Re: [nant-dev] NUnit security
It is. But you do not run built assemblies during builds. Only the test code is run (and through it the real code).

Martin

----- Original Message -----
From: Philip Nelson [EMAIL PROTECTED]
To: Martin Aliger [EMAIL PROTECTED]; !nant [EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 5:25 PM
Subject: Re: [nant-dev] NUnit security

How is this more risky than running the code you are actually testing? Isn't the real code and the test code written by the same group?

--- Martin Aliger [EMAIL PROTECTED] wrote:
> Hi all,
>
> I found a serious security problem. My build server, which uses NAnt internally, runs as a Windows service (as all build servers I know run). This service runs as a privileged user. Nothing wrong with that unless you run test cases with NUnit. It runs user code, which could contain malicious tests...
>
> It is not a big problem for us, since I trust my colleagues, but it could be a problem in some scenarios.
>
> What about somehow limiting permissions in NUnitTask? Or is something done in NUnit itself?
>
> Regards,
> Martin

_______________________________________________
nant-developers mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/nant-developers
RE: [nant-dev] NUnit security
Hi Martin,

If you have no special need for your service to run under a privileged account, then let it run with a less privileged account.

Otherwise you can use the built-in .Net runtime security features:

Let your NAnt script copy everything you need to a special folder (incl. NUnit assemblies). Configure the .Net runtime on the build server so that everything that is run from this folder is granted fewer privileges.

If you're running W*S, go to the Administrative Tools, .Net Framework Configuration > Runtime Security Policy > Machine > Code Groups > All Code > My_computer_zone, make a new code group whose condition type is URL and use "file://some directory/*.*", then choose the permission set you want to use. (This can be done via the cmd line caspol.)

Hope this helps.

Yves

-----Original Message-----
From: Martin Aliger [mailto:[EMAIL PROTECTED]]
Sent: Wed 9/10/2003 4:43 PM
To: ! nant
CC:
Subject: [nant-dev] NUnit security

Hi all,

I found a serious security problem. My build server, which uses NAnt internally, runs as a Windows service (as all build servers I know run). This service runs as a privileged user. Nothing wrong with that unless you run test cases with NUnit. It runs user code, which could contain malicious tests...

It is not a big problem for us, since I trust my colleagues, but it could be a problem in some scenarios.

What about somehow limiting permissions in NUnitTask? Or is something done in NUnit itself?

Regards,
Martin
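The code-group setup described in the message above, scripted with caspol instead of the configuration GUI. This is an added example, not part of the original thread. The sandbox folder, group name, test assembly name and framework version directory are assumptions.

```powershell
# Added example (not from the thread): grant reduced permissions to everything
# loaded from a build sandbox folder, using machine-level CAS policy.
# Assumed values: framework directory, sandbox path, group name, Tests.dll.
$caspol  = Join-Path $env:windir 'Microsoft.NET\Framework\v1.1.4322\caspol.exe'
$sandbox = 'C:\BuildSandbox'        # hypothetical folder the NAnt script copies into
$group   = 'BuildSandbox_Tests'     # hypothetical code group name
$url     = 'file://' + ($sandbox -replace '\\', '/') + '/*'

if (-not (Test-Path $caspol)) { throw "caspol.exe not found at $caspol" }

# Turn off the confirmation prompt so the policy change can run unattended.
& $caspol -polchgprompt off

# Add a child group under My_Computer_Zone, matched by URL.
# "Execution" is a built-in named permission set: the code may run, nothing more.
# Pick whichever named set the tests actually need.
#
# -exclusive on is the important flag. Within one policy level the grants of all
# matching code groups are unioned, and My_Computer_Zone grants FullTrust, so a
# non-exclusive child group would restrict nothing.
& $caspol -machine -addgroup My_Computer_Zone -url $url Execution `
          -name $group -exclusive on
$added = $LASTEXITCODE

# Restore the prompt whether or not the change succeeded.
& $caspol -polchgprompt on
if ($added -ne 0) { throw "caspol -addgroup failed with exit code $added" }

# Check the result: list the machine-level groups, then resolve the effective
# permissions for an assembly inside the sandbox (Tests.dll is a placeholder).
& $caspol -machine -listgroups
$probe = Join-Path $sandbox 'Tests.dll'
if (Test-Path $probe) {
    & $caspol -all -resolveperm $probe
}
```

Machine-level policy changes need an administrative account. CAS policy set this way is honoured by the .NET Framework 1.x to 3.5 runtimes; .NET Framework 4 and later ignore it by default.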
Re: [nant-dev] NUnit security
Seems OK. It is not a problem for me - just a general thought. Maybe we could add a note about it to the docs for the NUnit{1,2} tasks. It could be a problem for projects like Draco.NET or CruiseControl.NET which use NAnt internally.

The rights should be adjustable from task attributes in the future. Some tests could need more rights than others, and only the author of the build file knows.

Martin

----- Original Message -----
From: Lorphelin Yves
To: Martin Aliger ; ! nant
Sent: Wednesday, September 10, 2003 6:11 PM
Subject: RE: [nant-dev] NUnit security

Hi Martin,

If you have no special need for your service to run under a privileged account, then let it run with a less privileged account.

Otherwise you can use the built-in .Net runtime security features:

Let your NAnt script copy everything you need to a special folder (incl. NUnit assemblies). Configure the .Net runtime on the build server so that everything that is run from this folder is granted fewer privileges.

If you're running W*S, go to the Administrative Tools, .Net Framework Configuration > Runtime Security Policy > Machine > Code Groups > All Code > My_computer_zone, make a new code group whose condition type is URL and use "file://some directory/*.*", then choose the permission set you want to use. (This can be done via the cmd line caspol.)

Hope this helps.

Yves
Re: [nant-dev] NUnit security
Especially those people using Draco.NET to build Sourceforge projects. :)

Martin Aliger wrote:
> Seems OK. It is not a problem for me - just a general thought. Maybe we could add a note about it to the docs for the NUnit{1,2} tasks. It could be a problem for projects like Draco.NET or CruiseControl.NET which use NAnt internally.
>
> The rights should be adjustable from task attributes in the future. Some tests could need more rights than others, and only the author of the build file knows.
>
> Martin