Bug#1099301: libpam-tmpdir: please set TMPDIR ACLs for compatibility with subuids
Roberto C. Sanchez
2025-03-01 22:10:02 UTC
Package: libpam-tmpdir
Version: 0.09+b2
Severity: normal

After updating sbuild recently (to version 0.88.4~bpo12+2) I started
experiencing build failures like this:

I: Unpacking /home/roberto/.cache/sbuild/unstable-amd64.tar.zst to /tmp/user/2000/tmp.sbuild.IBpZHAqVJp...
tar: /tmp/user/2000/tmp.sbuild.IBpZHAqVJp: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
bad exit status (512) for tar
E: ABORT: Received PIPE signal (requesting cleanup and shutdown)

(the last line repeats several hundred or thousand times)

It would appear that sbuild now respects the setting of TMPDIR, and when
using it in an unshare configuration, the process is run under a subuid.

Regards,

-Roberto

-- System Information:
Debian Release: 12.9
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-31-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-tmpdir depends on:
ii libc6 2.36-9+deb12u9
ii libpam-runtime 1.5.2-6+deb12u1
ii libpam0g 1.5.2-6+deb12u1

libpam-tmpdir recommends no packages.

libpam-tmpdir suggests no packages.

-- no debconf information
Tollef Fog Heen
2025-03-03 05:30:01 UTC
]] "Roberto C. Sanchez"

> I: Unpacking /home/roberto/.cache/sbuild/unstable-amd64.tar.zst to /tmp/user/2000/tmp.sbuild.IBpZHAqVJp...
> tar: /tmp/user/2000/tmp.sbuild.IBpZHAqVJp: Cannot open: Permission denied
> tar: Error is not recoverable: exiting now
> bad exit status (512) for tar
> E: ABORT: Received PIPE signal (requesting cleanup and shutdown)
> (the last line repeats several hundred or thousand times)
> It would appear that sbuild now respects the setting of TMPDIR, and when
> using it in an unshare configuration, the process is run under a subuid.

This sounds like a bug in sbuild – it must reset the value of TMP/TMPDIR
when changing UIDs.

I'm not sure how libpam-tmpdir would discover any subuids for a given
user, do you have ideas here?
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
Jochen Sprickerhof
2025-03-03 19:10:02 UTC
Hi Tollef,

> This sounds like a bug in sbuild – it must reset the value of TMP/TMPDIR
> when changing UIDs.

I tend to disagree here. sbuild is not changing to a different user but
to a different UID of the same user. So resetting TMPDIR would mean that
sbuild would not respect any TMPDIR and I think that would be wrong.
Instead I see two options:

1. sbuild sets ACLs such that subuids have access to the TMPDIR.

2. Proposed by Helmut: sbuild uses an O_PATH file descriptor to pass stuff
to the user namespace.

I think both options are rather suboptimal and there are more tools
running into the same problem, like mmdebstrap in #1052471. So instead
of patching every tool to work around the specifics of libpam-tmpdir I
would prefer if libpam-tmpdir would learn about subuids.

> I'm not sure how libpam-tmpdir would discover any subuids for a given
> user, do you have ideas here?

Maybe with libsubid-dev.

I would also be fine if we just document this problem for now.

Cheers Jochen
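
The permission failure and option 1 from the thread, modelled as an added example (not code from the thread, sbuild or libpam-tmpdir): it resolves a user's subordinate UID ranges from `/etc/subuid`-format text and evaluates a simplified POSIX permission check with and without a named-user ACL entry. The subuid content, the 2000:2000 ownership and 0700 mode of `/tmp/user/2000`, and all function names are assumptions made for illustration.

```python
# Added example: why a subuid is denied on a per-user TMPDIR, and what an ACL entry changes.
# Constructed /etc/subuid content (owner:start:count); owner may be a login name or a UID.
SAMPLE_SUBUID = "roberto:100000:65536\n2000:300000:1000\nother:165536:65536\nbroken-line\n"

R, W, X = 4, 2, 1

def subuid_ranges(text, login, uid):
    """Return [(start, count)] for the entries that belong to login or its numeric uid."""
    ranges = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 3 or not (fields[1].isdigit() and fields[2].isdigit()):
            continue  # skip malformed lines instead of guessing
        if fields[0] in (login, str(uid)):
            ranges.append((int(fields[1]), int(fields[2])))
    return ranges

def is_subuid(candidate, ranges):
    """True if candidate falls inside one of the half-open ranges [start, start+count)."""
    return any(start <= candidate < start + count for start, count in ranges)

def allowed(mode, owner_uid, owner_gid, uid, gids, want, acl_users=None, acl_mask=R | W | X):
    """Simplified POSIX check: owner, then named-user ACL entries (limited by the
    mask), then owning group, then other. Named-group entries are not modelled."""
    if uid == owner_uid:
        granted = (mode >> 6) & 7
    elif acl_users and uid in acl_users:
        granted = acl_users[uid] & acl_mask
    elif owner_gid in gids:
        granted = (mode >> 3) & 7
    else:
        granted = mode & 7
    return (granted & want) == want

def can_enter_tmpdir(sub_uid, acl_users=None):
    # Assumed layout: /tmp/user/2000 owned by 2000:2000 with mode 0700.
    return allowed(0o700, 2000, 2000, sub_uid, {sub_uid}, X, acl_users)

if __name__ == "__main__":
    ranges = subuid_ranges(SAMPLE_SUBUID, "roberto", 2000)
    for uid in (2000, ranges[0][0]):
        print(uid, "subuid" if is_subuid(uid, ranges) else "owner/other",
              "plain:", can_enter_tmpdir(uid), "with ACL:", can_enter_tmpdir(uid, {uid: X}))
```

The model also shows the cost of option 1: ACL entries name individual UIDs, so every subuid that needs access requires its own entry, and each entry widens who can reach a directory that was private to one UID.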
