Discussion summary: Mock security

Clark Williams williams at redhat.com
Thu Jun 8 14:50:30 UTC 2006



Mike McLean wrote:
> Clark Williams wrote:
>> Michael E Brown wrote:
>>> On Wed, 2006-06-07 at 19:52 -0400, Mike McLean wrote:
>>>> At the moment, mock runs as a mortal user and uses mockhelper to
>>>> execute
>>>> a limited number of shell commands as root. What I'd like to do
>>>> is have
>>>> mock-helper (possibly renamed) run mock.py (and only mock.py) as
>>>> root,
>>>> letting mock.py take actions directly without having to filter back
>>>> through mockhelper.
>>>
>>> Ok, so this is the coolest proposed solution I have seen to this
>>> problem. I like it a lot.
>>
>>
>> How would we tell that the mock.py being run as root is the mock.py we
>> all know and love (and not one defiled by some black hat)?
>
> So mockhelper would continue to perform env sanitation, and I
> imagine it will have a hard-coded path for mock.py. I suppose if
> we're really paranoid we could store the sha1sum of mock.py at
> compile time and check it at runtime, but I think restricting to
> running mock.py from the standard location is sufficient.
You're probably right. I do kinda like the SHA1 idea, but then I'm
paranoid...

So we're saying that we turn this on its head and let mock-helper
become mock-launcher?  It sanitizes the environment, does its setuid
thing to root and then execs mock with an arg vector. Nice and
simple.  As you and Michael already pointed out, a hard-coded path to
mock will probably be sufficient for security.  We could actually name
this new executable "mock", put it in /usr/bin and have it launch
mock.py from a private location (not sure what the LFS directive is
there).

This is too straightforward. What are we missing?

Clark

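A sketch of the launcher shape described in the message above, added here as an example and not code from mock or mock-helper: it discards the caller's environment, verifies the script at runtime (root-owned, not writable by others), becomes root for real, and execs a fixed interpreter on a fixed script path. The paths under `PYTHON` and `MOCK_PY` are assumptions, not mock's real layout.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Assumed fixed locations; the thread does not say where mock.py would live. */
#define PYTHON  "/usr/bin/python"
#define MOCK_PY "/usr/libexec/mock/mock.py"

/* The only environment the child ever sees: nothing inherited from the caller. */
static char *const safe_env[] = { "PATH=/usr/bin:/bin", "HOME=/root", "LANG=C", NULL };

/* Runtime check on the script: regular file, owned by root, not group/world-writable.
 * Returns 1 if trusted, 0 otherwise. */
int script_is_trusted(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != 0) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Build the child's argv: interpreter, script, then the caller's arguments verbatim
 * (the launcher's own argv[0] is dropped). Returns the entry count, or -1 if out is too small. */
int build_argv(char **out, size_t cap, const char *interp, const char *script,
               int argc, char **argv)
{
    size_t n = (size_t)argc + 2;   /* interp + script + (argc - 1) args + NULL */
    if (argc < 1 || cap < n) return -1;
    out[0] = (char *)interp;
    out[1] = (char *)script;
    for (int i = 1; i < argc; i++) out[i + 1] = argv[i];
    out[n - 1] = NULL;
    return (int)(n - 1);
}

int main(int argc, char **argv)
{
    char *child_argv[64];
    if (geteuid() != 0) { fprintf(stderr, "launcher is not setuid root\n"); return 1; }
    if (!script_is_trusted(MOCK_PY)) { fprintf(stderr, "refusing to run %s\n", MOCK_PY); return 1; }
    /* Make the real ids root as well, so nothing downstream can fall back to the caller's uid. */
    if (setgid(0) != 0 || setuid(0) != 0) { perror("setuid"); return 1; }
    if (build_argv(child_argv, 64, PYTHON, MOCK_PY, argc, argv) < 0) { fprintf(stderr, "too many arguments\n"); return 1; }
    execve(PYTHON, child_argv, safe_env);   /* absolute path: no PATH lookup, no inherited env */
    perror("execve");
    return 1;
}
```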



