scripts/mkimage.sh: non-root cleanup fixes (!26263) · Merge requests · alpine / aports

Stanislav Kholmanskikh requested to merge skholman/aports:mkimage-non-root-cleanup into master Oct 08, 2021

Hi!

This PR addresses two issues:

even if executed under a non-root user mkimage.sh leaves several root-owned files in its workdir, and so cleaning up the workdir requires root privileges
when it finishes, it doesn't remove mktemp created WORKDIR thus "polluting" the temporary directory (/tmp, $TMPDIR)

I'm not 100% sure that using apk instead of abuild-apk is legit there. It seems to be working fine, as the generated iso and minirootfs files work fine. abuild-apk is there since the creation of the script. So I'd highly appreciate if someone with more experience can confirm that using apk here is perfectly fine.

Thanks.

alpine01:~/aports/scripts$ id
uid=1000(stas) gid=1000(stas) groups=10(wheel),300(abuild),1000(stas)
alpine01:~/aports/scripts$ mkdir /tmp/workdir
alpine01:~/aports/scripts$ ./mkimage.sh --profile minirootfs --repository http://mirror.yandex.ru/mirrors/alpine/v3.14/main --workdir /tmp/workdir
OK: 0 MiB in 0 packages
fetch http://mirror.yandex.ru/mirrors/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
v3.14.2-83-g04ade1dae3 [http://mirror.yandex.ru/mirrors/alpine/v3.14/main]
OK: 4791 distinct packages available
>>> mkimage-x86_64: Building minirootfs
>>> mkimage-x86_64: Creating alpine-minirootfs-211008-x86_64.tar.gz
http://mirror.yandex.ru/mirrors/alpine/v3.14/main
fetch http://mirror.yandex.ru/mirrors/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
(1/14) Installing musl (1.2.2-r3)
(2/14) Installing busybox (1.33.1-r3)
(3/14) Installing alpine-baselayout (3.2.0-r16)
(4/14) Installing alpine-keys (2.3-r1)
(5/14) Installing libcrypto1.1 (1.1.1l-r0)
(6/14) Installing libssl1.1 (1.1.1l-r0)
(7/14) Installing ca-certificates-bundle (20191127-r5)
(8/14) Installing libretls (3.3.3p1-r2)
(9/14) Installing ssl_client (1.33.1-r3)
(10/14) Installing zlib (1.2.11-r3)
(11/14) Installing apk-tools (2.12.7-r0)
(12/14) Installing scanelf (1.3.2-r0)
(13/14) Installing musl-utils (1.2.2-r3)
(14/14) Installing libc-utils (0.7.2-r3)
OK: 6 MiB in 14 packages
Images generated in /home/stas/aports/scripts
alpine01:~/aports/scripts$ ls -l /tmp/workdir/
total 8
drwxr-xr-x    8 stas     stas          4096 Oct  8 17:15 apkroot-x86_64
drwxr-xr-x    2 stas     stas          4096 Oct  8 17:15 image-da39a3ee5e6b4b0d3255bfef95601890afd80709-x86_64-minirootfs
alpine01:~/aports/scripts$ rm -rf /tmp/workdir/apkroot-x86_64/
rm: can't remove '/tmp/workdir/apkroot-x86_64/var/cache/apk': Permission denied
rm: can't remove '/tmp/workdir/apkroot-x86_64/var/cache/misc': Permission denied
rm: can't remove '/tmp/workdir/apkroot-x86_64/dev/null': Permission denied
rm: can't remove '/tmp/workdir/apkroot-x86_64/dev/console': Permission denied
rm: can't remove '/tmp/workdir/apkroot-x86_64/dev/zero': Permission denied
rm: can't remove '/tmp/workdir/apkroot-x86_64/dev/urandom': Permission denied
rm: can't remove '/tmp/workdir/apkroot-x86_64/dev/random': Permission denied
rm: can't remove '/tmp/workdir/apkroot-x86_64/lib/apk/db/scripts.tar': Permission denied
rm: can't remove '/tmp/workdir/apkroot-x86_64/lib/apk/db/triggers': Permission denied
rm: can't remove '/tmp/workdir/apkroot-x86_64/lib/apk/db/lock': Permission denied
rm: can't remove '/tmp/workdir/apkroot-x86_64/lib/apk/db/installed': Permission denied
alpine01:~/aports/scripts$ ls -l /tmp/workdir/apkroot-x86_64/dev/null 
crw-rw-rw-    1 root     root        1,   3 Oct  8 17:15 /tmp/workdir/apkroot-x86_64/dev/null
alpine01:~/aports/scripts$

scripts/mkimage.sh: non-root cleanup fixes

Merge request reports