' % (V, A), + 'csgfs': centos + '/%s/csgfs/%s' % (V, A), + 'extras': centos + '/%s/extras/%s' % (V, A), + 'plus': centos + '/%s/centosplus/%s' % (V, A), + 'fextras': centosfe + '/el4/extras/stable/%s/RPMS' % (A), + 'jpackage-generic': jpackage + '/1.7/generic/free', + 'jpackage-centos' + V: jpackage + '/1.7/redhat-el-4.0/free', + 'jpackage-nonfree': jpackagenf + '/1.7/generic/non-free', +} + +# CentOS +packages['%s-os' % DIST] = { + 'dir': DIST, + 'minimal': 'bash glibc', + 'base': 'coreutils findutils openssh-server', + 'build': 'dev redhat-rpm-config rpm-build make gcc gcc-c++ tar gzip ' + + 'patch unzip bzip2 diffutils cpio elfutils', +} +sourceslist['%s-os' % DIST] = { + DIST: ('os', ) +} +config['%s-os' % DIST] = { + 'runuser': '/sbin/runuser', + 'macros': { 'dist': '.centos' + V, }, +} +aliases['%s-os' % DIST] = ('c' + V + 'o' + AS, 'c' + V 
+ AS, ) + +# CentOS with updates +packages['%s-updates' % DIST] = packages['%s-os' % DIST] +sourceslist['%s-updates' % DIST] = { + DIST: ('os', 'updates', ) +} +config['%s-updates' % DIST] = config['%s-os' % DIST] +aliases['%s-updates' % DIST] = ('c' + V + 'u' + AS, ) + +# CentOS with addons +packages['%s-addons' % DIST] = packages['%s-updates' % DIST] +sourceslist['%s-addons' % DIST] = { + DIST: ('os', 'updates', 'addons', ) +} +config['%s-addons' % DIST] = config['%s-updates' % DIST] +aliases['%s-addons' % DIST] = ('c' + V + 'a' + AS, ) + +# CentOS with contrib +packages['%s-contrib' % DIST] = packages['%s-updates' % DIST] +sourceslist['%s-contrib' % DIST] = { + DIST: ('os', 'updates', 'contrib', ) +} +config['%s-contrib' % DIST] = config['%s-updates' % DIST] +aliases['%s-contrib' % DIST] = ('c' + V + 'c' + AS, ) + +# CentOS with csgfs +packages['%s-csgfs' % DIST] = packages['%s-updates' % DIST] +sourceslist['%s-csgfs' % DIST] = { + DIST: ('os', 'updates', 'csgfs', ) +} +config['%s-csgfs' % DIST] = config['%s-updates' % DIST] +aliases['%s-csgfs' % DIST] = ('c' + V + 'g' + AS, ) + +# CentOS with extras +packages['%s-extras' % DIST] = packages['%s-updates' % DIST] +sourceslist['%s-extras' % DIST] = { + DIST: ('os', 'updates', 'extras', ) +} +config['%s-extras' % DIST] = config['%s-updates' % DIST] +aliases['%s-extras' % DIST] = ('c' + V + 'e' + AS, ) + +# CentOS with centosplus +packages['%s-plus' % DIST] = packages['%s-updates' % DIST] +sourceslist['%s-plus' % DIST] = { + DIST: ('os', 'updates', 'plus', ) +} +config['%s-plus' % DIST] = config['%s-updates' % DIST] +aliases['%s-plus' % DIST] = ('c' + V + 'p' + AS, ) + +# CentOS with Fedora Extras rebuilds +packages['%s-fextras' % DIST] = deepcopy(packages['%s-updates' % DIST]) +packages['%s-fextras' % DIST]['build'] = packages['%s-fextras' % DIST]['build'] + " fedora-rpmdevtools" +sourceslist['%s-fextras' % DIST] = { + DIST: ('os', 'updates', 'fextras', ) +} +config['%s-fextras' % DIST] = 
deepcopy(config['%s-updates' % DIST]) +config['%s-fextras' % DIST]['macros'].update({ + '__arch_install_post': '/usr/lib/rpm/check-rpaths \\\n /usr/lib/rpm/check-buildroot', +}) +aliases['%s-fextras' % DIST] = ('c' + V + 'f' + AS, ) + +# CentOS with JPackage +packages['%s-jpackage' % DIST] = deepcopy(packages['%s-updates' % DIST]) +packages['%s-jpackage' % DIST]['base'] = packages['%s-jpackage' % DIST]['base'] + ' java-1.4.2-sun' +packages['%s-jpackage' % DIST]['build'] = packages['%s-jpackage' % DIST]['build'] + ' java-1.4.2-sun-devel' +sourceslist['%s-jpackage' % DIST] = { + DIST: sourceslist['%s-updates' % DIST][DIST] + + ('jpackage-generic', 'jpackage-centos' + V , 'jpackage-nonfree', ), +} +config['%s-jpackage' % DIST] = config['%s-updates' % DIST] +aliases['%s-jpackage' % DIST] = ('c' + V + 'jpp' + AS, ) --- mach-0.9.1.orig/debian/README.Debian +++ mach-0.9.1/debian/README.Debian 
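Review bot: The `yumsources[DIST]` entries `'fextras': centosfe + '/el4/extras/stable/%s/RPMS' % (A)` and `'jpackage-centos' + V: jpackage + '/1.7/redhat-el-4.0/free'` still point at el4 / redhat-el-4.0 paths in a file whose header says it configures CentOS 5; given the changelog's "derived trivially from CentOS 4" this looks like a copy left unadjusted, and the two paths should be checked against the CentOS 5 repository layout before the dist file ships. A short comment next to those two keys recording whether the el4 paths are intentional (no el5 rebuilds available) or a leftover would stop the next maintainer from guessing. The names `centos`, `centosfe`, `jpackage`, `jpackagenf` and `deepcopy` are not defined in this file, so it presumably relies on the environment mach provides when it loads dist.d files; a one-line comment at the top stating that assumption would make the file readable on its own.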
@@ -0,0 +1,57 @@
+RPM locking bug
+---------------
+
+Due to a bug in mach, it tries to use the default settings of the host for RPM
+transactions locking. Since the Debian "rpm" package does not ship a
+/var/lib/rpm for safety reasons, locking fails with cryptic message.
+
+The clean solution is to fix mach, but two other solutions exist:
+- create the /var/lib/rpm directory (a bit ugly)
+- create a /var/lib/rpm-lock directory and create a /etc/rpm/macros.mach with:
+ %_rpmlock_path /var/lib/rpm-lock/__db.000
+ (less ugly)
+
+
+Quickstart
+----------
+
+*) add your user to the mach group
+ # adduser (you) mach
+*) logout and login again, or switch group via setgroup
+ % sg mach
+*) install the base set of packages of a centos-4 for i386
+ % mach -r centos-4-i386-os setup base
+*) enter the chroot
+ % mach -r centos-4-i386-os chroot
+*) leave the chroot
+ % exit
+*) rebuild a SRPM (source RPM)
+ % mach rebuild http://ayo.freshrpms.net/fedora/linux/4/i386/SRPMS.core/vorbis-tools-1.0.1-6.src.rpm
+
+
+APT versus Yum, RPM wrapper, and secure PATH
+--------------------------------------------
+
+mach supports using both of APT and Yum, and using APT would probably work
+better, however Debian's APT only support "deb" repositories. At some point,
+the apt-rpm source might start building an apt-rpm-client package, and this
+might permit using mach's APT support, but for now, only Yum support can be
+used.
+
+Yum does not seem to offer any way to configure the configuration of RPM like
+APT does. This is especially important to set the "dbpath" and "root" configs
+for RPM. To workaround this, there is a specially crafted rpm wrapper in
+/usr/lib/mach/sbin/rpm and /usr/lib/mach/sbin is prepented to the secure PATH
+set by mach-helper.
+
+
+SELinux support
+---------------
+
+ SELinux support is achieved by using a LD_PRELOAD mechanism in the SUID root
+ "mach-helper": it hooks /usr/lib/libselinux-mach.so in the search path of the
+ dynamic linker and intercepts some SELinux calls initiated by binaries started
+ by mach-helper. This effectively disables SELinux for the lifetime of
+ binaries started by mach-helper.
+
+ -- Loic Minier Wed, 1 Nov 2006 14:02:41 +0100
--- mach-0.9.1.orig/debian/pycompat
+++ mach-0.9.1/debian/pycompat
@@ -0,0 +1 @@
+2
--- mach-0.9.1.orig/debian/TODO
+++ mach-0.9.1/debian/TODO
@@ -0,0 +1,36 @@
+- control
+ - deps
+ - Linux kernel that can do bind mounts (>= 2.2.0)?
+ - section/priority (conflicts)
+- configure flags
+ - defaultroot? flavor? --with-defaultroot=fedora-6-i386?
+ - is CHECK_RELEASE really doing anything useful?
+- document purpose of user + group "machbuild" in chroots
+- check with upstream: misses copyrights + license grant (version of GPL)
+- from mach.spec.in
+ - docs
+ - deps
+ - createrepo? => Recommends?
+ - rpm-build?
+ - build-deps
+ - gcc-c++?
+ - dirs + perms: /var/tmp/mach? /usr/lib/mach? $dir/*?
+- what is sysctl -w kernel.vdso=0? => http://fedoraproject.org/wiki/Legacy/Mock
+- sample .machrc:
+ config['files'] = {
+ '/etc/hosts': '''
+ 127.0.0.1 mach.onshuis onzenbak
+ ''',
+ '/etc/resolv.conf': '''
+ nameserver 127.0.0.1
+ nameserver 157.193.40.42
+ search onshuis
+ '''
+ }
+
+ config['script-success'] = "mach-collect"
+
+- /etc/mach/conf
+- src/mach-helper.c: patch do_command ("/bin/env" ...) to use /usr/bin/env
+- test installation with apt-rpm-client
+- compare to "mock" http://fedoraproject.org/wiki/Legacy/Mock
--- mach-0.9.1.orig/debian/changelog
+++ mach-0.9.1/debian/changelog
@@ -0,0 +1,47 @@
+mach (0.9.1-3.1ubuntu1) raring; urgency=low
+
+ * Backported change from upstream version 1.0.2 to check setreuid(),
+ fixing FTBFS.
+
+ -- Daniel T Chen Mon, 01 Apr 2013 12:49:49 -0400
+
+mach (0.9.1-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix FTBFS caused by set, but unused variable with the patch by Peter
+ Green (Closes: #625381)
+ * Urgency set to medium due to rc bug fix
+
+ -- Alexander Reichle-Schmehl Sun, 04 Dec 2011 14:02:51 +0100
+
+mach (0.9.1-3) unstable; urgency=low
+
+ * Wrap build-deps and deps.
+ * Bump up Standards-Version to 3.8.4.
+ * Switch to my @debian.org address and use utf-8.
+ * Don't repeat Priority/Section in the binary package entry.
+ * Add watch file.
+ * Only build-dep and enable selinux on linux, disable it otherwise; thanks
+ Cyril Brulebois; closes: #559714.
+ * Don't create /var/tmp/mach.
+
+ -- Loïc Minier Mon, 19 Apr 2010 10:04:40 +0200
+
+mach (0.9.1-2) unstable; urgency=low
+
+ * Always fix perms during configure.
+ * Add new CentOS 5 dist file, derived trivially from CentOS 4.
+
+ -- Loic Minier Thu, 19 Apr 2007 18:25:46 +0200
+
+mach (0.9.1-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Loic Minier Thu, 19 Apr 2007 15:23:24 +0200
+
+mach (0.9.0.2-1) unstable; urgency=low
+
+ * Initial release; closes: #396611.
+
+ -- Loic Minier Mon, 30 Oct 2006 20:20:59 +0100