On Wednesday, 14 May 2014, 13:05:36, Jan Engelhardt wrote:
On Wednesday 2014-05-14 12:55, Bernhard Voelker wrote:
On 05/14/2014 11:11 AM, Ruediger Meier wrote:
> IMO this is a general use case, worth thinking about; see for example
> $ osc rbl -s Base:System coreutils-testsuite openSUSE_Factory i586 |\
> grep "must be run as root"
> setgid.sh: skipped test: must be run as root
> basic.sh: skipped test: must be run as root
> cp-a-selinux.sh: skipped test: must be run as root
> preserve-gid.sh: skipped test: must be run as root
> special-bits.sh: skipped test: must be run as root
> cp-mv-enotsup-xattr.sh: skipped test: must be run as root
> capability.sh: skipped test: must be run as root
I already asked that for coreutils some while ago (I'm a
co-maintainer). So if someone can point to a valid solution
- also for Factory - then I'd be grateful.
Didn't we have
Yes, but it also needs an exception on the server side for that package.
While I understand that root access is really needed for a lot of tests,
we want to ensure that build src.rpms do not damage a user system.
You cannot guarantee that with chroot anyways. After all a package
could buildrequire another one that does something nasty in %post as
root. So disallowing build as root just adds one level of
indirection but doesn't prevent any code from getting executed as
So the idea of having an extra package that configures the system in
a way that the abuild user is allowed to run stuff as root doesn't
sound too bad to me. The package could even be set up in a way that
it cannot be installed outside of build environments by means of
invalid requires, just like various *-mini packages do.
To avoid an extra build requirement on sudo a line like
    auth sufficient pam_succeed_if.so use_uid user = abuild
in /etc/pam.d/su-l would do as well.
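
An added example, not part of the original message or of any openSUSE tooling: a shell check that reports which accounts a PAM service file such as /etc/pam.d/su-l lets through the auth stack without a password via a rule like the one quoted above, so the rule can be confirmed absent outside build environments. The function names, the sample file and the account `builder` are constructed; only the plain `sufficient` control keyword and the `user = NAME` condition are handled.

```shell
#!/bin/sh
# Added example: audit a PAM service file for passwordless-auth rules of the
# form "auth sufficient pam_succeed_if.so [use_uid] user = NAME".
#
# Output, one line per rule:
#   caller:NAME  - use_uid is set, so the condition is checked against the
#                  account running the application (e.g. abuild calling su)
#   target:NAME  - no use_uid, so the condition is checked against the
#                  account being authenticated (anyone may become NAME)
# Reads the files given as arguments, or stdin when none are given.
pam_passwordless_rules() {
    awk '
        { sub(/#.*/, "") }                            # strip comments
        $1 != "auth" || $2 != "sufficient" { next }   # other stacks/controls
        $3 !~ /(^|\/)pam_succeed_if\.so$/ { next }    # other modules
        {
            who = "target"
            for (i = 4; i <= NF; i++)
                if ($i == "use_uid") who = "caller"
            for (i = 4; i + 2 <= NF; i++)
                if ($i == "user" && $(i + 1) == "=")
                    print who ":" $(i + 2)
        }
    ' "$@"
}

# Constructed sample of an su-l service file (not a real distribution file).
sample_su_l() {
    cat <<'EOF'
#%PAM-1.0  constructed sample
auth     sufficient  pam_rootok.so
auth     sufficient  pam_succeed_if.so use_uid user = abuild
# auth   sufficient  pam_succeed_if.so user = nobody
auth     sufficient  pam_succeed_if.so quiet user = builder
auth     include     common-auth
account  include     common-account
EOF
}

# Demo run on the constructed sample.
sample_su_l | pam_passwordless_rules
```

On a real system, pass the service files as arguments, for example `pam_passwordless_rules /etc/pam.d/su-l`; any output on a host that is not a build environment deserves a look.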