| Message ID | 20260604050245.2932931-1-bin.cao.cn@windriver.com |
|---|---|
| State | Changes Requested |
| Series | python3: sanitize userbase in _sysconfig_vars JSON to avoid host path leak |
I wonder if there should be a qa test for what gets installed that checks such $HOME leakage. It breaks reproducibility, for example, but Yocto AB builds everything under one user, and so won't catch it. Alex On Thu, 4 Jun 2026 at 07:02, Bin Cao via lists.openembedded.org <bin.cao.cn=windriver.com@lists.openembedded.org> wrote: > > The _sysconfig_vars__linux_x86_64-linux-gnu.json file contains a > "userbase" field that is populated from the build host user's $HOME > at build time. This leaks the build host user's home directory path > into the target rootfs. > > The existing py_package_preprocess() cleanup for this JSON file only > strips known OE build path prefixes (STAGING_DIR_TARGET, RECIPE_SYSROOT, > etc.), but the userbase value comes from the build user's $HOME > environment variable which doesn't match any of those patterns. > > Set userbase to an empty string in the packaged JSON. This is safe > because at runtime, sysconfig.get_config_vars() always recomputes > userbase by calling _getuserbase(), which resolves the actual target > user's ~/.local path dynamically. The static value in the JSON is > never used for runtime path resolution. > > Signed-off-by: Bin Cao <bin.cao.cn@windriver.com> > --- > meta/recipes-devtools/python/python3_3.14.5.bb | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta/recipes-devtools/python/python3_3.14.5.bb b/meta/recipes-devtools/python/python3_3.14.5.bb > index 2f821b130f..cc18e13747 100644 > --- a/meta/recipes-devtools/python/python3_3.14.5.bb > +++ b/meta/recipes-devtools/python/python3_3.14.5.bb 
> @@ -390,6 +390,7 @@ py_package_preprocess () { > -e 's:${RECIPE_SYSROOT_NATIVE}::g' \ > -e 's:${RECIPE_SYSROOT}::g' \ > -e 's:${BASE_WORKDIR}/${MULTIMACH_TARGET_SYS}::g' \ > + -e 's|"userbase": ".*"|"userbase": ""|g' \ > ${PKGD}/${libdir}/python${PYTHON_MAJMIN}/_sysconfig_vars*.json > } > > -- > 2.43.0
Thanks for the comments. I added qa test in v2 patch. Verified it works as expected on both fixed & unfixed versions.

Thanks,
Bin

-----Original Message-----
From: Alexander Kanavin <alex.kanavin@gmail.com>
Sent: 4 June 2026 15:29
To: Cao, Bin (CN) <Bin.Cao.CN@windriver.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] python3: sanitize userbase in _sysconfig_vars JSON to avoid host path leak

I wonder if there should be a qa test for what gets installed that checks such $HOME leakage. It breaks reproducibility, for example, but Yocto AB builds everything under one user, and so won't catch it.

Alex
diff --git a/meta/recipes-devtools/python/python3_3.14.5.bb b/meta/recipes-devtools/python/python3_3.14.5.bb index 2f821b130f..cc18e13747 100644 --- a/meta/recipes-devtools/python/python3_3.14.5.bb +++ b/meta/recipes-devtools/python/python3_3.14.5.bb @@ -390,6 +390,7 @@ py_package_preprocess () { -e 's:${RECIPE_SYSROOT_NATIVE}::g' \ -e 's:${RECIPE_SYSROOT}::g' \ -e 's:${BASE_WORKDIR}/${MULTIMACH_TARGET_SYS}::g' \ + -e 's|"userbase": ".*"|"userbase": ""|g' \ ${PKGD}/${libdir}/python${PYTHON_MAJMIN}/_sysconfig_vars*.json }
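Review bot: the added expression `s|"userbase": ".*"|"userbase": ""|g` uses a greedy `.*`, so it is only correct while every key in `_sysconfig_vars*.json` sits on its own line; if the file were written on a single line the match would run to the last `"` on that line and wipe the keys that follow `userbase`. Matching the value with `"[^"]*"` and allowing `[[:space:]]*` after the colon would remove the dependence on the file's layout and on exactly one space. The three expressions above it strip path prefixes while this one blanks a whole value, so a short comment in `py_package_preprocess` saying that the value comes from the build user's $HOME and is recomputed at runtime would help; the commit message explains this but the recipe does not.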
The _sysconfig_vars__linux_x86_64-linux-gnu.json file contains a "userbase" field that is populated from the build host user's $HOME at build time. This leaks the build host user's home directory path into the target rootfs.

The existing py_package_preprocess() cleanup for this JSON file only strips known OE build path prefixes (STAGING_DIR_TARGET, RECIPE_SYSROOT, etc.), but the userbase value comes from the build user's $HOME environment variable which doesn't match any of those patterns.

Set userbase to an empty string in the packaged JSON. This is safe because at runtime, sysconfig.get_config_vars() always recomputes userbase by calling _getuserbase(), which resolves the actual target user's ~/.local path dynamically. The static value in the JSON is never used for runtime path resolution.

Signed-off-by: Bin Cao <bin.cao.cn@windriver.com>
---
 meta/recipes-devtools/python/python3_3.14.5.bb | 1 +
 1 file changed, 1 insertion(+)
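
A sketch of the kind of installed-file check raised in this thread, as an added example that is not code from the patch, from OE-core or from the v2 QA test: it parses every `_sysconfig_vars*.json` in a package tree, reports each string value that embeds the build user's home, and blanks `userbase` on the parsed JSON instead of with a regex. `BUILD_HOME`, `EXAMPLE_CACHE_DIR` and the function names are assumptions, and the sample data is constructed.

```python
import json
import tempfile
from pathlib import Path

BUILD_HOME = "/home/builder"  # assumption: stands in for the build host's $HOME
SAMPLE_VARS = {  # constructed data, not taken from a real build
    "prefix": "/usr",
    "userbase": BUILD_HOME + "/.local",
    "EXAMPLE_CACHE_DIR": BUILD_HOME + "/.cache/py",  # hypothetical second leak
}

def find_home_leaks(pkg_root, home):
    """Return (file name, key, value) for each string value that embeds home."""
    home = home.rstrip("/")
    if not home:
        raise ValueError("home must be a non-root path")
    leaks = []
    for path in sorted(Path(pkg_root).rglob("_sysconfig_vars*.json")):
        for key, value in sorted(json.loads(path.read_text()).items()):
            if isinstance(value, str) and home in value:
                leaks.append((path.name, key, value))
    return leaks

def blank_userbase(pkg_root):
    """Blank "userbase" on the parsed JSON, so file layout does not matter."""
    changed = 0
    for path in Path(pkg_root).rglob("_sysconfig_vars*.json"):
        data = json.loads(path.read_text())
        if data.get("userbase"):
            data["userbase"] = ""
            path.write_text(json.dumps(data, indent=2) + "\n")
            changed += 1
    return changed

def demo():
    """Check a constructed package tree before and after blanking userbase."""
    with tempfile.TemporaryDirectory() as tmp:
        libdir = Path(tmp, "usr/lib/python3.14")
        libdir.mkdir(parents=True)
        name = "_sysconfig_vars__linux_x86_64-linux-gnu.json"
        (libdir / name).write_text(json.dumps(SAMPLE_VARS))  # one line on purpose
        before = find_home_leaks(tmp, BUILD_HOME)
        blank_userbase(tmp)
        return before, find_home_leaks(tmp, BUILD_HOME)

if __name__ == "__main__":
    for label, leaks in zip(("before", "after"), demo()):
        print(label, leaks)
```

The constructed `EXAMPLE_CACHE_DIR` entry is still reported after `userbase` is blanked, which is the case a whole-file check catches and a single-key substitution does not.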