Re: [alpine-devel] a few abuild oddities

From: Natanael Copa <ncopa_at_alpinelinux.org>
Date: Fri, 13 Dec 2013 16:23:24 +0100

On Tue, 10 Dec 2013 22:13:45 -0500
Jim Pryor <dubiousjim_at_gmail.com> wrote:

> On Fri, Dec 6, 2013, at 05:41 AM, Natanael Copa wrote:
> > > > > Is it possible to use abuild for the full range of activities without
> > > > > being in the abuild group? Do we just prompt with sudo or su in those
> > > > > cases when needed? In that case the security-conscious solution will
> > > > > just be don't add your users to the "abuild" group. The costs and
> > > > > benefits of this would just need to be more clearly documented.
> > > >
> > > > You need to either be in the abuild group or have sudo permissions to use
> > > > abuild -r for letting abuild install the deps for you.
> > >
> > > Ok, but they don't have to be permissions to use "sudo abuild -r ..."
> > > WITHOUT PASSWORD, correct? That's the behavior I expect.
> >
> > I don't understand the question. Sorry.
> >
> > abuild will slap you in the face if you run abuild as root (sudo abuild)
> >
> > The point was that on build servers you don't need to add the user to
> > sudoers (with NOPASSWD). Build servers cannot prompt for passwords.
>
> Sorry I wasn't clear. If I'm understanding right, here is how things
> stand:
>
> One can't run abuild as root, or using "sudo abuild" (unless one
> supplies the -F switch?).

Correct.
>
> One option is to add the current user to the abuild group (log out and
> log back in as needed). Then abuild can do everything it needs to do,
> without prompting for any passwords.

Correct. This would be equivalent to giving the user NOPASSWD sudo
permissions for running apk, adduser and addgroup. (In practice it
means full root privileges.)

> Another option is to do this:
>
> > > > To use sudo instead of abuild-apk you can set SUDO_APK="sudo apk"
> > > > in /etc/abuild.conf (or just export SUDO_APK="sudo apk").
>
> Then the user in question needs to have permissions to run the commands
> abuild wants to run in the /etc/sudoers file. If we're talking about a
> build server, then those have to be NOPASSWD permissions. But if it's an
> interactive machine, then the NOPASSWD permissions aren't needed, right?

Correct.

> Abuild will just invoke whatever you gave it as a SUDO_APK, and if that
> in turn wants to demand passwords from the user, so be it. No problem
> there, correct?

As long as the APKBUILD does not set pkgusers or pkggroups it should be
ok. I think you then have to set:

ADDUSER="sudo adduser"
ADDGROUP="sudo addgroup"

-nc


Received on Fri Dec 13 2013 - 16:23:24 UTC
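
The message above equates abuild group membership with NOPASSWD sudo for apk, adduser and addgroup, which in practice is full root. The following is an added example, not part of the thread or of abuild itself, that lists which accounts hold either form of that privilege; the function names, the GID and all sample file contents are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): audit who holds the build privileges
# discussed above. Paths are parameters so the checks can run on file copies.

# Print accounts in the "abuild" group: supplementary members from the group
# file plus accounts whose primary GID in the passwd file is the abuild GID.
abuild_members() {
    gid=$(awk -F: '$1 == "abuild" { print $3 }' "$1")
    [ -n "$gid" ] || return 0
    {
        awk -F: '$1 == "abuild" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$1"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
    } | sort -u
}

# Print sudoers lines that grant NOPASSWD for apk, adduser, addgroup or ALL.
# Heuristic text match: no alias expansion and no #include handling.
nopasswd_build_rules() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -E 'NOPASSWD:[^#]*(/(apk|adduser|addgroup)|ALL)([[:space:],]|$)'
}

# Constructed sample files (not real system data).
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
cat > "$sample/group" <<'EOF'
root:x:0:root
abuild:x:300:alice,buildbot
wheel:x:10:carol
EOF
cat > "$sample/passwd" <<'EOF'
alice:x:1000:1000::/home/alice:/bin/ash
dave:x:1003:300::/home/dave:/bin/ash
carol:x:1002:1002::/home/carol:/bin/ash
EOF
cat > "$sample/sudoers" <<'EOF'
# build server account
buildbot ALL=(root) NOPASSWD: /sbin/apk, /usr/sbin/adduser
carol ALL=(root) /sbin/apk
EOF

echo "abuild group members:"; abuild_members "$sample/group" "$sample/passwd"
echo "NOPASSWD build rules:"; nopasswd_build_rules "$sample/sudoers"
```

On a real host, pass /etc/group, /etc/passwd and /etc/sudoers to the two functions; any account either one prints should be treated as root-equivalent.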