From 1a92cb59634d7b0222bb1b6a65737595c3101f8c Mon Sep 17 00:00:00 2001
From: Albert S
Date: Tue, 28 Jun 2022 23:36:04 +0200
Subject: [PATCH] build: Run as root generally, drop privs on download/bundle
---
 build | 16 ++++++++--------
 scripts/2-create.sh | 1 -
 2 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/build b/build
index 1830c3a..5953d21 100755
--- a/build
+++ b/build
@@ -2,13 +2,13 @@ set -e
 [ -d cache ] || mkdir cache
 SPAWN="systemd-nspawn -M gentoolooqsbuilder -D gentoo --bind=$(realpath ./out):/out --bind=$(realpath scripts):/scripts --bind=$(realpath cache):/var/cache/distfiles"
+export UNPRIVUSER="user"
-
-SETUPSCRIPT="/scripts/3-setup-gentoo.sh"
-BUILDSCRIPT="/scripts/4-build-looqs.sh"
-./scripts/1-create.sh
-sudo ./scripts/2-create.sh `whoami`
-sudo ${SPAWN} /${SETUPSCRIPT}
-sudo ${SPAWN} su - builder -c /${BUILDSCRIPT}
-./scripts/5-bundle.sh
+su $UNPRIVUSER -c ./scripts/1-create.sh
+./scripts/2-create.sh
+${SPAWN} /scripts/3-setup-gentoo.sh
+chown "$UNPRIVUSER" -R out
+${SPAWN} su - builder -c /scripts/4-build-looqs.sh
+chown "$UNPRIVUSER" -R out
+su $UNPRIVUSER -c "cd $(pwd); ./scripts/5-bundle.sh"
diff --git a/scripts/2-create.sh b/scripts/2-create.sh
index c51016e..bb7b820 100755
--- a/scripts/2-create.sh
+++ b/scripts/2-create.sh
@@ -6,5 +6,4 @@ mkdir out
 mkdir out/lib
 mkdir out/bin
 chmod -R 755 out
-chown -R "$1" out
 tar xfp hardened.tar.xz -C gentoo
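Review bot: Nothing in the rewritten build script checks that it is running as root, even though `./scripts/2-create.sh`, the `${SPAWN} …` lines and the `chown`/`su` lines now all require it; started as a normal user the `su` lines will typically prompt for a password and the remaining steps fail partway. A guard right after `set -e`, `[ "$(id -u)" -eq 0 ] || { echo "build: must run as root" >&2; exit 1; }`, makes the new contract explicit and fails early. The last added line interpolates the checkout path unquoted into a shell string via `cd $(pwd)`, so a path containing spaces or shell metacharacters breaks the command; since `su $UNPRIVUSER -c ./scripts/1-create.sh` earlier in the hunk already relies on the non-login `su` keeping the working directory, `su "$UNPRIVUSER" -c ./scripts/5-bundle.sh` appears sufficient. `$UNPRIVUSER` is quoted in the `chown` lines but not in the `su` lines; quoting it everywhere keeps the hunk consistent.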