[Python-Dev] cpython (3.2): Issue #11956: Skip test_import.test_unwritable_directory on FreeBSD when run as
Cameron Simpson
cs at zip.com.au
Fri Oct 7 12:40:18 CEST 2011
On 07Oct2011 06:18, Glyph <glyph at twistedmatrix.com> wrote:
| On Oct 7, 2011, at 5:10 AM, Stephen J. Turnbull wrote:
|
| > The principle here is "ran as root" without further explanation is a
| > litmus test for "not bothering about security", even today. It's
| > worth asking for explanation, or at least a comment that "all the
| > buildbot contributors I've talked to have put a lot of effort into
| > security configuration".
|
| This is a valid point. I think that Cameron and I may have
| had significantly different assumptions about the environment being
| discussed here. I may have brought some assumptions about the build
| farm here that don't actually apply to the way Python does it.
Likewise. I state now that I have no actual knowledge of the practices
in the build farm(s).
| To sum up what I believe is now the consensus from this thread:
|
| Anyone setting up a buildslave should take care to invoke the build in
| an environment where an out-of-control buildbot, potentially executing
| arbitrarily horrible and/or malicious code, should not damage anything.
| Builders should always be isolated from valuable resources, although
| the specific mechanism of isolation may differ. A virtual machine is a
| good default, but may not be sufficient; other tools for cutting of the
| builder from the outside world would be chroot jails, solaris zones, etc.
|
| Code runs differently as privileged vs. unprivileged users. Therefore
| builders should be set up in both configurations, running the full test
| suite, to ensure that all code runs as expected in both configurations.
| Some tests, as the start of this thread indicates, must have some
| special logic to make sure they do or do not run, or run differently,
| in privileged vs. unprivileged configurations, but generally speaking
| most things should work in both places.
|
| Access to root my provide access to slightly surprising resources,
| even within a VM (such as the ability to send spoofed IP packets,
| change the MAC address of even virtual ethernet cards, etc), and
| administrators should be aware that this is the case when configuring
| the host environment for a run-as-root builder. You don't want to end
| up with a compromised test VM that can snoop on your network.
|
| Have I left anything out? :-)
I think that the build and the tests should be different security
scopes/zones/levels: different users or different VMs. Andrew's
suggestion of a VM-for-tests sounds especially good.
And that I think the as-root tests suite shouldn't run unless the
not-root test suite passes.
Cheers,
--
Cameron Simpson <cs at zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/
It is not true that life is one damn thing after another -- it's one damn
thing over and over. - Edna St. Vincent Millay
More information about the Python-Dev
mailing list