Mailinglist Archive: opensuse-buildservice (214 mails)

< Previous Next >
[opensuse-buildservice] caching in source services
  • From: Adam Spiers <aspiers@xxxxxxxx>
  • Date: Tue, 14 Feb 2012 12:22:45 +0000
  • Message-id: <20120214122245.GG10523@southern.linksys.moosehall>
Stephan Kulow (coolo@xxxxxxx) wrote:
Am 14.02.2012 11:17, schrieb Adrian Schröter:

There are no obs boot scripts running on developer workstations who use this
just via osc.

Right! And so it's pointless to have it owned by obsrun if no obs
runs. "nobody" will do.

Well, this raises the question of security. Something called
/var/cache/obs is clearly system-wide, but we don't want to allow
multiple users on a non-OBS-server share the same cache (01777
permissions), because one user could poison the cache and cause
another user to build trojaned packages. 01755 would work for the
download_files service, but not for tar_scm where any user needs to be
able to trigger an update of an existing cache entry (e.g. git pull).

One way to do make cache poisoning difficult would be to make the
source service set[ug]id obsrun, but of course history has shown that
making a shellscript set[ug]id is generally a Bad Idea, and it still
wouldn't protect against network hijacking.

So maybe the best option is to stick with per-user caching, which is
of course safe. I don't think it would be too wasteful, because in
most cases outside the OBS server, there is only one developer per
machine, and even if there are more, they are most likely building
different packages anyway. obsrun and /var/cache/obs would only be
used on the build server, so they should be set up by an obs-server /
obs-filesystem package or similar, not the source services. If you
agree, I'll remove them from the .spec files.

When I added this caching layer to the tar_scm source service, I
copied Adrian's configuration pattern from the download_files service:

# config options for this host ?
if [ -f /etc/obs/services/$SERVICE ]; then
. /etc/obs/services/$SERVICE
fi
# config options for this user ?
if [ -f "$HOME"/.obs/$SERVICE ]; then
. "$HOME"/.obs/$SERVICE
fi

So then the server-only package would set up /etc/obs/services too.
It would be nice if something automatically enabled the per-user cache
though. Maybe osc could do this?
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups