X-Original-To: alpine-devel@lists.alpinelinux.org
Delivered-To: alpine-devel@mail.alpinelinux.org
Received: from dal-a2.localdomain (unknown [74.117.189.115]) by mail.alpinelinux.org (Postfix) with ESMTP id E5C73DC0170 for ; Fri, 13 Dec 2013 15:23:28 +0000 (UTC)
Received: from ncopa-desktop.alpinelinux.org (3.203.202.84.customer.cdi.no [84.202.203.3]) (using SSLv3 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: ncopa@tanael.org) by dal-a2.localdomain (Postfix) with ESMTPSA id 1E92ABC1016; Fri, 13 Dec 2013 15:23:27 +0000 (UTC)
Date: Fri, 13 Dec 2013 16:23:24 +0100
From: Natanael Copa
To: Jim Pryor
Cc: Alpine
Subject: Re: [alpine-devel] a few abuild oddities
Message-ID: <20131213162324.7f184f48@ncopa-desktop.alpinelinux.org>
In-Reply-To: <1386731625.3969.58128045.74D3A3D7@webmail.messagingengine.com>
References: <20131201174554.GB29236@zen> <20131201235659.GD29236@zen> <20131202142914.4438af81@ncopa-desktop.alpinelinux.org> <1386000265.25324.54500989.5FF25FA8@webmail.messagingengine.com> <20131203163409.2bfaef86@ncopa-desktop.alpinelinux.org> <20131204034711.GL29236@zen> <20131206114150.2257d596@ncopa-desktop.alpinelinux.org> <1386731625.3969.58128045.74D3A3D7@webmail.messagingengine.com>
X-Mailer: Claws Mail 3.9.2 (GTK+ 2.24.20; x86_64-alpine-linux-uclibc)
X-Mailinglist: alpine-devel
Precedence: list
List-Id: Alpine Development
List-Unsubscribe:
List-Post:
List-Help:
List-Subscribe:
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Tue, 10 Dec 2013 22:13:45 -0500
Jim Pryor wrote:

> On Fri, Dec 6, 2013, at 05:41 AM, Natanael Copa wrote:
> > > > > Is it possible to use abuild for the full range of activities without
> > > > > being in the abuild group? Do we just prompt with sudo or su in those
> > > > > cases when needed? In that case the security-conscious solution will
> > > > > just be don't add your users to the "abuild" group. The costs and
> > > > > benefits of this would just need to be more clearly documented.
> > > >
> > > > You need to either be in the abuild group or have sudo permissions to use
> > > > abuild -r for letting abuild install the deps for you.
> > >
> > > Ok, but they don't have to be permissions to use "sudo abuild -r ..."
> > > WITHOUT PASSWORD, correct? That's the behavior I expect.
> >
> > I don't understand the question. Sorry.
> >
> > abuild will slap you in the face if you run abuild as root (sudo abuild)
> >
> > The point was that on buildservers you don't need to add the user to
> > sudoers (with NOPASSWD). Build servers cannot prompt for passwords.
>
> Sorry I wasn't clear. If I'm understanding right, here is how things
> stand:
>
> One can't run abuild as root, or using "sudo abuild" (unless one
> supplies the -F switch?).

Correct.

> One option is to add the current user to the abuild group (log out and
> log back in as needed). Then abuild can do everything it needs to do,
> without prompting for any passwords.

Correct. This would be equivalent to giving the user NOPASSWD sudo
permissions for running apk, adduser and addgroup. (In practice it means
full root privileges.)

> Another option is to do this:
>
> > > > To use sudo instead of abuild-apk you can set SUDO_APK="sudo apk"
> > > > in /etc/abuild.conf (or just export SUDO_APK="sudo apk").
>
> Then the user in question needs to have permissions to run the commands
> abuild wants to run in the /etc/sudoers file. If we're talking about a
> build server, then those have to be NOPASSWD permissions. But if it's an
> interactive machine, then the NOPASSWD permissions aren't needed, right?

Correct.

> Abuild will just invoke whatever you gave it as SUDO_APK, and if that
> in turn wants to demand passwords from the user, so be it. No problem
> there, correct?

As long as the APKBUILD does not set pkgusers or pkggroups it should be ok.
I think you then have to set:

ADDUSER="sudo adduser"
ADDGROUP="sudo addgroup"

-nc


---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
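The sudo-based setup discussed in the message above (SUDO_APK, ADDUSER and ADDGROUP in /etc/abuild.conf, plus a sudoers rule that is NOPASSWD only on a build server, where nothing can answer a password prompt), written out as an added example. This is not code from the thread or from abuild itself. The command paths /sbin/apk, /usr/sbin/adduser and /usr/sbin/addgroup, the drop-in file /etc/sudoers.d/abuild and the helper names are my assumptions; check the paths with `command -v apk adduser addgroup` on the target host before installing the rule. The rule is scoped to the three commands abuild invokes, but, as Natanael notes, passwordless apk is still full root in practice, so the NOPASSWD variant belongs on dedicated build hosts only.

```shell
#!/bin/sh
# Added example, not part of the original thread or of abuild:
# provision "sudo instead of the abuild group" for an unprivileged build user.
#   $1 = target root ("/" on a real host, a temp dir for a dry run)
#   $2 = build user name
#   $3 = "buildserver" (NOPASSWD, no TTY to prompt on) or "interactive" (password asked)
# Assumed command paths (verify with `command -v apk adduser addgroup`):
APK_BIN=/sbin/apk
ADDUSER_BIN=/usr/sbin/adduser
ADDGROUP_BIN=/usr/sbin/addgroup

# abuild reads these variables from /etc/abuild.conf. SUDO_APK is enough for
# `abuild -r`; ADDUSER/ADDGROUP only matter once an APKBUILD sets
# pkgusers or pkggroups, as the message above explains.
write_abuild_conf() {
    root=$1
    mkdir -p "$root/etc"
    cat >"$root/etc/abuild.conf" <<'EOF'
SUDO_APK="sudo apk"
ADDUSER="sudo adduser"
ADDGROUP="sudo addgroup"
EOF
}

# Emit a sudoers drop-in limited to the three commands abuild runs via sudo.
# "buildserver" adds NOPASSWD; "interactive" leaves sudo's password prompt on.
write_sudoers() {
    root=$1 user=$2 mode=$3
    case $mode in
        buildserver) tag="NOPASSWD: " ;;
        interactive) tag="" ;;
        *) echo "mode must be buildserver or interactive" >&2; return 2 ;;
    esac
    f=$root/etc/sudoers.d/abuild
    mkdir -p "$root/etc/sudoers.d"
    rm -f "$f"   # file is installed 0440, so replace rather than overwrite
    printf '%s ALL=(root) %s%s, %s, %s\n' \
        "$user" "$tag" "$APK_BIN" "$ADDUSER_BIN" "$ADDGROUP_BIN" >"$f"
    chmod 0440 "$f"
}

# Return 0 when the drop-in grants $user exactly the three commands with the
# password policy expected for $mode; anything else (missing command, or
# NOPASSWD on an interactive host) returns 1.
check_sudoers() {
    root=$1 user=$2 mode=$3
    f=$root/etc/sudoers.d/abuild
    grep -q "^$user ALL=(root) " "$f" || return 1
    grep -q "$APK_BIN, $ADDUSER_BIN, $ADDGROUP_BIN" "$f" || return 1
    if [ "$mode" = buildserver ]; then
        grep -q "NOPASSWD: " "$f"
    else
        ! grep -q "NOPASSWD" "$f"
    fi
}

# Usage: sh abuild-sudo.sh / builder buildserver   (as root on the target)
if [ $# -eq 3 ]; then
    write_abuild_conf "$1"
    write_sudoers "$1" "$2" "$3"
    check_sudoers "$1" "$2" "$3" && echo "configured $2 ($3) under $1"
fi
```

Run it against a scratch directory first to inspect the generated files; on the real host, `visudo -c` after installing the drop-in will catch a syntax slip before sudo starts refusing everyone.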