ports/core (3.7): meson: cherry picked commit to not drop privileges
commit 51ffb5180d0581c0edca23eec0f93106188c179b Author: Tim Biermann <tbier@posteo.de> Date: Mon May 1 22:11:53 2023 +0200 meson: cherry picked commit to not drop privileges
diff --git a/meson/.signature b/meson/.signature
index 4c14ea3b..20483a3b 100644
--- a/meson/.signature
+++ b/meson/.signature
@@ -1,5 +1,6 @@
 untrusted comment: verify with /etc/ports/core.pub
-RWRJc1FUaeVequz/hMZIHNXaRGHtqx2kJUMz7NORNWgscp7POaJXgoUADMVM6EH2jihQIHMbEe/CMxwa6LrqSzZjEnMGOfnF4QY=
-SHA256 (Pkgfile) = 72248a1cbc83419d0d594f929af8c0b96a20059dd9bbd0a99bf44969871399e4
+RWRJc1FUaeVeqvmYbE2CqwGUSEADno/HEglN87D84HhRG51YSrVgf9LYMpQZOQ193sLy59gEEeeiO8DdS9dps1pbhtD8rxdyIws=
+SHA256 (Pkgfile) = fd027de480edfed08052af5891ea903a73532d525d19340b48ae4448b0576fee
 SHA256 (.footprint) = a4885781bf4feba5b0d00c7d7a6162e37307d77a40091ee53a3c2ed58bad090a
 SHA256 (meson-1.1.0.tar.gz) = d9616c44cd6c53689ff8f05fc6958a693f2e17c3472a8daf83cee55dabff829f
+SHA256 (11667.patch) = fc97514ba63212919c455a5a97d61b395ff69610c9d198af48a02c3fa8cd359b
diff --git a/meson/11667.patch b/meson/11667.patch
new file mode 100644
index 00000000..c89d6f0c
--- /dev/null
+++ b/meson/11667.patch
@@ -0,0 +1,82 @@
+From 9a77c45e4192df1b89a3631aa3ce379922c4bf5c Mon Sep 17 00:00:00 2001
+From: Eli Schwartz <eschwartz@archlinux.org>
+Date: Tue, 11 Apr 2023 13:11:00 -0400
+Subject: [PATCH 1/2] minstall: do not drop privileges if msetup also ran under
+ sudo
+
+A user might run `sudo somewrapper` to build and install something with
+meson, and it is not actually possible to drop privileges and build,
+since the build directory is also owned by root.
+
+A common case of this is `sudo pip install` for projects using
+meson-python or other python build-backends that wrap around meson.
+
+Fixes #11665
+---
+ mesonbuild/minstall.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mesonbuild/minstall.py b/mesonbuild/minstall.py
+index c4de5c2c25b..04726b08af7 100644
+--- a/mesonbuild/minstall.py
++++ b/mesonbuild/minstall.py
+@@ -788,6 +788,10 @@ def drop_privileges() -> T.Tuple[T.Optional[EnvironOrDict], T.Optional[T.Callabl
+ else:
+ return None, None
+
++ if os.stat(os.path.join(wd, 'build.ninja')).st_uid != int(orig_uid):
++ # the entire build process is running with sudo, we can't drop privileges
++ return None, None
++
+ env['USER'] = orig_user
+ env['HOME'] = homedir
+
+
+From 3bc2236c59249f44f20f8b52ddcd7a44938ea2f0 Mon Sep 17 00:00:00 2001
+From: Eli Schwartz <eschwartz@archlinux.org>
+Date: Tue, 11 Apr 2023 12:42:36 -0400
+Subject: [PATCH 2/2] minstall: work around broken environments with missing
+ UIDs
+
+Running some container-like mechanisms such as chroot(1) from sudo, can
+result in a new isolated environment where the environment variables
+exist but no users exist. From there, a build is performed as root but
+installation fails when we try to look up the passwd database entry for
+the user outside of the chroot.
+
+Proper container mechanisms such as systemd-nspawn, and even improper
+ones like docker, sanitize this and ensure those stale environment
+variables don't exist anymore. But chroot is very low-level.
+
+Avoid crashing when this happens.
+
+Fixes #11662
+---
+ mesonbuild/minstall.py | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/mesonbuild/minstall.py b/mesonbuild/minstall.py
+index 04726b08af7..b9fe7d58d8d 100644
+--- a/mesonbuild/minstall.py
++++ b/mesonbuild/minstall.py
+@@ -778,10 +778,18 @@ def drop_privileges() -> T.Tuple[T.Optional[EnvironOrDict], T.Optional[T.Callabl
+ orig_user = env.pop('SUDO_USER')
+ orig_uid = env.pop('SUDO_UID', 0)
+ orig_gid = env.pop('SUDO_GID', 0)
+- homedir = pwd.getpwuid(int(orig_uid)).pw_dir
++ try:
++ homedir = pwd.getpwuid(int(orig_uid)).pw_dir
++ except KeyError:
++ # `sudo chroot` leaves behind stale variable and builds as root without a user
++ return None, None
+ elif os.environ.get('DOAS_USER') is not None:
+ orig_user = env.pop('DOAS_USER')
+- pwdata = pwd.getpwnam(orig_user)
++ try:
++ pwdata = pwd.getpwnam(orig_user)
++ except KeyError:
++ # `doas chroot` leaves behind stale variable and builds as root without a user
++ return None, None
+ orig_uid = pwdata.pw_uid
+ orig_gid = pwdata.pw_gid
+ homedir = pwdata.pw_dir
diff --git a/meson/Pkgfile b/meson/Pkgfile
index 3b977a3d..604025cb 100644
--- a/meson/Pkgfile
+++ b/meson/Pkgfile
@@ -5,12 +5,15 @@ name=meson version=1.1.0 -release=1 -source=(https://github.com/mesonbuild/meson/releases/download/$version/$name-$versio...) +release=2 +source=(https://github.com/mesonbuild/meson/releases/download/$version/$name-$versio... + 11667.patch) build() { cd $name-$version + patch -Np1 -i $SRC/11667.patch + /usr/bin/python3 setup.py build /usr/bin/python3 setup.py install \
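Review bot: In meson/11667.patch, the guard added by the first embedded patch, `if os.stat(os.path.join(wd, 'build.ninja')).st_uid != int(orig_uid):`, keeps root for any build tree not owned by the invoking user, which is broader than the "entire build process is running with sudo" case its comment describes; a tree owned by some third account takes the same path, and the rebuild then stays privileged on files that account controls. Comparing against root explicitly, `if os.stat(os.path.join(wd, 'build.ninja')).st_uid == 0:`, would match the stated intent, although whether other owners should still drop to the invoking user is a call for upstream. The same `os.stat` call raises `FileNotFoundError` when `build.ninja` is absent, and nothing visible in the hunk guarantees the file exists at that point. Both `except KeyError` branches in the second embedded patch return `None, None` silently, so a one-line log message stating that the rebuild will continue as root would let an operator notice the fallback. `drop_privileges` starts and ends outside both inner hunks, so its callers' handling of the `None, None` result cannot be checked from here.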