pmbootstrap/pmb/chroot/distccd.py

251 lines
8.6 KiB
Python

2022-01-02 21:38:21 +00:00
# Copyright 2022 Oliver Smith
# SPDX-License-Identifier: GPL-3.0-or-later
import errno
pmb: adjust to distcc 3.3 and wrap it with sshd

Overview:
Since Alpine updated to distcc 3.3 last week, pmbootstrap wasn't able to use distcc for cross compilation anymore. It always fell back to running the compiler in QEMU (which works, but is a lot slower). The reason for that is, that distcc requires all compilers that are being used in a whitelist now. This partially fixes CVE-2004-2687 in distccd, which allowed trivial remote code execution by any process connecting to the distccd server. We only run distccd on localhost, but still this can be used for privilege escalation of sandboxed processes running on the host system (not part of pmbootstrap chroots).

Because the CVE is only partially fixed (see the comment in `pmb/chroot/distccd.py` for details), we make sure that only the building chroots can talk to the distcc server by running distcc over ssh.

Details:
* Completely refactored `pmb/chroot/distccd.py` to run distcc over ssh
* Store the running distcc server's arguments as JSON now, not as INI
* Make debugging distcc issues easy:
  * Set DISTCC_BACKOFF_PERIOD=0, so the distcc client will not ignore the server after errors happened (this masks the original error!)
  * New pmbootstrap parameters:
    * `--distcc-nofallback`: avoids falling back to compiling with QEMU and not throwing an error
    * `--ccache-disable`: avoid ccache (when the compiler output is cached, distcc does not get used)
    * `--verbose` prints verbose output of the distcc too
* New test case, that uses the new pmbootstrap parameters to force compilation through distcc, and shows the output of distcc and distccd in verbose mode on error (as well as the log of sshd)
2018-07-25 19:09:45 +00:00
import json
2017-05-26 20:08:45 +00:00
import logging
import os
import pmb.chroot
import pmb.config
import pmb.chroot.apk
import pmb.helpers.run

""" Packages for foreign architectures (e.g. armhf) get built in chroots
    running with QEMU. While this works, it is painfully slow. So we speed it
    up by using distcc to let cross compilers running in the native chroots do
    the heavy lifting.

    This file sets up an SSH server in the native chroot, which will then be
    used by the foreign arch chroot to communicate with the distcc daemon. We
    make sure that only the foreign arch chroot can connect to the sshd by only
    listening on localhost, as well as generating dedicated ssh keys.

    Using the SSH server instead of running distccd directly is a security
    measure. Distccd does not authenticate its clients and would therefore
    allow any process of the host system (not related to pmbootstrap) to
    execute compilers in the native chroot. By modifying the compiler's options
    or sending malicious data to the compiler, it is likely that the process
    can gain remote code execution [1]. That way, a compromised, but sandboxed
    process could gain privilege escalation.

    [1]: <https://github.com/distcc/distcc/issues/155#issuecomment-374014645>
"""


def init_server(args):
    """
    Install dependencies and generate keys for the server.
    """
    # Install dependencies
    pmb.chroot.apk.install(args, ["arch-bin-masquerade", "distcc",
                                  "openssh-server"])

    # Config folder (nothing to do if existing)
    dir = "/home/pmos/.distcc-sshd"
    dir_outside = args.work + "/chroot_native" + dir
    if os.path.exists(dir_outside):
        return

    # Generate keys
    logging.info("(native) generate distcc-sshd server keys")
    pmb.chroot.user(args, ["mkdir", "-p", dir + "/etc/ssh"])
    pmb.chroot.user(args, ["ssh-keygen", "-A", "-f", dir])


def init_client(args, suffix):
    """
    Install dependencies and generate keys for the client.
    """
    # Install dependencies
    pmb.chroot.apk.install(args, ["arch-bin-masquerade", "distcc",
                                  "openssh-client"], suffix)

    # Public key path (nothing to do if existing)
    pub = "/home/pmos/id_ed25519.pub"
    pub_outside = args.work + "/chroot_" + suffix + pub
    if os.path.exists(pub_outside):
        return

    # Generate keys
    logging.info("(" + suffix + ") generate distcc-sshd client keys")
    pmb.chroot.user(args, ["ssh-keygen", "-t", "ed25519", "-N", "",
                           "-f", "/home/pmos/.ssh/id_ed25519"], suffix)
    pmb.chroot.user(args, ["cp", "/home/pmos/.ssh/id_ed25519.pub", pub],
                    suffix)


def configure_authorized_keys(args, suffix):
    """
    Exclusively allow one foreign arch chroot to access the sshd.
    """
    auth = "/home/pmos/.distcc-sshd/authorized_keys"
    auth_outside = args.work + "/chroot_native/" + auth
    pub = "/home/pmos/id_ed25519.pub"
    pub_outside = args.work + "/chroot_" + suffix + pub
    pmb.helpers.run.root(args, ["cp", pub_outside, auth_outside])


def configure_cmdlist(args, arch):
    """
    Create a whitelist of all the cross compiler wrappers.

    Distcc 3.3 and above requires such a whitelist, or else it will only run
    with the --make-me-a-botnet parameter (even in ssh mode).
    """
    dir = "/home/pmos/.distcc-sshd"
    with open(args.work + "/chroot_native/tmp/cmdlist", "w") as handle:
        for cmd in ["c++", "cc", "cpp", "g++", "gcc"]:
            cmd_full = "/usr/lib/arch-bin-masquerade/" + arch + "/" + cmd
            handle.write(cmd_full + "\n")
    pmb.chroot.root(args, ["mv", "/tmp/cmdlist", dir + "/cmdlist"])
    pmb.chroot.user(args, ["cat", dir + "/cmdlist"])


def configure_distccd_wrapper(args):
    """
    Wrap distccd in a shell script, so we can pass the compiler whitelist and
    set the verbose flag (when pmbootstrap is running with --verbose).
    """
    dir = "/home/pmos/.distcc-sshd"
    with open(args.work + "/chroot_native/tmp/wrapper", "w") as handle:
        handle.write("#!/bin/sh\n"
                     "export DISTCC_CMDLIST='" + dir + "/cmdlist'\n"
                     "distccd --log-file /home/pmos/distccd.log --nice 19")
        if args.verbose:
            handle.write(" --verbose")
        handle.write(" \"$@\"\n")
    pmb.chroot.root(args, ["mv", "/tmp/wrapper", dir + "/distccd"])
    pmb.chroot.user(args, ["cat", dir + "/distccd"])
    pmb.chroot.root(args, ["chmod", "+x", dir + "/distccd"])


def configure_sshd(args):
    """
    Configure the SSH daemon in the native chroot.
    """
    dir = "/home/pmos/.distcc-sshd"
    config = """AllowAgentForwarding no
                AllowTcpForwarding no
                AuthorizedKeysFile /home/pmos/.distcc-sshd/authorized_keys
                HostKey /home/pmos/.distcc-sshd/etc/ssh/ssh_host_ed25519_key
                ListenAddress 127.0.0.1
                PasswordAuthentication no
                PidFile /home/pmos/.distcc-sshd/sshd.pid
                Port """ + args.port_distccd + """
                X11Forwarding no"""

    with open(args.work + "/chroot_native/tmp/cfg", "w") as handle:
        for line in config.split("\n"):
            handle.write(line.lstrip() + "\n")
    pmb.chroot.root(args, ["mv", "/tmp/cfg", dir + "/sshd_config"])
    pmb.chroot.user(args, ["cat", dir + "/sshd_config"])


def get_running_pid(args):
    """
    :returns: the running distcc-sshd's pid as integer or None
    """
    # PID file must exist
    pidfile = "/home/pmos/.distcc-sshd/sshd.pid"
    pidfile_outside = args.work + "/chroot_native" + pidfile
    if not os.path.exists(pidfile_outside):
        return None

    # Verify, if it still exists by sending a kill signal
    with open(pidfile_outside, "r") as handle:
        pid = int(handle.read()[:-1])
        try:
            os.kill(pid, 0)
        except OSError as err:
            if err.errno == errno.ESRCH:  # no such process
                pmb.helpers.run.root(args, ["rm", pidfile_outside])
                return None
    return pid


def get_running_parameters(args):
    """
    Get the parameters of the currently running distcc-sshd instance.

    :returns: a dictionary in the form of
              {"arch": "armhf", "port": 1234, "verbose": False}
              If the information can not be read, "arch" is set to "unknown"
    """
    # Return defaults
    path = args.work + "/chroot_native/tmp/distcc_sshd_parameters"
    if not os.path.exists(path):
        return {"arch": "unknown", "port": 0, "verbose": False}

    # Parse the file as JSON
    with open(path, "r") as handle:
        return json.loads(handle.read())


def set_running_parameters(args, arch):
    """
    Set the parameters of the currently running distcc-sshd instance.
    """
    parameters = {"arch": arch,
                  "port": args.port_distccd,
                  "verbose": args.verbose}

    path = args.work + "/chroot_native/tmp/distcc_sshd_parameters"
    with open(path, "w") as handle:
        json.dump(parameters, handle)


def is_running_with_same_parameters(args, arch):
    """
    Check whether we can use the already running distcc-sshd instance with our
    current set of parameters. In case we can use it directly, we save some
    time, otherwise we need to stop it, configure it again, and start it once
    more.
    """
    if not get_running_pid(args):
        return False

    parameters = get_running_parameters(args)
    return (parameters["arch"] == arch and
            parameters["port"] == args.port_distccd and
            parameters["verbose"] == args.verbose)


def stop(args):
    """
    Kill the sshd process (by using its pid).
    """
    pid = get_running_pid(args)
    if not pid:
        return

    parameters = get_running_parameters(args)
    logging.info("(native) stop distcc-sshd (" + parameters["arch"] + ")")
    pmb.chroot.user(args, ["kill", str(pid)])
def start(args, arch):
    """
    Set up a new distcc-sshd instance or use an already running one.
    """
    if is_running_with_same_parameters(args, arch):
        return
    stop(args)
    # Initialize server and client
    suffix = "buildroot_" + arch
    init_server(args)
    init_client(args, suffix)
    logging.info("(native) start distcc-sshd (" + arch + ") on 127.0.0.1:" +
                 args.port_distccd)
    # Configure server parameters (arch, port, verbose)
    configure_authorized_keys(args, suffix)
    configure_distccd_wrapper(args)
    configure_cmdlist(args, arch)
    configure_sshd(args)
    # Run
    dir = "/home/pmos/.distcc-sshd"
    pmb.chroot.user(args, ["/usr/sbin/sshd", "-f", dir + "/sshd_config",
                           "-E", dir + "/log.txt"])
    set_running_parameters(args, arch)
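
Added example, not pmbootstrap's own code: `start()` launches sshd with a dedicated `sshd_config` so that only the building chroot's key can reach distccd, and the code below renders one such locked-down config and audits any config for settings that would widen that access. The wrapper path and the port used in testing are constructed assumptions; the directives are standard OpenSSH `sshd_config` keywords.

```python
import ipaddress

# Constructed values for illustration; not pmbootstrap's real configuration.
STATE_DIR = "/home/pmos/.distcc-sshd"
WRAPPER = STATE_DIR + "/distccd-wrapper"  # hypothetical forced-command path


def render_sshd_config(port):
    """Render a loopback-only, key-only sshd_config that forces one command."""
    return "\n".join([
        "Port " + str(port),
        "ListenAddress 127.0.0.1",
        "AllowUsers pmos",
        "PasswordAuthentication no",
        "AuthorizedKeysFile " + STATE_DIR + "/authorized_keys",
        "AllowTcpForwarding no",
        "ForceCommand " + WRAPPER,
    ]) + "\n"


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # hostname or host:port form, not provably loopback
        return False


def audit_sshd_config(text):
    """Return findings for settings that widen access to the wrapped service."""
    first, listen = {}, []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "listenaddress":
            listen.append(value)
        first.setdefault(key, value)  # sshd keeps the first value per keyword
    findings = []
    if not listen or not all(_is_loopback(a) for a in listen):
        findings.append("ListenAddress is not restricted to loopback")
    if first.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is enabled")
    if first.get("allowtcpforwarding", "yes") != "no":
        findings.append("AllowTcpForwarding is enabled")
    if "forcecommand" not in first:
        findings.append("no ForceCommand: the key is not pinned to one command")
    return findings
```

The audit treats a missing directive as its OpenSSH default, so a config that simply omits `PasswordAuthentication` or `ListenAddress` is reported as open.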