Adrian Schröter wrote:
On Wednesday, 14 May 2014, 13:05:36, Jan Engelhardt wrote:
On Wednesday 2014-05-14 12:55, Bernhard Voelker wrote:
On 05/14/2014 11:11 AM, Ruediger Meier wrote:
IMO this is a general use case, worth to think about, see for example

  $ osc rbl -s Base:System coreutils-testsuite openSUSE_Factory i586 |\
    grep "must be run as root"
  setgid.sh: skipped test: must be run as root
  basic.sh: skipped test: must be run as root
  cp-a-selinux.sh: skipped test: must be run as root
  preserve-gid.sh: skipped test: must be run as root
  special-bits.sh: skipped test: must be run as root
  cp-mv-enotsup-xattr.sh: skipped test: must be run as root
  capability.sh: skipped test: must be run as root
  [...]

I already asked that for coreutils some while ago (I'm a co-maintainer). So if someone can point to a valid solution - also for Factory - then I'd be grateful.
Didn't we have
#!rootneededforbuild
or so?
Yes, but it needs also an exception on the server side for that package.
While I understand that root access is really needed for a lot of test cases, we want to ensure that build src.rpms do not damage a user system.
You cannot guarantee that with chroot anyways. After all a package could buildrequire another one that does something nasty in %post as root. So disallowing build as root just adds one level of indirection but doesn't prevent any code from getting executed as root.

So the idea of having an extra package that configures the system in a way that the abuild user is allowed to run stuff as root doesn't sound too bad to me. The package could even be set up in a way that it cannot be installed outside of build environments by means of invalid requires, just like various *-mini packages do.

To avoid an extra build requirement on sudo a line like

  auth sufficient pam_succeed_if.so use_uid user = abuild

in /etc/pam.d/su-l would do as well.

cu
Ludwig

--
Ludwig Nussel
http://www.suse.de/
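
Added example, not part of the thread and not Open Build Service code: a shell check that lists the caller-based passwordless rules of the kind quoted above in a PAM service file, so an image or host can be audited for them outside build environments. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Report every "auth sufficient pam_succeed_if.so ... use_uid ..." rule in the
# given PAM files as "<file>:<line>: <condition>". With use_uid the condition
# is evaluated against the calling account, so a match such as
# "user = abuild" lets that caller authenticate without a password.
# Rules without use_uid test the target account and are not reported here.
pam_bypass_rules() {
    awk '
        /^[[:space:]]*#/ { next }    # comment lines carry no rule
        $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_succeed_if\.so$/ {
            use_uid = 0; cond = ""
            for (i = 4; i <= NF; i++) {
                if ($i == "use_uid") use_uid = 1
                else if ($i ~ /^(debug|quiet|quiet_fail|quiet_success|audit)$/) continue
                else cond = cond (cond == "" ? "" : " ") $i
            }
            if (use_uid && cond != "")
                printf "%s:%d: %s\n", FILENAME, FNR, cond
        }
    ' "$@"
}

# Constructed sample of an su-l service file carrying the rule from the mail.
write_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth     sufficient     pam_rootok.so
auth     sufficient     pam_succeed_if.so use_uid user = abuild
# auth   sufficient     pam_succeed_if.so use_uid user = nobody
auth     include        common-auth
EOF
}

# Demo run against the constructed sample.
demo=$(mktemp) && write_sample "$demo" && pam_bypass_rules "$demo"
rm -f "$demo"
```

On a real system the function would be pointed at the files under /etc/pam.d; any output on a machine that is not a build root deserves a look.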