Re: Is it secure to just sign repository databases?




On 6/17/19 12:38 PM, Manuel Reimer wrote:
> On 17.06.19 18:18, Eli Schwartz via arch-general wrote:
>> That being said, it's possible to configure sudo to run makechrootpkg,
>> but only makechrootpkg, as root. Or run SUDO_USER=... SUDO_UID=...
>> makechrootpkg.
> 
> I've tried several times to just launch makechrootpkg with root
> privileges directly. As makechrootpkg drops to an unprivileged user
> inside the chroot, this should be perfectly safe.
> 
> But I always ran into errors saying that makepkg is not allowed to be
> run as root.
> 
> Does your SUDO_USER=... SUDO_UID=... command line allow to directly
> launch as root without needing sudo at all? This is what I would need to
> make my autobuild work.

makechrootpkg uses the SUDO_USER/SUDO_UID variables to check which user
it should use when dropping privileges while running makepkg
--verifysource. By setting the variables, you thereby pretend to
makechrootpkg that it has been run via sudo.

Not doing *anything* to check which user to drop privileges to is the
reason why running makechrootpkg as root is usually not going to work.

>> Yes -- do all signing locally, after the package leaves the build VM. If
>> something goes wrong on the VM, you can remove the relevant packages
>> without, say, revoking your key, so the security issue is less drastic.
> 
> This would also be a possible way. Sign packages where the signature is
> outdated, delete signatures that don't belong to packages and finally
> repo-add the whole stuff after deleting the db file.
> 
> Is there a better tool than repo-add/repo-remove? I've been searching for
> some "repo-update" tool for quite a while now. A smart tool which
> doesn't recreate stuff and just updates a DB file would be pretty handy.

repo-add generally works pretty well, it doesn't recreate stuff anyway
-- it unpacks the DB, adds the files you've specified to the DB, and
then repacks the DB. If you're looking for something which scans a
directory to find files which need to be updated, you can try "repose",
but it has conflicting behavior as compared to repo-add, so you cannot
mix and match repo-add and repose.

-- 
Eli Schwartz
Bug Wrangler and Trusted User

Attachment: signature.asc
Description: OpenPGP digital signature
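
The sign-locally workflow discussed in this message (re-sign packages whose signature is outdated, delete signatures without a package, then rebuild the database with repo-add), as an added example that is not part of the original posts. The directory layout, the repository name argument and the key id argument are assumptions; signatures are assumed to be detached `<package>.sig` files next to each package.

```shell
#!/bin/sh
# Added example. Assumed layout: packages named *.pkg.tar.* with detached
# signatures stored beside them as <package>.sig.

# List packages whose signature is missing or older than the package.
needs_signing() (
    for pkg in "$1"/*.pkg.tar.*; do
        case $pkg in *.sig) continue ;; esac
        [ -f "$pkg" ] || continue
        if [ ! -f "$pkg.sig" ] || [ -n "$(find "$pkg" -newer "$pkg.sig")" ]; then
            printf '%s\n' "$pkg"
        fi
    done
)

# List signatures whose package no longer exists.
orphan_sigs() (
    for sig in "$1"/*.pkg.tar.*.sig; do
        [ -f "$sig" ] || continue
        [ -f "${sig%.sig}" ] || printf '%s\n' "$sig"
    done
)

# Run on the signing machine, never on the build VM:
#   refresh_repo <dir> <repo-name> <key-id>    (all three are assumed inputs)
refresh_repo() (
    dir=$1 name=$2 key=$3
    orphan_sigs "$dir" | while IFS= read -r sig; do rm -f -- "$sig"; done
    needs_signing "$dir" | while IFS= read -r pkg; do
        gpg --batch --yes --local-user "$key" --output "$pkg.sig" \
            --detach-sign "$pkg" </dev/null || exit 1
    done || exit 1
    # Delete the old database so removed packages do not linger in it.
    rm -f -- "$dir/$name.db.tar.gz" "$dir/$name.files.tar.gz"
    set --
    for pkg in "$dir"/*.pkg.tar.*; do
        case $pkg in *.sig) continue ;; esac
        if [ -f "$pkg" ]; then set -- "$@" "$pkg"; fi
    done
    [ "$#" -gt 0 ] && repo-add "$dir/$name.db.tar.gz" "$@"
)
```

Only `refresh_repo` touches the private key, so the build VM needs neither the key nor gpg; the two listing functions are read-only and can be run first to review what would change.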

