Mock and consolehelper

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I have noticed that mock in Rawhide has been changed to drop the SUID helper, 
instead consolehelper is used to run the entire mock as root. IMHO, this is a 
regression:
* It now means you have to know the root password to run mock. Before, it was 
possible to give out mock access and only that simply by making the user a 
member of the mockbuild group. Now the only way to do that is to allow running 
all of mock as root, which probably opens up several ways to get full root 
access from there.
* It means mock has to be run interactively. What are the implications of this 
on the builders? Will they have to install all of mock SUID root, or set up 
consolehelper in a way which effectively does the same?
* It reduces security, as instead of a small helper doing only a few controlled 
operations, you now run all of mock as root. Sure, it's Python, so buffer 
overflows probably can't happen, but still, trigger any bug in mock with a 
trojaned SRPM and you have root.

        Kevin Kofler

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux