On Tuesday, 31 January 2023, 06:35:57 CET Lynn Winebarger wrote:
Hi, I wrote some new source services so I could automate producing spec files for a multibuild of emacs 28+ using different compiler versions for the native-compilation feature, since only one version of libgccjit is allowed to be installed at a time. The source services are sed, pattern-service, and run-services. They are available on github under the MIT license:
https://github.com/owinebar/obs-service-sed
https://github.com/owinebar/obs-service-pattern-service
https://github.com/owinebar/obs-service-run-services
They each have the possibility of being used to consume unlimited resources, so I have included system options to restrict the resources consumed using ulimit and (for the latter two) restricting the services that may be generated/invoked and (for pattern-service) output files that may not be generated, e.g. _services, so that recursive invocation is prevented. There is a detailed example in obs-service-pattern-service showing how the 3 can be used together to produce the emacs multibuild specs and file. I wrote a sed script that takes a sed script augmented by the project conf keywords Substitute:, Substitute=: (equivalent to substitute with the name ending in =), and Ignore to transform spec files. I still need to write malicious test cases to verify the restrictions actually work, e.g. a sed script that accumulates an infinite string in the hold space or just loops forever. I'd like these installed on the build server so a webhook trigger can be used to generate the multibuild automatically.
A prerequisite of that would be that a security review of these services has been done. The policy here is that input (sources) should not allow to run random executions (e.g. not call a Makefile from the sources) to keep the service safe on a workstation.
Obviously these could be done manually in a shell script, but trying to limit the malicious possibilities of running arbitrary shell scripts is not something I have time for. sed is an inherently restricted language (when run with --sandbox) which is much more amenable to being limited.
esp. this part sounds a bit dangerous to me.
However, if you think it is safe, please request a security review
via bugzilla for them. Please assign it to the security-team@suse.de
thanks
adrian
--
Adrian Schroeter
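
The test cases mentioned in the thread (a sed script that loops forever, one that grows the hold space without bound) can be checked with a small harness like the one below. This is an added example, not part of the thread or of the obs-service-* repositories; it assumes GNU sed with `--sandbox`, and the limit values, function names and sample input are assumptions.

```shell
# Added example (not from the thread or the obs-service-* repositories).
# Assumes GNU sed with --sandbox; the limit values are assumed, not the projects'.
CPU_SECONDS=1     # assumed CPU-time cap per sed run
MEM_KB=262144     # assumed address-space cap (256 MiB)

# run_limited_sed SCRIPT: apply SCRIPT to constructed spec-like input.
# Status is 0 only if sed accepted the script and finished within the limits.
run_limited_sed() {
    (
        ulimit -t "$CPU_SECONDS"
        ulimit -v "$MEM_KB"
        printf 'Name: emacs\nVersion: 28\n' |
            LC_ALL=C sed --sandbox -e "$1" >/dev/null 2>&1
    )
}

# sandbox_blocks_write: succeeds only if the 'w' command is refused and
# the probe file (constructed path) was never created.
sandbox_blocks_write() {
    probe="${TMPDIR:-/tmp}/sed-sandbox-probe.$$"
    rm -f "$probe"
    if run_limited_sed "w $probe"; then rm -f "$probe"; return 1; fi
    [ ! -e "$probe" ]
}

# check_cases: constructed cases as name|script|expected, where "ok" means
# the script must finish and "stop" means it must be refused or killed.
# Returns the number of mismatches (0 = every restriction held).
check_cases() {
    failures=0
    while IFS='|' read -r name script want; do
        if run_limited_sed "$script"; then got=ok; else got=stop; fi
        [ "$got" = "$want" ] || failures=$((failures + 1))
        printf '%-12s want=%-4s got=%s\n' "$name" "$want" "$got"
    done <<'EOF'
benign|s/^Version: .*/Version: 29/|ok
spin|:a;ba|stop
hold-growth|:a;G;h;ba|stop
exec|1e id|stop
EOF
    sandbox_blocks_write || failures=$((failures + 1))
    return "$failures"
}

check_cases
```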