Discussion summary: Mock security

Michael_E_Brown at Dell.com Michael_E_Brown at Dell.com
Thu Jun 8 14:41:12 UTC 2006


> -----Original Message-----
> From: fedora-buildsys-list-bounces at redhat.com 
> [mailto:fedora-buildsys-list-bounces at redhat.com] On Behalf Of 
> Mike McLean
> Sent: Wednesday, June 07, 2006 9:04 PM
> To: Discussion of Fedora build system
> Subject: Re: Discussion summary: Mock security
> 
> Clark Williams wrote:
> > 
> > 
> > How would we tell that the mock.py being run as root is the 
> mock.py we 
> > all know and love (and not one defiled by some black hat)?
> 
> So mockhelper would continue to perform env sanitation, and I 
> imagine it will have a hard-coded path for mock.py. I suppose 
> if we're really paranoid we could store the sha1sum of 
> mock.py at compile time and check it at runtime, but I think 
> restricting to running mock.py from the standard location is 
> sufficient.

Hardcoded /usr/bin/mock.py is sufficient. If a black hat has somehow
managed to subvert /usr/bin/mock.py, game over already.

There are no show-stoppers that I see, but there are a few changes to be
made for security.

The --configdir option will need to be rethought a bit. Considering that
the config files are executable code, we will have to change the config
to separate 'trusted' from 'untrusted' configs where we do not execute
code from untrusted sources.

The --resultdir and --statedir options will have to be changed to drop
privileges before creating/writing to them, to disallow somebody from
stomping system paths or using symlink attacks.
--
Michael
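A sketch of the --resultdir handling this message asks for, as an added example that is not mock's or mockhelper's own code: the directory is created and written with the invoking user's effective ids (a no-op when not run as root, so the sketch also runs unprivileged), and O_NOFOLLOW / O_EXCL refuse symlinks planted where the directory or result file should be. The function names, the demo scenario and the temporary paths are assumptions.

```python
import contextlib
import os
import tempfile

@contextlib.contextmanager
def as_user(uid, gid):
    """Run the block with the invoking user's effective ids; no-op unless root."""
    saved = (os.geteuid(), os.getegid())
    if saved[0] == 0:
        os.setegid(gid)  # gid first: a non-root euid can no longer change it
        os.seteuid(uid)
    try:
        yield
    finally:
        if saved[0] == 0:
            os.seteuid(saved[0])
            os.setegid(saved[1])

def open_resultdir(path, uid, gid):
    """Create path as uid/gid; return a directory fd, or None unless a real dir is there."""
    with as_user(uid, gid):
        try:
            os.makedirs(path, mode=0o755, exist_ok=True)
            # O_NOFOLLOW turns a planted symlink into ELOOP instead of opening e.g. /etc
            return os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
        except OSError:
            return None  # fail closed: EEXIST (file/dangling link), ELOOP, ENOTDIR

def write_result(dir_fd, name, data, uid, gid):
    """Create name under dir_fd; O_EXCL refuses existing files and symlinks."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("result name must be a bare file name")
    with as_user(uid, gid):
        try:
            fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644, dir_fd=dir_fd)
        except FileExistsError:
            return False
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True

def demo():
    """Constructed scenario: a proper resultdir, then a symlink planted in its place."""
    base, target = tempfile.mkdtemp(), tempfile.mkdtemp()
    uid, gid = os.getuid(), os.getgid()
    dfd = open_resultdir(os.path.join(base, "results"), uid, gid)
    writes = [write_result(dfd, "build.log", b"ok\n", uid, gid) for _ in (1, 2)]
    os.close(dfd)
    os.symlink(target, os.path.join(base, "evil"))  # attacker-placed link
    return writes, open_resultdir(os.path.join(base, "evil"), uid, gid), os.listdir(target)
```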