Mailinglist Archive: opensuse-buildservice (166 mails)

Re: [opensuse-buildservice] run commands from spec file as root
  • From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
  • Date: Wed, 14 May 2014 17:57:40 +0200
  • Message-id: <53739274.9010603@suse.de>
Adrian Schröter wrote:
> On Wednesday, 14 May 2014, 13:05:36, Jan Engelhardt wrote:
>> On Wednesday 2014-05-14 12:55, Bernhard Voelker wrote:
>>
>>> On 05/14/2014 11:11 AM, Ruediger Meier wrote:
>>>> IMO this is a general use case, worth to think about, see for example
>>>> $ osc rbl -s Base:System coreutils-testsuite openSUSE_Factory i586 |\
>>>> grep "must be run as root"
>>>> setgid.sh: skipped test: must be run as root
>>>> basic.sh: skipped test: must be run as root
>>>> cp-a-selinux.sh: skipped test: must be run as root
>>>> preserve-gid.sh: skipped test: must be run as root
>>>> special-bits.sh: skipped test: must be run as root
>>>> cp-mv-enotsup-xattr.sh: skipped test: must be run as root
>>>> capability.sh: skipped test: must be run as root
>>>> [...]
>>>
>>> I already asked that for coreutils some while ago (I'm a
>>> co-maintainer). So if someone can point to a valid solution
>>> - also for Factory - then I'd be grateful.
>>
>> Didn't we have
>>
>> #!rootneededforbuild
>>
>> or so?
>
> Yes, but it needs also an exception on the server side for that package.
>
> While I understand that root access is really needed for a lot of test cases,
> we want to ensure that build src.rpms do not damage a user system.

You cannot guarantee that with chroot anyways. After all a package
could buildrequire another one that does something nasty in %post as
root. So disallowing build as root just adds one level of
indirection but doesn't prevent any code from getting executed as
root.

So the idea of having an extra package that configures the system in
a way that the abuild user is allowed to run stuff as root doesn't
sound too bad to me. The package could even be set up in a way that
it cannot be installed outside of build environments by means of
invalid requires, just like various *-mini packages do.

To avoid an extra build requirement on sudo a line like

auth sufficient pam_succeed_if.so use_uid user = abuild

in /etc/pam.d/su-l would do as well.

cu
Ludwig

--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB
16746 (AG Nürnberg)
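
Added illustration, not part of the original mail: a small Python audit that parses a PAM service file and reports `auth sufficient pam_succeed_if.so` rules like the one proposed above, so an administrator can verify that such a rule exists only inside build environments. The sample file contents and the function name `passwordless_rules` are constructed for this example; only the `pam_succeed_if.so` line comes from the mail.

```python
import os

# Options pam_succeed_if accepts besides its "field op value" conditions.
FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}

# Constructed sample of an /etc/pam.d/su-l carrying the line from the mail.
SU_L_SAMPLE = """\
#%PAM-1.0
auth     sufficient  pam_rootok.so
auth     sufficient  pam_succeed_if.so use_uid user = abuild
auth     include     common-auth
"""


def passwordless_rules(pam_text):
    """List auth rules in which pam_succeed_if alone is 'sufficient'."""
    findings = []
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(parts) < 3:
            continue
        ptype, control, module, *args = parts
        # A leading "-" on the type only silences missing-module logging.
        if ptype.lstrip("-") != "auth" or control != "sufficient":
            continue
        if os.path.basename(module) != "pam_succeed_if.so":
            continue
        conds = [a for a in args if a not in FLAGS]
        findings.append({
            "line": lineno,
            # use_uid tests the invoking user; without it the user being
            # authenticated (for su: the target account) is tested.
            "tested": "caller" if "use_uid" in args else "target",
            "conditions": [tuple(conds[i:i + 3])
                           for i in range(0, len(conds), 3)],
        })
    return findings


if __name__ == "__main__":
    for finding in passwordless_rules(SU_L_SAMPLE):
        print(finding)
```

A result with `tested == "target"` means the condition applies to the account being switched to, which is a different grant from the one described in the mail.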