Package: sbuild
Version: 0.89.3
Severity: wishlist

Hi,

Sharing $HOME/.cache/ccache with the unshare currently requires making
that directory world-writable on the host, which is icky.

I'm not too familiar with unshare, but I solved a similar problem
with podman. Both unshare and podman use UID namespaces, so maybe my
solution would work there, too.

What I did there was: in addition to the subgids (100000:65536), also
map the user's main GUID to the unshare. So that host:1000 can be
unshare:1000, and everything else is per 100000+ mapping.

Then, in the unshare, chown the mount point for CCACHE_DIR to group
1000, and add the subuid of the unshare-user to that group. That user
should now be able to write to that directory, i.e. on the host.

podman has its own logic to set up such a map, and I documented it
here [1]. But podman tries to cover a multitude of use cases. In this
case, we'd only need to cover just one special group. podman also just
uses /etc/sub{u,g}id and new{u,g}idmap AFAIK, so there should be some
way to do it.

Just theoretical food for thought now, in case anyone is curious enough
to give it a try.

Best,
Christian

[1]: https://salsa.debian.org/rocm-team/community/team-project/-/blob/master/doc/rocm-autopkgtests-in-containers.md?ref_type=heads#mapping-container-groups-to-host-groups


-- System Information:
Debian Release: 13.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.38+deb13-amd64 (SMP w/32 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sbuild depends on:
ii  adduser         3.152
ii  libsbuild-perl  0.89.3
ii  perl            5.40.1-6

Versions of packages sbuild recommends:
ii  autopkgtest  5.49
ii  debootstrap  1.0.141
ii  iproute2     6.15.0-1
ii  mmdebstrap   1.5.7-1
pn  schroot      <none>
ii  uidmap       1:4.17.4-2

Versions of packages sbuild suggests:
ii  e2fsprogs  1.47.2-3+b3
ii  kmod       34.2-2
ii  wget       1.25.0-2

-- no debconf information
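
Added example, not part of the original report and not sbuild or podman code: a sketch of the GID map described above, where inside GID N maps to host GID 100000+N except for one shared group that keeps its host number. The user name "builder", the PID 4242 and the helper names are hypothetical, and it assumes newgidmap accepts the caller's own primary GID as a single-ID extent next to the /etc/subgid range.

```python
# Constructed sample of /etc/subgid; user name and range are assumptions.
SAMPLE_SUBGID = "# constructed sample\nbuilder:100000:65536\n"

def parse_subid(text, user):
    """Return (start, count) of the first subordinate range listed for user."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == user:
            return int(fields[1]), int(fields[2])
    raise LookupError(f"no subordinate ID range for {user!r}")

def gid_extents(shared_gid, sub_start, sub_count):
    """Build (inside, outside, count) extents for a gid_map.

    Inside GID N maps to host GID sub_start + N, except shared_gid,
    which maps to the same number on the host.
    """
    if shared_gid <= 0:
        raise ValueError("refusing to share GID 0 or a negative GID")
    if sub_start <= shared_gid < sub_start + sub_count:
        raise ValueError("shared GID already lies inside the subordinate range")
    if shared_gid >= sub_count:
        # The shared GID is above the mapped block: no split needed.
        return [(0, sub_start, sub_count), (shared_gid, shared_gid, 1)]
    extents = [(0, sub_start, shared_gid), (shared_gid, shared_gid, 1)]
    tail = sub_count - shared_gid - 1
    if tail > 0:
        extents.append((shared_gid + 1, sub_start + shared_gid + 1, tail))
    return extents

def newgidmap_argv(pid, extents):
    """Argument vector for newgidmap(1): pid, then inside/outside/count triples."""
    argv = ["newgidmap", str(pid)]
    for extent in extents:
        argv.extend(str(n) for n in extent)
    return argv

if __name__ == "__main__":
    start, count = parse_subid(SAMPLE_SUBGID, "builder")
    # 4242 is a placeholder PID for the process inside the new namespace.
    print(" ".join(newgidmap_argv(4242, gid_extents(1000, start, count))))
```

With this map only the one shared group is writable from inside the namespace, so the ccache directory can be group-writable for GID 1000 instead of world-writable.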
