
Re: [alpine-devel] a few abuild oddities

From: Natanael Copa <ncopa_at_alpinelinux.org>
Date: Fri, 6 Dec 2013 11:41:50 +0100

On Tue, 3 Dec 2013 22:47:11 -0500
Jim Pryor <dubiousjim_at_gmail.com> wrote:

> On Tue, Dec 03, 2013 at 04:34:09PM +0100, Natanael Copa wrote:
> > > Is it possible to use abuild for the full range of activities without
> > > being in the abuild group? Do we just prompt with sudo or su in those
> > > cases when needed? In that case the security-conscious solution will
> > > just be don't add your users to the "abuild" group. The costs and
> > > benefits of this would just need to be more clearly documented.
> >
> > You need to either be in the abuild group or have sudo permissions to use
> > abuild -r for letting abuild install the deps for you.
>
> Ok, but they don't have to be permissions to use "sudo abuild -r ..."
> WITHOUT PASSWORD, correct? That's the behavior I expect.

I don't understand the question. Sorry.

abuild will slap you in the face if you run abuild as root (sudo abuild).

The point was that on build servers you don't need to add the user to
sudoers (with NOPASSWD). Build servers cannot prompt for passwords.

> >
> > To use sudo instead of abuild-apk you can set SUDO_APK="sudo apk"
> > in /etc/abuild.conf (or just export SUDO_APK="sudo apk").
>
> Great, thanks.

The problem is actually worse than I originally thought. abuild also
needs to create users and groups (for pkgusers/pkggroups). This means
that if you are in 'abuild' group you can create any user or group and
add any user to any group.

We only need the user within fakeroot so that from the package() function
you can set permissions of files and dirs within the package.

To solve this, we could either create fake users for fakeroot (so
fakeroot believes that the user exists) or we would need to have a tar fork
that could set ownership on given files when creating the archive. That
way, the user doesn't need to exist on the building system.


> > You can still build packages with abuild without needing sudo but then
> > all the dependencies need to be installed already:
> > SUDO_APK=apk abuild
> >
> > The motivation behind the abuild group was to make it convenient to set up
> > a build server. Might be we want to change the default back to sudo.


Received on Fri Dec 06 2013 - 11:41:50 UTC
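
The message above ties the exposure to membership in the 'abuild' group, so a first audit step on a build host is to list who is in that group and how SUDO_APK is configured. The script below is an added example, not part of the original post or of abuild itself; the function names are hypothetical, and it assumes standard /etc/group and /etc/passwd formats and simple one-line SUDO_APK assignments.

```shell
#!/bin/sh
# Added example: audit 'abuild' group membership and the SUDO_APK setting.
# Paths are parameters so the check can also run on copies of the files.

# List every account in the 'abuild' group, one per line: supplementary
# members from the group file plus accounts whose primary GID is abuild's.
abuild_members() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    gid=$(awk -F: '$1 == "abuild" { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0            # no abuild group: nothing to list
    {
        awk -F: '$1 == "abuild" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Print the last SUDO_APK assignment in abuild.conf with quotes stripped,
# or "unset" when the file is unreadable or has no assignment.
sudo_apk_setting() {
    conf=${1:-/etc/abuild.conf}
    [ -r "$conf" ] || { echo unset; return 0; }
    val=$(sed -n 's/^[[:space:]]*\(export[[:space:]]*\)*SUDO_APK=//p' "$conf" |
          tail -n 1 | tr -d "\"'")
    printf '%s\n' "${val:-unset}"
}

# Summarise both findings for one host.
audit_abuild() {
    members=$(abuild_members "$1" "$2" | tr '\n' ' ')
    echo "abuild group members: ${members:-none}"
    echo "SUDO_APK: $(sudo_apk_setting "$3")"
}

# Constructed sample data (not taken from a real system).
tmp=$(mktemp -d)
printf '%s\n' 'root:x:0:root' 'abuild:x:300:builder,alice' > "$tmp/group"
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
              'ci:x:1001:300::/home/ci:/bin/sh' > "$tmp/passwd"
printf '%s\n' 'export SUDO_APK="sudo apk"' > "$tmp/abuild.conf"
audit_abuild "$tmp/group" "$tmp/passwd" "$tmp/abuild.conf"
rm -rf "$tmp"
```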