fakeroot cdebootstrap: Failed to unshare: Operation not permitted [duplicate]

2

On Debian, when running:

$ fakeroot cdebootstrap stable /tmp/foo

cdebootstrap downloads the packages, but when it needs to extract them, I get this error:

E: Failed to unshare: Operation not permitted

How can I run cdebootstrap as non-root?

This part of the unshare manual seems relevant, but I'm not sure how:

EPERM (since Linux 3.9)
              CLONE_NEWUSER was specified in flags and the caller is in a
              chroot environment (i.e., the caller's root directory does not
              match the root directory of the mount namespace in which it
              resides).
    
by Florian Margaine 29.07.2015 / 23:47

2 answers
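
An added example, not part of the original question: the manual excerpt above gives one EPERM cause for CLONE_NEWUSER, and this C program probes which namespace flags the current process is allowed to unshare, so the refused flag can be identified. Which flags cdebootstrap passes is not stated on the page; `probe_unshare` and `explain` are hypothetical helper names and the explanation strings are this example's own wording.

```c
/* Added example: probe which namespace flags this process may unshare. */
#include <errno.h>
#include <linux/sched.h>   /* CLONE_NEWNS, CLONE_NEWUSER */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Call unshare(flags) in a forked child so our own namespaces stay untouched.
 * Returns 0 if allowed, the child's errno if refused, -1 if the probe failed.
 * The raw syscall is used so no glibc feature-test macro is required. */
int probe_unshare(int flags)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(syscall(SYS_unshare, flags) == 0 ? 0 : errno);
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Map a probe result to its usual cause (wording is this example's own). */
const char *explain(int flags, int err)
{
    if (err == 0)
        return "allowed";
    if (err != EPERM)
        return err > 0 ? strerror(err) : "probe failed";
    if (flags & CLONE_NEWUSER)
        return "EPERM: caller is in a chroot, or user namespaces are restricted";
    return "EPERM: needs CAP_SYS_ADMIN in the current user namespace";
}

int main(void)
{
    struct { const char *name; int flags; } probes[] = {
        { "CLONE_NEWNS",               CLONE_NEWNS },
        { "CLONE_NEWUSER",             CLONE_NEWUSER },
        { "CLONE_NEWUSER|CLONE_NEWNS", CLONE_NEWUSER | CLONE_NEWNS },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-26s %s\n", probes[i].name,
               explain(probes[i].flags, probe_unshare(probes[i].flags)));
    return 0;
}
```

Run it as the same user and from the same shell (inside or outside any chroot) that runs cdebootstrap, since the result depends on the caller's privileges and root directory.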

0

Maybe /tmp is the problem. Try

$ fakeroot cdebootstrap stable $HOME/somedir

    
by 29.07.2015 / 23:58
0

Problem

Your problem is related to permission inheritance. cdbootstrap will inherit the permissions of fakeroot, which can be elevated via sudo. Issue the following:

sudo fakeroot cdbootstrap /tmp/foo

If the above command succeeds, the permissions on /tmp are the problem. See "What are the common rights for /tmp? I intentionally set everything public recursively" for what the default permissions should be. Generally, writing anything to /tmp that was not put there by an application is a bad idea, and fakeroot has its own problems. From the man page:

LIMITATIONS

   Library versions
          Every command executed within fakeroot needs to be linked to the
          same version of the C library as fakeroot itself.

   open()/create()
          fakeroot  doesn't  wrap open(), create(), etc. So, if user joost
          does either

          touch foo
          fakeroot
          ls -al foo

          or the other way around,

          fakeroot
          touch foo
          ls -al foo

          fakeroot has no way of knowing that in the first case, the owner
          of  foo  really  should be joost while the second case it should
          have been root.  For the Debian packaging, defaulting to  giving
          all "unknown" files uid=gid=0, is always OK. The real way around
          this is to wrap open() and  create(),  but  that  creates  other
          problems, as demonstrated by the libtricks package. This package
          wrapped many more functions, and tried to do  a  lot  more  than
          fakeroot .  It turned out that a minor upgrade of libc (from one
          where the stat() function didn't use open() to one with a stat()
          function that did (in some cases) use open()), would cause unex-
          plainable segfaults  (that  is,  the  libc6  stat()  called  the
          wrapped  open(),  which  would then call the libc6 stat(), etc).
          Fixing them wasn't all that easy, but once fixed, it was just  a
          matter  of  time  before another function started to use open(),
          never mind trying to port it to a  different  operating  system.
          Thus  I decided to keep the number of functions wrapped by fake-
          root as small as possible, to limit the  likelihood  of  'colli-
          sions'.

   GNU configure (and other such programs)
   of the file will be 000. The bug is that if root does the same,  open()
   will succeed, as the file permissions aren't checked at all for root. I
   choose not to wrap open(), as open() is used by many other functions in
   libc  (also  those  that  are already wrapped), thus creating loops (or
   possible future loops, when the implementation of  various  libc  func-
   tions slightly change).

Best solution

Instead of using privilege escalation to achieve what you are trying to do, consider using a proper chroot, as described in the DebootstrapChroot documentation for Ubuntu, or the official Debian documentation for DebBootStrap.

    
by 30.07.2015 / 01:24