Re: [nant-dev] NUnit security

2003-09-10 Thread Martin Aliger
It is. But you do not run built assemblies during builds. Only the test
code is run (and through it the real code)

Martin

- Original Message - 
From: Philip Nelson [EMAIL PROTECTED]
To: Martin Aliger [EMAIL PROTECTED]; !nant
[EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 5:25 PM
Subject: Re: [nant-dev] NUnit security


 How is this more risky than running the code you are actually testing?
 Isn't the real code and the test code written by the same group?

 --- Martin Aliger [EMAIL PROTECTED] wrote:
  Hi all,
 
  I found serious security problem. My build server, which use NAnt
  internally, runs as windows service (as all build servers I know runs).
  This service runs as privileged user. Nothing wrong with that unless you run
  test-cases with NUnit. It runs user code, which could contain malicious
  tests... It is not big problem for us, since I trust my
  colleagues, but it could be problem in some scenarios.
 
  What about limit somehow permissions in NUnitTask? Or is something done
  in NUnit itself?
 
  Regards,
  Martin
 
 
 
 
  ---
  This sf.net email is sponsored by:ThinkGeek
  Welcome to geek heaven.
  http://thinkgeek.com/sf
  ___
  nant-developers mailing list
  [EMAIL PROTECTED]
  https://lists.sourceforge.net/lists/listinfo/nant-developers









RE: [nant-dev] NUnit security

2003-09-10 Thread Lorphelin Yves






Hi Martin,

If you have no special need for your service to run under a privileged
account, let it then run with a less privileged account.


Otherwise you can use the built-in .Net runtime security features:
Let your nant script copy everything you need to a special folder (incl
Nunit assemblies).
Configure the .Net runtime on the build server so that everything
that is run from this folder is granted less privileges.
If you're running W*S go to the administrative tools, .net Framework
Configuration > Runtime Security policy > Machine > code groups > all Code >
My_computer_zone > make a new code group whose condition type is url and use
"file://some directory/*.*" > then choose the permission set you want to use.
(this can be done via the cmd line caspol)


Hope this helps.
Yves


  -Original Message-
  From: Martin Aliger [mailto:[EMAIL PROTECTED]
  Sent: Wed 9/10/2003 4:43 PM
  To: ! nant
  CC:
  Subject: [nant-dev] NUnit security

  Hi all,

  I found serious security problem. My build server, which use NAnt
  internally, runs as windows service (as all build servers I know runs).
  This service runs as privileged user. Nothing wrong with that unless you run
  test-cases with NUnit. It runs user code, which could contain malicious
  tests... It is not big problem for us, since I trust my
  colleagues, but it could be problem in some scenarios.

  What about limit somehow permissions in NUnitTask? Or is something done
  in NUnit itself?

  Regards,
  Martin
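The code-group restriction Yves describes, done with caspol, as an added example that is not part of the original thread. The folder C:\build\sandbox, the group name NAntTestSandbox, the test assembly name and the choice of the LocalIntranet permission set are assumptions; caspol.exe of the installed .NET Framework version is assumed to be on PATH in an administrator prompt.

```bat
rem Added example (constructed). C:\build\sandbox, NAntTestSandbox and
rem MyProject.Tests.dll are placeholders, not values from the thread.

rem 1. List the machine-level code groups to confirm that My_Computer_Zone
rem    exists and to see which permission set it currently grants.
caspol -machine -listgroups

rem 2. Turn off the interactive "are you sure" prompt so the policy change
rem    can run from an unattended script.
caspol -polchgprompt off

rem 3. Add a child group under My_Computer_Zone that matches every assembly
rem    loaded from the sandbox folder (URL membership condition).
rem    -exclusive on matters: a policy level normally grants the union of all
rem    matching code groups, and My_Computer_Zone grants FullTrust by default,
rem    so without the exclusive flag the new group would restrict nothing.
caspol -machine -addgroup My_Computer_Zone -url file://C:/build/sandbox/* LocalIntranet -name NAntTestSandbox -exclusive on

rem 4. Restore the prompt for later interactive use.
caspol -polchgprompt on

rem 5. Check the result: show the permissions that enterprise, machine and
rem    user policy together would grant to a test assembly in the folder.
caspol -all -resolveperm C:\build\sandbox\MyProject.Tests.dll
```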




Re: [nant-dev] NUnit security

2003-09-10 Thread Martin Aliger



Seems ok.

It is not problem for me - just a general thought.

Maybe we could add note about it into doc for NUnit{1,2} tasks. Could be
problem for projects like Draco.NET or CruiseControl.NET which use Nant
internally. The rights should be adjustable from task attributes in future.
Some tests could need more rights than others and only author of build file
knows.


Martin

  - Original Message -
  From: Lorphelin Yves
  To: Martin Aliger ; ! nant
  Sent: Wednesday, September 10, 2003 6:11 PM
  Subject: RE: [nant-dev] NUnit security
  
  
  Hi Martin,
  
  If you have no special need for your service to run under a privileged
  account, let it then run with a less privileged account.


  Otherwise you can use the built-in .Net runtime security features:
  Let your nant script copy everything you need to a special folder (incl
  Nunit assemblies).
  Configure the .Net runtime on the build server so that everything
  that is run from this folder is granted less privileges.
  If you're running W*S go to the administrative tools, .net Framework
  Configuration > Runtime Security policy > Machine > code groups > all Code >
  My_computer_zone > make a new code group whose condition type is url and use
  "file://some directory/*.*" > then choose the permission set you want to use.
  (this can be done via the cmd line caspol)
  
  
  Hope this helps.
  Yves
  
  
    -Original Message-
    From: Martin Aliger [mailto:[EMAIL PROTECTED]
    Sent: Wed 9/10/2003 4:43 PM
    To: ! nant
    CC:
    Subject: [nant-dev] NUnit security

    Hi all,

    I found serious security problem. My build server, which use NAnt
    internally, runs as windows service (as all build servers I know runs).
    This service runs as privileged user. Nothing wrong with that unless you run
    test-cases with NUnit. It runs user code, which could contain malicious
    tests... It is not big problem for us, since I trust my
    colleagues, but it could be problem in some scenarios.

    What about limit somehow permissions in NUnitTask? Or is something done
    in NUnit itself?

    Regards,
    Martin


Re: [nant-dev] NUnit security

2003-09-10 Thread Matthew Mastracci
Especially those people using Draco.NET to build Sourceforge projects.  :) 

Martin Aliger wrote:

Seems ok.
 
It is not problem for me - just a general thought.
 
Maybe we could add note about it into doc for NUnit{1,2} tasks. Could 
be problem for projects like Draco.NET or CruiseControl.NET which use 
Nant internally. The rights should be adjustable from task attributes 
in future. Some tests could need more rights than others and only 
author of build file knows.
 
Martin

- Original Message -
*From:* Lorphelin Yves mailto:[EMAIL PROTECTED]
*To:* Martin Aliger mailto:[EMAIL PROTECTED] ; ! nant
mailto:[EMAIL PROTECTED]
*Sent:* Wednesday, September 10, 2003 6:11 PM
*Subject:* RE: [nant-dev] NUnit security
Hi Martin,
 
If you have no special need for your service to run under a
privileged account, let it then run with a less privileged account.
 
 
Otherwise you can use the built-in .Net runtime security features:
Let your nant script copy everything you need to a special folder
(incl Nunit assemblies).
Configure the .Net runtime on the build server so that
everything that is run from this folder is granted less privileges.
If you're running W*S go to the administrative tools, .net Framework
Configuration > Runtime Security policy > Machine > code groups > all Code >
My_computer_zone > make a new code group whose condition type is url and use
"file://some directory/*.*" > then choose the permission set you want to use.
(this can be done via the cmd line caspol)
 
 
Hope this helps.
Yves
 

-Original Message-
*From:* Martin Aliger [mailto:[EMAIL PROTECTED]
*Sent:* Wed 9/10/2003 4:43 PM
*To:* ! nant
*CC:*
*Subject:* [nant-dev] NUnit security
Hi all,

I found serious security problem. My build server, which use NAnt
internally, runs as windows service (as all build servers I
know runs). This service runs as privileged user. Nothing wrong with that
unless you run test-cases with NUnit. It runs user code, which could contain
malicious tests... It is not big problem for us, since I trust my
colleagues, but it could be problem in some scenarios.
What about limit somehow permissions in NUnitTask? Or is
something done in NUnit itself?
Regards,
Martin

