On 07Oct2011 06:18, Glyph <gl...@twistedmatrix.com> wrote:
| On Oct 7, 2011, at 5:10 AM, Stephen J. Turnbull wrote:
|
| > The principle here is "ran as root" without further explanation is a
| > litmus test for "not bothering about security", even today. It's
| > worth asking for explanation, or at least a comment that "all the
| > buildbot contributors I've talked to have put a lot of effort into
| > security configuration".
|
| This is a valid point. I think that Cameron and I may have
| had significantly different assumptions about the environment being
| discussed here. I may have brought some assumptions about the build
| farm here that don't actually apply to the way Python does it.
Likewise. I state now that I have no actual knowledge of the practices in
the build farm(s).

| To sum up what I believe is now the consensus from this thread:
|
| Anyone setting up a buildslave should take care to invoke the build in
| an environment where an out-of-control buildbot, potentially executing
| arbitrarily horrible and/or malicious code, should not damage anything.
| Builders should always be isolated from valuable resources, although
| the specific mechanism of isolation may differ. A virtual machine is a
| good default, but may not be sufficient; other tools for cutting off the
| builder from the outside world would be chroot jails, Solaris zones, etc.
|
| Code runs differently as privileged vs. unprivileged users. Therefore
| builders should be set up in both configurations, running the full test
| suite, to ensure that all code runs as expected in both configurations.
| Some tests, as the start of this thread indicates, must have some
| special logic to make sure they do or do not run, or run differently,
| in privileged vs. unprivileged configurations, but generally speaking
| most things should work in both places.
|
| Access to root may provide access to slightly surprising resources,
| even within a VM (such as the ability to send spoofed IP packets,
| change the MAC address of even virtual ethernet cards, etc.), and
| administrators should be aware that this is the case when configuring
| the host environment for a run-as-root builder. You don't want to end
| up with a compromised test VM that can snoop on your network.
|
| Have I left anything out? :-)

I think that the build and the tests should be different security
scopes/zones/levels: different users or different VMs. Andrew's
suggestion of a VM-for-tests sounds especially good.

And that I think the as-root test suite shouldn't run unless the
not-root test suite passes.
Cheers,
--
Cameron Simpson <c...@zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/

It is not true that life is one damn thing after another -- it's one damn
thing over and over. - Edna St. Vincent Millay
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
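The two mechanics the summary above asks for, as an added example that is not part of the thread and not CPython's own test-support code: a skip decorator for tests whose outcome depends on whether the process runs as root (the "special logic" Glyph mentions), and a runner that executes the unprivileged suite first and only then the as-root suite, as Cameron proposes. The function names, the `sudo -n` invocation and the temporary-file probe are illustrative assumptions; a real buildslave would run both stages inside a throwaway VM as the thread recommends.

```python
"""Added example (not from the python-dev thread, not CPython test.support):
privilege-aware test skipping plus a gated unprivileged-then-root runner."""
import os
import subprocess
import sys
import tempfile
import unittest


def running_as_root():
    """True when the effective uid is 0 on a POSIX system.

    uid 0 bypasses discretionary file-permission checks, so a test that
    expects "permission denied" passes trivially (without exercising the
    error path) when the builder itself runs as root.
    """
    return hasattr(os, "geteuid") and os.geteuid() == 0


def skip_if_root(reason="file permission bits are bypassed by uid 0"):
    """Decorator: skip a test that is meaningless or misleading as root."""
    return unittest.skipIf(running_as_root(), reason)


def skip_unless_root(reason="requires root privileges"):
    """Decorator: skip a test that can only be exercised as root."""
    return unittest.skipUnless(running_as_root(), reason)


def permission_denied_on_mode_000():
    """Probe: create a mode-000 temp file and report whether opening it
    for reading raises PermissionError.  Unprivileged: True.  As root
    (DAC override): normally False.  One run therefore cannot validate
    both code paths, which is why the suite runs in both configurations."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0)
        try:
            with open(path, "rb"):
                return False
        except PermissionError:
            return True
    finally:
        os.chmod(path, 0o600)  # make it deletable again on every platform
        os.unlink(path)


class PermissionTests(unittest.TestCase):
    @skip_if_root()
    def test_mode_000_is_unreadable_unprivileged(self):
        self.assertTrue(permission_denied_on_mode_000())

    @skip_unless_root()
    def test_root_bypasses_mode_000(self):
        self.assertFalse(permission_denied_on_mode_000())


def gated_test_run(unprivileged_cmd, privileged_cmd, run=subprocess.run):
    """Run the unprivileged suite; run the privileged suite only if the
    first stage exited 0.  Returns (unprivileged_rc, privileged_rc), with
    privileged_rc None when the second stage was not attempted."""
    rc = run(unprivileged_cmd).returncode
    if rc != 0:
        return rc, None
    return rc, run(privileged_cmd).returncode


def exit_cmd(code):
    """Stand-in for a test suite with a known exit status (used for demos)."""
    return [sys.executable, "-c", "raise SystemExit(%d)" % code]


if __name__ == "__main__":
    # Hypothetical builder step: same suite twice, the second time via sudo.
    # Both command lines are assumptions for illustration only.
    suite = [sys.executable, "-m", "unittest", __file__]
    print(gated_test_run(suite, ["sudo", "-n", "--"] + suite))
```

The gating keeps a failure that is visible without privileges from ever being re-run with them, and the two decorators make the root/non-root expectation explicit in the test itself rather than leaving a permission test to pass silently under uid 0.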