Mailinglist Archive: opensuse-buildservice (166 mails)

Re: [opensuse-buildservice] run commands from spec file as root
# mail@xxxxxxxxxxxxxxxxxxx / 2014-05-14 22:51:56 +0200:
> On 05/14/2014 10:33 PM, Marcus Meissner wrote:
> > We tried very hard not to run stuff as root over years, making
> > it too easy now to revert this, is probably bad.
>
> That's exactly why I don't like a hack but an all-accepted
> solution. E.g. a whitelist of complete command line strings
> which are permitted to run as root in an OBS chroot. And a
> macro %sudo which checks the given command against the whitelist
> before changing to root. By that, the security and quality team
> would have fine-grained control over what is permitted.
>
> E.g. for coreutils-testsuite, only the command string
> 'env PATH="$PATH" NON_ROOT_USERNAME=$USER make -k check-root'
> would need to be added. The spec file could define it like
> %sudo env PATH="$PATH" NON_ROOT_USERNAME=$USER make -k check-root
> and that macro could verify that exactly that string is permitted.

limiting the privileged commandline to an invocation of a third-party
program does little to improve security. perhaps if the root mode could
be limited to vm builds (no chroots)?
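
An added example, not part of the original mail or of OBS: a shell sketch of the exact-string whitelist check proposed in the quoted text, run against two constructed source trees to show the reply's objection that the check sees only the command line, not what `make check-root` goes on to execute. The allowlist file, the function names and the Makefiles are hypothetical.

```shell
#!/bin/sh
# Added illustration; the allowlist file, function names and sample trees are
# hypothetical and constructed, not part of OBS or rpm.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ALLOWLIST="$WORK/root-allowlist"
NL='
'

# One complete, unexpanded command line per entry, as proposed in the thread.
cat > "$ALLOWLIST" <<'EOF'
env PATH="$PATH" NON_ROOT_USERNAME=$USER make -k check-root
EOF

# sudo_allowed CMDLINE: succeed only on a byte-for-byte match of a whole entry.
sudo_allowed() {
    case $1 in
        # Empty or multi-line input is refused: grep -F would otherwise treat
        # each line as its own pattern and accept if any single line matched.
        '' | *"$NL"*) return 1 ;;
    esac
    grep -Fxq -e "$1" "$ALLOWLIST"
}

# root_recipe DIR: print the recipe of the check-root target in DIR/Makefile,
# i.e. the commands the allowlisted invocation would hand to root.
root_recipe() {
    awk '/^check-root:/ { t = 1; next }
         t && /^\t/     { sub(/^\t/, ""); print; next }
                        { t = 0 }' "$1/Makefile"
}

# Two constructed source trees: same spec-file command, different Makefiles.
mkdir "$WORK/tree-a" "$WORK/tree-b"
printf 'check-root:\n\t./tests/run-root-tests\n' > "$WORK/tree-a/Makefile"
printf 'check-root:\n\t./any-script-shipped-in-the-tarball\n' > "$WORK/tree-b/Makefile"

CMD='env PATH="$PATH" NON_ROOT_USERNAME=$USER make -k check-root'
for tree in tree-a tree-b; do
    if sudo_allowed "$CMD"; then verdict=allowed; else verdict=denied; fi
    printf '%s: %s, root would run: %s\n' \
        "$tree" "$verdict" "$(root_recipe "$WORK/$tree")"
done
```

Both trees get the same verdict because the check never looks past the command string; the recipe that runs as root comes from the package sources.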

