[alpine-devel] Re: installing build deps as non-root (WAS: 3.3 proposal: reduce number of SUID binaries as much as possible)
On Thu, May 28, 2015 at 1:18 AM, Natanael Copa <ncopa_at_alpinelinux.org> wrote:
> On Tue, 26 May 2015 04:32:01 -0500
> William Pitcock <nenolod_at_dereferenced.org> wrote:
>> I would like to see a general reduction of SUID binaries where
>> possible. For example, a lot of APKBUILDs have options=suid when
>> there's probably no real reason for it.
> This reminds me of a problem I have been thinking of.
> When creating/maintaining package we need temporary install the build
> time dependencies and when build is done we need uninstall them.
> Is there a good way to do this without relying on suid? And we
> definitively don't want run the entire build as root.
> We probably want build the packages in a chroot too in the future.
> Doing chroot(2) also requires root permission.
> We currently have a magic group 'abuild'. If you are in this group you
> are allowed to install packages. This means, you are effectively root
> if you are in this group. Are there better ways to do it?
> We could maybe tighten it up and forbid --allow-untrusted. Then you
> need both be in the group and install the signing key in /etc/apk/keys
Ideally, I think what we should do is perhaps use lightweight
containers for build environments. And then what you do is bind-mount
the aports tree(s) in the right places in the container. Then you do
the build as root inside the container instead of bother with
fakeroot, cowdancer, etc.
I'm going to probably be busy with this FOSS raid monitoring stuff
this summer so I probably won't have much time to pursue this, but
it's just an idea of how it could work.
Received on Fri May 29 2015 - 01:49:17 GMT