This problem just bumped into my head so I did a little more investigation.

The root cause is that bitbake-worker uses a new user namespace if possible. The commit in bitbake/poky repo is the following one.

"""
bitbake: utils: Add disable_network function
"""

The key codes are:

    libc.unshare(CLONE_NEWNET | CLONE_NEWUSER)

To make things work in your case, the simplest way is to set: do_install[network] = "1", so that the above codes are not run for this task.

Regards,
Qi

From: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org> On Behalf Of Chen Qi via lists.yoctoproject.org
Sent: Tuesday, April 4, 2023 6:02 PM
To: Adrian Dudau <adrian.du...@keyfactor.com>; Bruce Ashfield <bruce.ashfi...@gmail.com>
Cc: Khem Raj <raj.k...@gmail.com>; yocto@lists.yoctoproject.org
Subject: Re: [yocto] error when try to use sudo command in recipe

I haven’t done any further investigation, but I don’t think this problem is related to pseudo. On one hand, /usr directory is ignored as it’s in PSEUDO_IGNORE_PATHS; on the other hand, LD_PRELOAD does not have effect on setuid programs such as sudo.

Unfortunately I don’t have any clue. Another trick Yocto does is uninative. Not sure if it’s related.

Regards,
Qi

From: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org> On Behalf Of Adrian Dudau
Sent: Tuesday, April 4, 2023 4:00 PM
To: Bruce Ashfield <bruce.ashfi...@gmail.com>
Cc: Khem Raj <raj.k...@gmail.com>; yocto@lists.yoctoproject.org
Subject: Re: [yocto] error when try to use sudo command in recipe

I sent an email to the meta-virtualization list describing what I'm trying to achieve and see if others have further ideas.

However, I would still like to continue investigating this sudo bug as it is quite annoying. Even when running under pseudo, I don't see why the binary would show as not owned by the root user. Dropping down to the devshell, the binary seems to have the right owner:

    ls -l /usr/bin/sudo
    -rwsr-xr-x 1 root root 232416 Mar 1 13:59 /usr/bin/sudo

So any other input to put me on the right tracks would be appreciated.

--Adrian

________________________________
From: Bruce Ashfield <bruce.ashfi...@gmail.com>
Sent: Monday, April 3, 2023 5:59 PM
To: Adrian Dudau <adrian.du...@keyfactor.com>
Cc: Khem Raj <raj.k...@gmail.com>; yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org>
Subject: Re: [yocto] error when try to use sudo command in recipe

On Mon, Apr 3, 2023 at 11:42 AM Adrian Dudau <adrian.du...@keyfactor.com> wrote:

Hi Khem,

Thanks for the reply, though I am not sure I fully understand the first part of your answer. I'm trying to do something similar to the thread creator, i.e. running "podman pull" at build time to populate an image store that I can later install into the target rootfs.

FWIW. The above is something that I have almost working, but had to drop the completion of the support for the upcoming release (it was too late, and I had to get some kernel changes done). I'm hoping to have something usable in the next few months.

If you are trying to generate containers (I don't recommend pulling them) and installing them into a container store that is part of the rootfs, then collaborating on the meta-virtualization mailing list is a good starting point.

Bruce

Still, I am failing to understand why /usr/bin/sudo doesn't show up as owned by the root user, even when running under pseudo.
Also, why has this changed between Dunfell and master and where exactly has the change happened..

Best regards,
--Adrian

________________________________
From: Khem Raj <raj.k...@gmail.com>
Sent: Monday, April 3, 2023 4:57 PM
To: Adrian Dudau <adrian.du...@keyfactor.com>
Cc: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org>
Subject: Re: [yocto] error when try to use sudo command in recipe

On Mon, Apr 3, 2023 at 12:25 AM <adrian.du...@keyfactor.com> wrote:

On Mon, Feb 6, 2023 at 01:13 AM, Richard Purdie wrote:

Hi Richard,

Jumping on this thread to provide some clarifications as I hit the same bug. I can confirm that this is not an environment issue. I could reproduce it by adding a sudo call in an empty recipe like this:

    SUMMARY = ""
    HOMEPAGE = ""
    LICENSE = ""
    SECTION = ""
    DEPENDS = ""
    SRC_URI = ""

    do_install() {
        ls -l /usr/bin/sudo
        sudo ls -l /usr/bin/sudo
    }

The build already uses a fake root environment using pseudo to intercept the calls so this might not be out of line here. What is the original issue you are running into?

Running bitbake barebone on my x86 machine produces this error:

    | -rwxr-xr-x 1 nobody 65534 232416 Mar 1 13:59 /usr/bin/sudo
    | sudo: /etc/sudo.conf is owned by uid 65534, should be 0
    | sudo: /etc/sudo.conf is owned by uid 65534, should be 0
    | sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
    | sudo: /usr/libexec/sudo/sudoers.so must be owned by uid 0
    | sudo: fatal error, unable to load plugins

Indeed it seems that ownership is broken somehow in the bb environment. The issue was introduced somewhere between dunfell and kirkstone. I know it's a large timespan but it's a bit time consuming to narrow it down.

Hoping to get some help on this. I would try to investigate further myself but I have no idea where to start to be honest.

Best regards,
--Adrian

--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
View/Reply Online (#59621): https://lists.yoctoproject.org/g/yocto/message/59621
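
Why the root-owned files in the error output above show up as uid 65534 once the task runs in a new user namespace, as an added example (not code from BitBake or from anyone in this thread). It assumes one level of namespace nesting and that only the build user's own uid (1000 here, a constructed value) is mapped; all names and sample maps are illustrative.

```python
# Added example (not BitBake code): translate a parent-namespace uid into the
# uid that stat() reports inside a user namespace, per user_namespaces(7).
OVERFLOW_UID = 65534  # kernel default, see /proc/sys/kernel/overflowuid

# Constructed sample uid_map contents: "<inside> <outside> <count>" per line.
INITIAL_NS = "         0          0 4294967295\n"     # ordinary login shell
SINGLE_UID_NS = "      1000       1000          1\n"  # assumed: only build uid 1000 mapped
ROOTLESS_NS = "0 1000 1\n1 100000 65536\n"            # rootless-container style map


def parse_id_map(text):
    """Parse the contents of /proc/<pid>/uid_map into (inside, outside, count)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        inside, outside, count = (int(f) for f in fields)
        entries.append((inside, outside, count))
    return entries


def uid_seen_inside(outside_uid, entries, overflow=OVERFLOW_UID):
    """Return the uid a process inside the namespace sees for outside_uid."""
    for inside, outside, count in entries:
        if outside <= outside_uid < outside + count:
            return inside + (outside_uid - outside)
    return overflow  # unmapped ids are reported as the overflow uid ("nobody")


def root_owned_files_look_ok(entries):
    """sudo requires its config and plugins to be owned by uid 0."""
    return uid_seen_inside(0, entries) == 0


if __name__ == "__main__":
    for name, text in [("initial", INITIAL_NS), ("single-uid", SINGLE_UID_NS)]:
        seen = uid_seen_inside(0, parse_id_map(text))
        print(f"{name}: files owned by real uid 0 appear as uid {seen}")
    try:  # live check of the namespace this script itself runs in (Linux only)
        with open("/proc/self/uid_map") as f:
            ok = root_owned_files_look_ok(parse_id_map(f.read()))
        print("uid 0 mapped in current namespace:", ok)
    except OSError:
        print("no /proc/self/uid_map on this system")
```

Running the script from inside a task's devshell or run script shows whether uid 0 is mapped there, which is the condition sudo's ownership checks depend on.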