On 12/08/2010 01:03 PM, James Ralston wrote:
> Riddle me this.
>
> We want to provide a server for developers within our organization to
> build RPM packages for use within our organization.
>
> These are our requirements:
>
> 1. The developers must not be able to leverage the package build
> process to obtain root access on the server.
>
> 2. If a package has a build dependency that is not explicitly
> specified, the build must fail.
>
> 3. If two developers are building packages simultaneously, their
> builds must not conflict.
>
> The only way to satisfy requirements #2 and #3 is to use a chroot'ed
> build environment.
>
> mock(1) uses a chroot'ed build environment, but mock fails requirement
> #1, as anyone in the "mock" group can trivially root the box.
>
> I think that koji would satisfy all three requirements, because koji
> uses mock to build, but doesn't allow developers to interface with
> mock directly. But setting up a koji infrastructure seems like a
> highly non-trivial task.
>
> Is there really no way to meet all three of these requirements without
> going the full-blown koji route?

We have been slowly looking into an SELinux solution for this. Just using koji/mock is still dangerous, since the environment is running as root and the rpm could contain stuff to attack the system (break out of the chroot, attack other mock systems, attack the network, etc.).

To make this secure, you really need a sandboxed mock, where the mock environment runs with a context of mock_t and is isolated from other mock environments using MCS separation.
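As an added illustration (not part of the thread, and not mock's or SELinux's own code), the following Python checks the MCS rule the reply relies on: a subject may access an object only when the subject's category set covers the object's, so two mock_t build environments labelled with disjoint category pairs cannot touch each other's files. The labels are constructed samples; the category numbers are hypothetical.

```python
"""Added example: checking the MCS separation described in the reply.

Under MCS, access is allowed only if every category on the object is also
present on the subject.  Two builds that both run as mock_t but carry
disjoint category sets therefore cannot read or write each other's files.
All labels below are constructed samples.
"""
import re

_RANGE = re.compile(r"^c(\d+)\.c(\d+)$")   # e.g. c0.c1023


def parse_categories(context: str) -> frozenset[int]:
    """Return the category set of the high (clearance) level of a context.

    Accepts a full 'user:role:type:s0:c1,c2' label, a bare MLS field such
    as 's0-s0:c0.c1023' (range form), or a plain 's0' (no categories).
    """
    fields = context.split(":", 3)
    mls = fields[3] if len(fields) == 4 else context
    high = mls.split("-")[-1]              # use the high end of a low-high range
    parts = high.split(":", 1)
    if len(parts) == 1:                    # sensitivity only, empty category set
        return frozenset()
    cats: set[int] = set()
    for item in parts[1].split(","):
        m = _RANGE.match(item)
        if m:
            cats.update(range(int(m.group(1)), int(m.group(2)) + 1))
        elif re.fullmatch(r"c\d+", item):
            cats.add(int(item[1:]))
        else:
            raise ValueError(f"bad category {item!r} in {context!r}")
    return frozenset(cats)


def dominates(subject: str, obj: str) -> bool:
    """True if the subject's categories cover the object's (MCS permits access)."""
    return parse_categories(obj) <= parse_categories(subject)


def mutually_isolated(ctx_a: str, ctx_b: str) -> bool:
    """True if neither build environment can access the other's objects."""
    return not dominates(ctx_a, ctx_b) and not dominates(ctx_b, ctx_a)


# Constructed sample labels: two builds with their own category pairs, a third
# that reuses the first's pair (the unsafe case), and an administrator label.
BUILD_A = "system_u:system_r:mock_t:s0:c10,c11"
BUILD_B = "system_u:system_r:mock_t:s0:c20,c21"
BUILD_A_CLONE = "system_u:system_r:mock_t:s0:c10,c11"
ADMIN = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"

if __name__ == "__main__":
    print("A vs B isolated:", mutually_isolated(BUILD_A, BUILD_B))            # True
    print("A vs clone isolated:", mutually_isolated(BUILD_A, BUILD_A_CLONE))  # False
    print("admin dominates A:", dominates(ADMIN, BUILD_A))                     # True
```

The point of the check is the failure mode: a build that reuses another build's categories is not isolated from it, so each sandboxed mock environment needs a category set that is unique while it runs.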