On Oct 6, 2011, at 10:11 PM, Cameron Simpson wrote:

> Hmm. Glyph seemed to be arguing both ways - that everything should be
> tested as root, and also that root is not special. I have unease over the
> former and disagreement over the latter.

Your reply to Stephen suggests that we are actually in agreement, but just to 
be clear: I completely understand that root is special in that the environment 
allows for several behaviors which are not true for a normal user.  Which is 
precisely why it must be tested by a (properly sandboxed) buildbot :).

It's just not special in the sense that having root on a throwaway VM would 
allow you to do non-throwaway things.  The one thing one must always be careful 
of, of course, is having your bandwidth chewed up for some nefarious purpose 
(spam, phishing) but that sort of thing should be caught with other monitoring 
tools.

Plus, there are lots of other impediments to getting Python's buildbots to do 
something nasty.  Only people with a commit bit should be able to actually push 
changes that buildbot will see.  So avoiding root is more about avoiding 
mistakes than avoiding attacks.  (After all, if this process isn't completely 
secure, then neither is the Python that's shipped in various OSes: in which 
case, game over _everywhere_.)

Finally, and unfortunately, there are so many privilege escalation exploits in 
so many different daemons and applications that it's foolish to treat root as 
too terribly special: unless you're a real hardening expert and you spend a lot 
of effort keeping up to the second on security patches, the ability to execute 
completely arbitrary untrusted code as an unprivileged local user on your system 
can likely be converted with little effort into the ability to execute 
arbitrary untrusted code as root.  Although, ironically, buildbots are often 
minimally configured and don't run any other services, so maybe these 
environments are one of the few places where it actually does make a difference 
:-).

(Which is precisely why all daemons everywhere should be written in Python.  
Buffer overflows are dumb, it's 2011 already, come on.  Use Twisted.)
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com