Dear hurd buildd admins, dear ssh maintainers,

recap for ssh maintainers: in my package ssh-agent-filter I'm using ssh-agent in the post-build tests. There was a build failure on hurd[1] (ssh-agent not starting because libssl too old) that was only fixed by updating libssl1.1 outside the chroot.

02.01.19 21:51 Samuel Thibault:
> Oh, I see that /usr/bin/ssh-agent is setgid ssh. That's why it escapes
> the chroot (chroot() is not a privileged operation on the Hurd, and thus
> setuid/setgid have to escape the chroot to avoid security issues)

IIRC ssh-agent being setgid is to keep other processes of the same user from extracting secret keys via ptrace, which is not a problem in my tests.

Nevertheless I see that this is a general issue that might affect or maybe already affects other packages.

Several possible solutions and non-solutions came to my mind:

1. Disable such failing tests on hurd?
   * At least I won't give up that easily. => NO.
2. Update hurd buildds to unstable?
   * That seems to have happened partially in this case, but should not become the norm.
3. Copy such setid binaries into the test's temporary directory?
   * That would remove the setid bits so the binaries wouldn't escape.
   * This would probably work for my package but is more of a hack and extra work for every affected package.
4. Globally remove setid bits from executables in hurd build chroots?
   * Might do more harm than good.
5. Implement/use some "privileged chroot" mode?
   * Maybe there could be a per-boot switch for disabling this security feature while allowing path translators (is this the correct term?) only for root.
6. Use a VM instead of chroot for building packages on hurd?
   * I don't know right now if there's a preexisting solution for building in VMs without chroot and how much userspace outside the chroot packages use while building/testing.
   * This will probably incur some overhead for starting a VM, so it would only be used for packages requiring that.

What do you think?

Regards
Timo

[1] https://buildd.debian.org/status/fetch.php?pkg=ssh-agent-filter&arch=hurd-i386&ver=0.5.2-1&stamp=1543022025&raw=0
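Option 3 from the message above, sketched as an added example (it is not part of the original mail or of the ssh-agent-filter test suite): a test harness stages private copies of the tools it needs and verifies that no setuid/setgid bit survives before putting them on PATH. The function names and the staging-directory layout are hypothetical.

```shell
#!/bin/sh
# Added example: stage non-setid copies of helper binaries for a test run.
# Function names are hypothetical, not taken from any package.

# Return 0 if FILE carries the setuid or setgid bit.
is_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# stage_without_setid SRC DESTDIR
# Copy SRC into DESTDIR without preserving its mode, clear the setid bits
# explicitly (so the result does not rely on cp's defaults), and refuse to
# continue if either bit is still present. Prints the path of the copy.
stage_without_setid() {
    src=$1
    destdir=$2
    dest="$destdir/$(basename "$src")"
    mkdir -p "$destdir" || return 1
    cp -- "$src" "$dest" || return 1
    chmod u-s,g-s "$dest" || return 1
    if is_setid "$dest"; then
        echo "refusing to use $dest: setid bits still present" >&2
        return 1
    fi
    printf '%s\n' "$dest"
}

# stage_tools DESTDIR NAME...
# Resolve each NAME on PATH and stage a copy of it in DESTDIR.
# Typical use in a test script:
#   stage_tools "$tmpdir/bin" ssh-agent && PATH="$tmpdir/bin:$PATH"
stage_tools() {
    tools_dir=$1
    shift
    for name in "$@"; do
        tool_path=$(command -v "$name") || {
            echo "$name not found on PATH" >&2
            return 1
        }
        stage_without_setid "$tool_path" "$tools_dir" >/dev/null || return 1
    done
}
```

The staged copy runs with the invoking user's own credentials, so any protection the setgid bit provided on the original binary does not apply to it; the message above judges that acceptable for its tests.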