Mailinglist Archive: opensuse-buildservice (96 mails)

Re: [opensuse-buildservice] sudo inside worker
  • From: "Matwey V. Kornilov" <matwey.kornilov@xxxxxxxxx>
  • Date: Mon, 19 Oct 2015 11:31:45 +0300
2015-10-19 10:53 GMT+03:00 Adrian Schröter <adrian@xxxxxxx>:
On Montag, 19. Oktober 2015, 10:50:11 CEST wrote Matwey V. Kornilov:
2015-10-19 10:01 GMT+03:00 Adrian Schröter <adrian@xxxxxxx>:
On Samstag, 17. Oktober 2015, 12:36:21 CEST wrote Matwey V. Kornilov:
2015-10-17 12:31 GMT+03:00 Bernhard Voelker <mail@xxxxxxxxxxxxxxxxxxx>:
On 10/16/2015 07:20 PM, Matwey V. Kornilov wrote:
What is the recommended way to obtain root privileges when a package is
being built?
A unit-test in the bedup (btrfs deduplication tool) package needs to mount
an image using a loop device and this requires sudo.

I've asked this already several times for the coreutils-testsuite which
also has some 'require_root' tests.
There doesn't seem to be an official way yet, but you can search for
the "root4abuild" package which modifies the sudoers file (rudi_m
that out) ... this is clearly for test purposes only.
But I'd also be interested in "the official way".

Nice, thanks. I think it is the right approach.

There is not really an official way.

We do maintain a list of package names which are allowed to get root access
on the server side. But that is more for historic reasons.

The main reason behind this is that the resulting source rpm might be
dangerous. It can modify the system when a user is recompiling it.
So we like to avoid it as much as possible.

Sure, but every source rpm can be dangerous because it is an executable
script in essence. rm -rf ~/* is dangerous enough and doesn't
require root access. You are safe only if you run rpmbuild in

That is true, but it happened too often that packages modified system
installations to avoid fixing the Makefile* stuff and friends.

Yes, this is not something we did for security reasons. We did it
to get cleaner src.rpm packages.

Then I see the following benefits of using sudo:

1. It is explicit in spec-file. Only commands starting with sudo require root.
2. It requires explicit action from user either in form of entering
password or configuring sudo.


Adrian Schroeter
email: adrian@xxxxxxx

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB
21284 (AG Nürnberg)

Maxfeldstraße 5
90409 Nürnberg

With best regards,
Matwey V. Kornilov