Discussion summary: Mock security
Clark Williams
williams at redhat.com
Thu Jun 8 01:16:47 UTC 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Michael E Brown wrote:
> On Wed, 2006-06-07 at 19:52 -0400, Mike McLean wrote:
>> Michael_E_Brown at Dell.com wrote:
>>> -- Should we allow untrusted users access to the 'mock' group?
>> This has been a concern of mine as well. However, I think the solution
>> is not to harden mockhelper, but to change the role of mockhelper.
>>
>> At the moment, mock runs as a mortal user and uses mockhelper to execute
>> a limited number of shell commands as root. What I'd like to do is have
>> mock-helper (possibly renamed) run mock.py (and only mock.py) as root,
>> letting mock.py take actions directly without having to filter back
>> through mockhelper.
>
> Ok, so this is the coolest proposed solution I have seen to this
> problem. I like it a lot.
How would we tell that the mock.py being run as root is the mock.py we
all know and love (and not one defiled by some black hat)?
Clark "not a security guru" Williams
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFEh3p+Hyuj/+TTEp0RAoF0AJ0b0DM1jE3ecx9Fqt7bDr5gMl0Z6wCgwgB0
cD61rpHx/+yuQ8yxVBdmC8Y=
=henS
-----END PGP SIGNATURE-----
More information about the Fedora-buildsys-list
mailing list