Date: Fri, 6 Dec 2013 11:41:50 +0100
From: Natanael Copa
To: Jim Pryor
Cc: Alpine
Subject: Re: [alpine-devel] a few abuild oddities

On Tue, 3 Dec 2013 22:47:11 -0500
Jim Pryor wrote:

> On Tue, Dec 03, 2013 at 04:34:09PM +0100, Natanael Copa wrote:
> > > Is it possible to use abuild for the full range of activities without
> > > being in the abuild group? Do we just prompt with sudo or su in those
> > > cases when needed? In that case the security-conscious solution will
> > > just be don't add your users to the "abuild" group. The costs and
> > > benefits of this would just need to be more clearly documented.
> >
> > You need either be in abuild group or have sudo permissions to use
> > abuild -r for letting abuild install the deps for you.
>
> Ok, but they don't have to be permissions to use "sudo abuild -r ..."
> WITHOUT PASSWORD, correct? That's the behavior I expect.

I don't understand the question. Sorry.

abuild will slap you in the face if you run abuild as root (sudo abuild).

The point was that you on buildservers don't need to add user to sudoers
(with NOPASSWD). Build servers cannot prompt for passwords.

> >
> > To use sudo instead of abuild-apk you can set SUDO_APK="sudo apk"
> > in /etc/abuild.conf (or just export SUDO_APK="sudo apk").
>
> Great, thanks.

The problem is actually worse than I originally thought. abuild also
needs to create users and groups (for pkgusers/pkggroups). This means
that if you are in 'abuild' group you can create any user or group and
add any user to any group.

We only need the user within fakeroot so you from package() function can
set permissions of files and dirs within the package.

To solve this, we could either create fake users for fakeroot (so
fakeroot believes that user exists) or we would need to have a tar-fork
that could set ownership on given files when creating the archive. That
way, the user doesn't need to exist on the building system.

> > You can still build packages with abuild without needing sudo but then
> > all the dependencies needs to be installed already:
> > SUDO_APK=apk abuild
> >
> > The motivation behind abuild group was to make it convenient to set up
> > a build server.

Might be we want to change the default back to sudo.
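
The second option raised in the message above (writing ownership into the archive at creation time, so the account never has to exist on the build host) is sketched here as an added example; it is not abuild's code and not part of the original message. Python's `tarfile` stands in for the proposed tar fork, and the `OWNERS` table, account name and ids are constructed for illustration.

```python
import io
import tarfile

ROOT = ("root", 0, "root", 0)

# Hypothetical ownership table: archive path -> (user, uid, group, gid).
# "demo" and id 450 are constructed; nothing here is looked up in, or added
# to, the build host's /etc/passwd or /etc/group.
OWNERS = {"var/lib/demo": ("demo", 450, "demo", 450)}


def owner_for(path, owners):
    """Longest matching path prefix wins; everything else is root:root."""
    parts = path.split("/")
    for i in range(len(parts), 0, -1):
        key = "/".join(parts[:i])
        if key in owners:
            return owners[key]
    return ROOT


def build_package(files, owners):
    """Return tar bytes for `files` (path -> bytes, or None for a directory).

    Ownership is written straight into each tar header, so the builder needs
    neither root, fakeroot, nor the right to create users and groups.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for path in sorted(files):
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.uname, info.uid, info.gname, info.gid = owner_for(path, owners)
            if data is None:
                info.type = tarfile.DIRTYPE
                info.mode = 0o750
                tar.addfile(info)
            else:
                info.mode = 0o644
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_owners(archive):
    """Read back the (user, uid, group, gid) recorded for every member."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        return {m.name: (m.uname, m.uid, m.gname, m.gid) for m in tar}
```
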