Mailinglist Archive: opensuse-buildservice (166 mails)

Re: [opensuse-buildservice] run commands from spec file as root
  • From: Darin Perusich <darin@xxxxxxxxxx>
  • Date: Wed, 14 May 2014 12:35:41 -0400
  • Message-id: <CADaviKtKEqgRnv5hrHoj5Y6s70LeMQn+q5nnixUb9Ea=ps1gzQ@mail.gmail.com>
On Wed, May 14, 2014 at 11:57 AM, Ludwig Nussel <ludwig.nussel@xxxxxxx> wrote:
Adrian Schröter wrote:

On Wednesday, 14 May 2014, 13:05:36, Jan Engelhardt wrote:

On Wednesday 2014-05-14 12:55, Bernhard Voelker wrote:

On 05/14/2014 11:11 AM, Ruediger Meier wrote:

IMO this is a general use case, worth thinking about; see for example
$ osc rbl -s Base:System coreutils-testsuite openSUSE_Factory i586 |\
grep "must be run as root"
setgid.sh: skipped test: must be run as root
basic.sh: skipped test: must be run as root
cp-a-selinux.sh: skipped test: must be run as root
preserve-gid.sh: skipped test: must be run as root
special-bits.sh: skipped test: must be run as root
cp-mv-enotsup-xattr.sh: skipped test: must be run as root
capability.sh: skipped test: must be run as root
[...]


I already asked that for coreutils some while ago (I'm a
co-maintainer). So if someone can point to a valid solution
- also for Factory - then I'd be grateful.


Didn't we have

#!rootneededforbuild

or so?


Yes, but it also needs an exception on the server side for that package.

While I understand that root access is really needed for a lot of test
cases, we want to ensure that build src.rpms do not damage a user system.


You cannot guarantee that with chroot anyways. After all a package
could buildrequire another one that does something nasty in %post as
root. So disallowing build as root just adds one level of
indirection but doesn't prevent any code from getting executed as
root.
So the idea of having an extra package that configures the system in
a way that the abuild user is allowed to run stuff as root doesn't
sound too bad to me. The package could even be set up in a way that
it cannot be installed outside of build environments by means of
invalid requires, just like various *-mini packages do.
To avoid an extra build requirement on sudo a line like

auth sufficient pam_succeed_if.so use_uid user = abuild

in /etc/pam.d/su-l would do as well.


When I was packaging for OpenCSW (Solaris) we used Debian's 'fakeroot'
to work around running as non-root users. While it's not currently
available it might be an option.
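Added example, not part of the original thread or of any openSUSE tooling: a small Python audit that finds PAM rules of the kind Ludwig Nussel quotes above, where `pam_succeed_if.so` alone is `sufficient` for authentication, so a host can be checked for such a build-environment rule outside the build chroot. The function names and the sample file contents are assumptions constructed for illustration; only the `pam_succeed_if.so` line comes from the thread.

```python
# Flags pam_succeed_if accepts ahead of its conditions (pam_succeed_if(8)).
FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}

# Constructed sample, not a real distribution file; line 3 is the rule from the thread.
SAMPLE_SU_L = """\
#%PAM-1.0
auth     sufficient  pam_rootok.so
auth     sufficient  pam_succeed_if.so use_uid user = abuild
auth     include     common-auth
account  include     common-account
session  include     common-session
"""

def parse_pam_line(line):
    """Return (type, control, module, args) for one /etc/pam.d line, else None.
    Backslash line continuations are not handled."""
    parts = line.split("#", 1)[0].split(None, 1)
    if len(parts) < 2:
        return None
    ptype, rest = parts[0].lstrip("-"), parts[1].strip()
    if rest.startswith("["):  # bracketed control, e.g. [success=1 default=ignore]
        end = rest.find("]")
        if end < 0:
            return None
        control, rest = rest[:end + 1], rest[end + 1:]
    else:
        pieces = rest.split(None, 1)
        control, rest = pieces[0], pieces[1] if len(pieces) > 1 else ""
    tokens = rest.split()
    if not tokens:
        return None
    return ptype, control, tokens[0], tokens[1:]

def passwordless_auth_rules(config_text):
    """List auth rules where pam_succeed_if alone is 'sufficient' to authenticate."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        parsed = parse_pam_line(raw)
        if parsed is None:
            continue
        ptype, control, module, args = parsed
        if (ptype, control) != ("auth", "sufficient"):
            continue
        if module.rsplit("/", 1)[-1] != "pam_succeed_if.so":
            continue
        findings.append({
            "line": lineno,
            "use_uid": "use_uid" in args,  # condition tests the caller, not the target user
            "condition": " ".join(a for a in args if a not in FLAGS),
        })
    return findings
```

Only the plain `sufficient` control is matched; bracketed controls are parsed but not evaluated.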
