Mailinglist Archive: opensuse-buildservice (166 mails)

Re: [opensuse-buildservice] run commands from spec file as root
On Thursday 15 May 2014, Claudio Freire wrote:
> On Wed, May 14, 2014 at 6:56 PM, Bernhard Voelker <mail@xxxxxxxxxxxxxxxxxxx> wrote:
> > On 05/14/2014 11:18 PM, Roman Neuhauser wrote:
> > > limiting the privileged commandline to an invocation of a
> > > third-party program does little to improve security.
> >
> > And of course, such a whitelist must include the package name,
> > i.e., another package could not use the same string to circumvent
> > the restriction (unless it has registered the same string for
> > %sudo, too).
>
> And I'd include sha-something of the source tarball. Just an idea.

I don't think we have a security problem on OBS. It's just about
reliability. If, for example, a package silently configures /sys, /etc
and /usr/lib to be able to compile and run, then it might not run
correctly after being installed on an arbitrary target system.

I'd say it would be enough to allow sudo for the %check section only.

We only have to protect people who want to rebuild src rpms locally and
do not want to crash their systems. But that's easy.

cu,
Rudi