
On Wed, May 14, 2014 at 11:57 AM, Ludwig Nussel <ludwig.nussel@suse.de> wrote:
Adrian Schröter wrote:
On Wednesday, 14 May 2014, 13:05:36, Jan Engelhardt wrote:
On Wednesday 2014-05-14 12:55, Bernhard Voelker wrote:
On 05/14/2014 11:11 AM, Ruediger Meier wrote:
IMO this is a general use case, worth thinking about, see for example

  $ osc rbl -s Base:System coreutils-testsuite openSUSE_Factory i586 |\
      grep "must be run as root"
  setgid.sh: skipped test: must be run as root
  basic.sh: skipped test: must be run as root
  cp-a-selinux.sh: skipped test: must be run as root
  preserve-gid.sh: skipped test: must be run as root
  special-bits.sh: skipped test: must be run as root
  cp-mv-enotsup-xattr.sh: skipped test: must be run as root
  capability.sh: skipped test: must be run as root
  [...]
I already asked that for coreutils some while ago (I'm a co-maintainer). So if someone can point to a valid solution - also for Factory - then I'd be grateful.
Didn't we have
#!rootneededforbuild
or so?
Yes, but it needs also an exception on the server side for that package.
While I understand that root access is really needed for a lot of test cases, we want to ensure that build src.rpms do not damage a user system.
You cannot guarantee that with chroot anyways. After all a package could buildrequire another one that does something nasty in %post as root. So disallowing build as root just adds one level of indirection but doesn't prevent any code from getting executed as root. So the idea of having an extra package that configures the system in a way that the abuild user is allowed to run stuff as root doesn't sound too bad to me. The package could even be set up in a way that it cannot be installed outside of build environments by means of invalid requires, just like various *-mini packages do. To avoid an extra build requirement on sudo a line like
auth sufficient pam_succeed_if.so use_uid user = abuild
in /etc/pam.d/su-l would do as well.
When I was packaging for OpenCSW (Solaris) we used Debian's 'fakeroot' to work around running as non-root users. While it's not currently available it might be an option.
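
Added example, not part of the thread or of any openSUSE tooling: a small Python audit that flags `auth` rules like the `pam_succeed_if.so` line quoted above, which let a matching user pass `su` without a password, so that such a rule can be spotted if it ever ends up outside a build environment. The sample file contents and the function name are constructed for illustration.

```python
import re

# Constructed sample of an /etc/pam.d/su-l file. Only the pam_succeed_if.so
# line comes from the thread; the other entries are illustrative.
SAMPLE_SU_L = """\
#%PAM-1.0
auth     sufficient  pam_rootok.so
auth     sufficient  pam_succeed_if.so use_uid user = abuild
auth     include     common-auth
account  include     common-account
session  include     common-session
"""

# /etc/pam.d syntax: [-]type  control  module-path  [module-arguments]
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# pam_succeed_if.so option flags; the remaining arguments form the condition.
FLAGS = {"use_uid", "debug", "quiet", "quiet_fail", "quiet_success", "audit"}


def passwordless_grants(pam_text):
    """Find auth rules where pam_succeed_if.so short-circuits the stack.

    Returns (line number, use_uid present, condition) for every 'auth' entry
    whose control is 'sufficient' (or a bracket form with success=done), so a
    matching condition ends authentication before any password module runs.
    """
    findings = []
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        match = PAM_LINE.match(line)
        if not match:
            continue
        kind, control, module, args = match.groups()
        short_circuit = control == "sufficient" or "success=done" in control
        if kind != "auth" or not short_circuit:
            continue
        if module.rsplit("/", 1)[-1] != "pam_succeed_if.so":
            continue
        tokens = args.split()
        condition = " ".join(t for t in tokens if t not in FLAGS)
        findings.append((lineno, "use_uid" in tokens, condition))
    return findings


if __name__ == "__main__":
    for lineno, use_uid, cond in passwordless_grants(SAMPLE_SU_L):
        who = "calling user" if use_uid else "target user"
        print(f"line {lineno}: no password when {who} satisfies: {cond}")
```

With `use_uid` the condition is evaluated against the account that invoked `su`, not the account being switched to, which is why the rule from the thread covers `abuild` becoming root.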