Mailinglist Archive: opensuse-buildservice (166 mails)

Re: [opensuse-buildservice] run commands from spec file as root
On Wednesday 14 May 2014, Adrian Schröter wrote:
On Wednesday, 14 May 2014, 13:05:36, Jan Engelhardt wrote:
On Wednesday 2014-05-14 12:55, Bernhard Voelker wrote:
On 05/14/2014 11:11 AM, Ruediger Meier wrote:
IMO this is a general use case, worth thinking about; see for
example
$ osc rbl -s Base:System coreutils-testsuite openSUSE_Factory i586 |\
  grep "must be run as root"
setgid.sh: skipped test: must be run as root
basic.sh: skipped test: must be run as root
cp-a-selinux.sh: skipped test: must be run as root
preserve-gid.sh: skipped test: must be run as root
special-bits.sh: skipped test: must be run as root
cp-mv-enotsup-xattr.sh: skipped test: must be run as root
capability.sh: skipped test: must be run as root
[...]

I already asked that for coreutils some while ago (I'm a
co-maintainer). So if someone can point to a valid solution
- also for Factory - then I'd be grateful.

Didn't we have

#!rootneededforbuild

or so?

Yes, but it needs also an exception on the server side for that
package.

While I understand that root access is really needed for a lot of
test cases, we want to ensure that build src.rpms do not damage a
user system.

Therefore we will also not allow root for building rpms in future.

But we will work on QA features (hopefully later this year).
And I take this as input for them ...

Maybe you could do like this
If specfile contains "#!needsudoforbuild" then OBS adds silently
/etc/sudoers.d/abuild
and also provides macro %have_abuild_sudo.

rpmlint could check that any sudo is guarded by "%if %have_abuild_sudo"
to make sure that we would never call sudo from spec file even if that
particular user has sudo permissions already.
But user is still free to provide %have_abuild_sudo on local rpmbuild
command line if he knows what he is doing.

cu,
Rudi
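
The guard check proposed in the mail above, sketched as a stand-alone script (an added example, not part of the original mail and not rpmlint or OBS code). The macro name have_abuild_sudo comes from the proposal; the function name unguarded_sudo, the sample spec and the script name in it are constructed for illustration.

```python
import re

GUARD = "have_abuild_sudo"  # macro name proposed in the mail, not an existing OBS macro
IF_RE = re.compile(r"^%if(arch|narch|os|nos)?\b(.*)$")
SUDO_RE = re.compile(r"(^|[\s;&|(`])sudo(\s|$)")

# Constructed sample spec; run-root-tests.sh is a placeholder script name.
SAMPLE_SPEC = """\
#!needsudoforbuild
Name: coreutils-testsuite
%check
make check
%if 0%{?have_abuild_sudo}
sudo ./run-root-tests.sh
%else
echo "skipping root tests"
%endif
%ifarch x86_64
sudo ./run-root-tests.sh --all
%endif
"""

def unguarded_sudo(spec_text):
    """Return [(lineno, line)] for sudo calls not inside an %if on GUARD."""
    # One entry per open conditional: True = branch taken when GUARD is set,
    # False = branch taken when it is not, None = conditional unrelated to GUARD.
    stack, findings = [], []
    for no, raw in enumerate(spec_text.splitlines(), 1):
        line = raw.strip()
        m = IF_RE.match(line)
        if m:
            cond = m.group(2)
            if m.group(1) is None and GUARD in cond:
                stack.append("!" not in cond)  # "!" marks a negated test
            else:
                stack.append(None)
        elif line.startswith("%else") or line.startswith("%elif"):
            if stack and stack[-1] is not None:
                # %else flips the branch; %elif is treated as unguarded (conservative)
                stack[-1] = (not stack[-1]) if line.startswith("%else") else False
        elif line.startswith("%endif"):
            if stack:
                stack.pop()
        elif not line.startswith("#") and SUDO_RE.search(line) and not any(stack):
            findings.append((no, line))
    return findings

if __name__ == "__main__":
    for no, line in unguarded_sudo(SAMPLE_SPEC):
        print(f"line {no}: sudo outside %if on {GUARD}: {line}")
```

The sudo call under %ifarch is reported because an unrelated conditional does not count as the guard; the one inside the %if on have_abuild_sudo is accepted.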