Abort: error: certificate verify failed (_ssl.c:590)

Being a "full stack" developer you often end up doing sysadmin jobs. And this week I've been dealing with an issue with chroot and SSL certificate verification.

In the app I'm working on, a cloud based code editor, every user gets their own shell. A shell is an interface to put commands into a computer/server, often via a Unix-type command line interface.

To add a bit of convenience and a layer of security, each user is chrooted in their home directory. Chroot basically means the root folder / is translated to another path, in this case the user's home folder. When a program tries to read /etc/passwd it's instead reading from /home/user/etc/passwd. The only problem is that many programs require libraries located elsewhere, like in /lib/ and /usr/lib. Thus I have to mount --bind those folders from the system path to the user's home dir. So it goes "full circle": a request to /lib/foo gets translated to /home/user/lib/foo, which has mounted /lib/foo.

This seems a bit tedious, but the advantage is that I can pick which folders the user can access, it doesn't take up any extra hard drive space, and the libraries and executables are the same as the host system, so they'll be updated when the host system updates. You could say a chroot is a lightweight container. The reason why I'm not using a container like LXC or Docker, besides the extra disk space and resource use, is the time it takes to boot it up, compared to a chroot which is instant.

There is however the chance that someone more clever than me can escape the chroot and gain full system access. You need root privileges to create a chroot, and the most common mistake with chroot is not dropping the root privilege. Besides dropping the root privilege by setuid and setgid to the actual user id/group, I also use AppArmor. AppArmor adds an additional security layer where I explicitly have to define which directories and what resources a program is able to access.

One program that users are allowed to run is Mercurial, which is a source management tool developed in the programming language Python.

This week while going down the "happy path" (meaning everything I do has been well tested and polished, useful for when demoing the product), I cloned a repository from GitHub (possible with the hggit Mercurial addon).

Reading from the error message it seems to have something to do with SSL certificates. I tried to clone from another server that also uses SSL and it worked fine. It wouldn't be the first time GitHub changed their certificate supplier/chain though, which was the root of an earlier bug. So I updated all root certificates and tried again.

Reading the Mercurial manual I found the --insecure flag which skips the certificate verification. Adding --insecure to hg clone gave the same error! Also found the --traceback flag while reading the Mercurial manual, but that didn't give any useful information.

Tried searching to find out what was on _ssl.c line 590 and found: PyErr_Clear() inside the function fill_and_set_sslerror. Which is called from _setSSLError which in turn is called from. I'm not very good with Python or C so I just gave up.

Rant: If you are going to crash/exit, just exit on the spot with a stack trace! Don't have a bunch of error handlers that obfuscate the actual error!

Then I tried running hg clone from the host server, and it worked! So it must have something to do with either AppArmor or the chroot. I used the tracefile Perl script, which outputs all files that are accessed by a program. Then made sure the chroot had everything resembling SSL. So I added each folder one by one to the chroot until it worked. It turned out to be /usr/share/ that was needed.

The Mercurial clone command accesses the following files from /usr/share/:

/usr/share/mercurial/locale/en_US/LC_MESSAGES/hg.mo
/usr/share/mercurial/locale/en_US.ISO8859-1/LC_MESSAGES/hg.mo
/usr/share/mercurial/locale/en/LC_MESSAGES/hg.mo
/usr/share/mercurial/locale/en.ISO8859-1/LC_MESSAGES/hg.mo
/usr/share/locale-langpack/en_US/LC_MESSAGES/hg.mo
/usr/share/locale-langpack/en_US.ISO8859-1/LC_MESSAGES/hg.mo
/usr/share/locale-langpack/en/LC_MESSAGES/hg.mo
/usr/share/locale-langpack/en.ISO8859-1/LC_MESSAGES/hg.mo
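The "add each folder one by one" search can be automated by comparing a file-access trace taken on the host against the chroot tree. The sketch below is an added example, not code from the post: it assumes strace-style trace lines instead of the tracefile script's output, the function names are hypothetical, and the sample trace and directory trees are constructed.

```python
import os
import re
import tempfile

# Path argument of file-related syscalls in strace-style output (assumed format).
SYSCALL_PATH = re.compile(r'^(?:open|openat|stat|lstat|access)\((?:AT_FDCWD, )?"(/[^"]*)"')

# Constructed sample trace; the hg.mo paths are ones listed in the post.
TRACE = [
    'open("/usr/share/mercurial/locale/en_US/LC_MESSAGES/hg.mo", O_RDONLY) = -1 ENOENT (No such file or directory)',
    'open("/usr/share/locale-langpack/en/LC_MESSAGES/hg.mo", O_RDONLY) = -1 ENOENT (No such file or directory)',
    'openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 3',
    'stat("/lib/x86_64-linux-gnu", {st_mode=S_IFDIR|0755, ...}) = 0',
]

def traced_paths(trace_lines):
    """Absolute paths the traced program touched, in first-seen order."""
    paths = []
    for line in trace_lines:
        m = SYSCALL_PATH.match(line.strip())
        if m and m.group(1) not in paths:
            paths.append(m.group(1))
    return paths

def first_gap(path, chroot, host_root="/"):
    """Shallowest parent directory of `path` that the host has but the chroot lacks."""
    prefix = ""
    for part in path.strip("/").split("/")[:-1]:
        prefix += "/" + part
        if not os.path.isdir(host_root.rstrip("/") + prefix):
            return None   # the host has no such directory either: not a chroot gap
        if not os.path.isdir(chroot.rstrip("/") + prefix):
            return prefix
    return None

def missing_in_chroot(trace_lines, chroot, host_root="/"):
    """Sorted directories to consider bind-mounting into the chroot."""
    gaps = {first_gap(p, chroot, host_root) for p in traced_paths(trace_lines)}
    return sorted(g for g in gaps if g)

def demo():
    """Compare a throwaway 'host' tree with a 'jail' tree that lacks /usr/share."""
    with tempfile.TemporaryDirectory() as tmp:
        host, jail = os.path.join(tmp, "host"), os.path.join(tmp, "jail")
        for d in ("usr/share/mercurial/locale", "usr/share/locale-langpack",
                  "usr/lib", "etc/ssl/certs", "lib"):
            os.makedirs(os.path.join(host, d))
        for d in ("usr/lib", "etc/ssl/certs", "lib"):
            os.makedirs(os.path.join(jail, d))
        return missing_in_chroot(TRACE, jail, host)

if __name__ == "__main__":
    print(demo())
```

The check works on parent directories rather than the files themselves, because a traced file (such as a locale catalogue) may be absent on the host as well while its directory tree exists there and not in the chroot.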