[opensuse-buildservice] Re: sudo inside worker

31 Oct 2015


      19.10.2015 10:53, Adrian Schröter пишет:
...
On Montag, 19. Oktober 2015, 10:50:11 CEST wrote Matwey V. Kornilov:
...
2015-10-19 10:01 GMT+03:00 Adrian Schröter :
...
On Samstag, 17. Oktober 2015, 12:36:21 CEST wrote Matwey V. Kornilov:
...
2015-10-17 12:31 GMT+03:00 Bernhard Voelker :
...
On 10/16/2015 07:20 PM, Matwey V. Kornilov wrote:
...
What is the recommended way to obtain root privileges when package is
being build?
A unit-test in bedup (btrfs deduplication tool) package needs to mount
image using loop device and this requires sudo.
+1
I've asked this already several times for the coreutils-testsuite which
also has some 'require_root' tests.
There doesn't seem to a be an official way yet, but you can search for
the "root4abuild" package which modifies the sudoers file (rudi_m pointed
that out) ... this is clearly for test purposes only.
But I'd also be interested in "the official way".
Nice, thanks. I think it is right approach.
There is not really an official way.
We do maintain a list of package names which are allowed to get root access
on the server side. But that is more for historic reasons.
The main reason behind this is that the resulting source rpm might be
dangerous. It can modify the system when a user is recompiling it.
So we like to avoid it as much as possible.
Sure, but every source rpm can be dangerous because it is executable
script by essence. rm -rf ~/* is dangerous enough and doesn't not
require root access. You are in safe only if you run rpmbuild in
container.
that is true, but it happened too often that packages did modify system
installations to avoid to fix the Makefile* stuff and friends.
Yes, this is not something we did for security reasons. We did it
to get cleaner src.rpm packages.
Please, look at

https://build.opensuse.org/request/show/341831


-- 
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org