RFC: new mock: strategy, selinux, etc.
Clark Williams
williams at redhat.com
Fri Jan 5 16:52:04 UTC 2007
Axel Thimm wrote:
> In a nutshell: you now carry much more unlimited root power throughout
> all of mock's invocation cycle in comparison to a confined set of
> priviledges that the helper was giving.
Good point. I still think it's easier to audit python code than C code,
but you're talking 500 lines of C versus 1000 lines of python. So, I may
just reconsider this change.
One of the reasons I liked moving to a setuid/setgid launcher was that
we could move the process into the mock group and fix a bunch of chroot
sharing problems with appropriate group permissions. Oh, and we actually
kick off the python process in a separate namespace, which means we
won't dirty up the mount table if for some reason we exit unexpectedly.
If we just made the launcher setgid:mock and kept mock-helper for
rootiness things, would that still trigger your security alarms? Hmmm,
now that I think about it, we probably have to be root to create a new
namespace, so the launcher might have to stay setuid:root and drop
privileges before exec'ing python.
Thoughts?
Clark
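The launcher Clark sketches above (setuid root, create a private mount namespace while still root, drop to the invoking user's uid plus the mock group, then exec python) as an added C example; this is not mock's code and not from this thread, and the python path, the "mock" group name and the environment allow-list are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>
#ifndef CLONE_NEWNS            /* in case sched.h was read before _GNU_SOURCE took effect */
#define CLONE_NEWNS 0x00020000
#endif
int unshare(int flags); extern char **environ;   /* glibc prototypes, same reason */

/* Env allow-list: PYTHONPATH, LD_PRELOAD etc. are dropped; a setuid launcher must not trust its caller. */
static const char *const keep_vars[] = { "HOME", "TERM", "LANG", NULL };
/* Copy allow-listed "NAME=value" entries from in[] to out[]; returns the count kept. */
size_t filter_env(char *const in[], const char *out[], size_t max) {
    size_t n = 0;
    for (size_t i = 0; in[i] != NULL && n + 1 < max; i++)
        for (size_t k = 0; keep_vars[k] != NULL; k++) {
            size_t len = strlen(keep_vars[k]);
            if (strncmp(in[i], keep_vars[k], len) == 0 && in[i][len] == '=') {
                out[n++] = in[i];
                break;
            }
        }
    out[n] = NULL;
    return n;
}
/* Drop to uid/gid for good: supplementary groups, then gid, then uid (the reverse order loses the right to change the gid). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(1, &gid) != 0 || setregid(gid, gid) != 0) return -1;
    if (setreuid(uid, uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }  /* regaining root must fail */
    return 0;
}
int main(int argc, char *argv[]) {
    struct group *mock = getgrnam("mock");       /* assumed group name, as in the thread */
    if (mock == NULL) { fputs("no 'mock' group\n", stderr); return 1; }
    /* Still root here: CLONE_NEWNS needs CAP_SYS_ADMIN. Mounts made afterwards die with the process. */
    if (unshare(CLONE_NEWNS) != 0) { perror("unshare"); return 1; }
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) { perror("mount"); return 1; }
    /* getuid() is the real uid of whoever invoked the setuid launcher. */
    if (drop_privileges(getuid(), mock->gr_gid) != 0) { perror("drop_privileges"); return 1; }
    const char *env[16]; filter_env(environ, env, 16);
    argv[0] = "/usr/bin/python";                 /* hypothetical path to the mock entry point */
    execve(argv[0], argv, (char *const *)env);
    perror("execve"); return 1;                  /* reached only if exec failed */
}
```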