[Python-Dev] cpython (3.2): Issue #11956: Skip test_import.test_unwritable_directory on FreeBSD when run as

Andrew Bennetts andrew at bemusement.org
Sat Oct 8 14:27:53 CEST 2011


Stephen J. Turnbull wrote:
> Andrew Bennetts writes:
> 
>  > No, that just means you shouldn't trust *root*.  Which is where a
>  > VM is a very useful tool.  You can have the “as root” environment
>  > for your tests without the need to have anything important trust it.
> 
> Cameron acknowledges that he missed that.  So maybe he was right for
> the wrong reason; he's still right.  But in the current context, it is
> not an argument for not worrying, because there is no evidence at all
> that the OP set up his buildbot in a secure sandbox.  As I read his
> followups, he simply "didn't bother" to set up an unprivileged user
> and run the 'bot as that user.

I made no claim about how the bot was deployed.  The point I was
disputing was more general than how one specific bot is deployed.  To
quote the mail I was replying to again: “HOWEVER, the whole suite should
not be _tested_ as root because the code being testing is by definition
untrusted.”  This sentiment was expressed strongly and repeatedly in
several mails.  It was this overly broad assertion I was addressing, and
happily my argument was apparently convincing.

I'm fine with “It's not worth running the tests as root because the
overhead of making a secure setup for it with a VM etc is too hard with
our very limited volunteer resources.”  I'm not fine with “We mustn't
run them as root because it's impossible to do it safely.”  That's all
I'm saying.

[…]
> that was *not* the case; the assumption is falsified.  Nevertheless,
> several people who I would have thought would know better are *all*
> arguing from the assumption that the OP configured his test system
> with security (rather than convenience) in mind, and are castigating
> Cameron for *not* making that same assumption.  To my mind, every post
> is increasing justification for his unease. :-(

I certainly hope I wasn't so severe as to be castigating!  If I was,
Cameron has been kind enough to not show any offense.

> And that's why this thread belongs on this list, rather than on Bruce
> Schneier's blog.  It's very easy these days to set up a basic personal
> VM, and folk of goodwill will do so to help the project with buildbots
> to provide platform coverage in testing new code.  But this
> contribution involves certain risks (however low probability, some
> Very Bad Things *could* happen).  Contributors should get help in
> evaluating the potential threats and corresponding risks, and in
> proper configuration.  Not assurances that nothing will go wrong
> "because you probably run the 'bot in a VM."

For the record, in case it isn't obvious, I think a buildslave that runs
the tests as root and doesn't take precautions like using a VM
dedicated to just running the tests (and not running the buildslave) is
a bad idea.  Although, given that there's a very limited supply of volunteer
labour involved in configuring and administering buildslaves, I'm not
surprised to hear this has happened. :(

I don't object at all to folks like Cameron asking questions to ensure
that these systems are secure enough.  I think that's a good thing!  I
don't even object to treating someone saying “run as root” as a red flag
requiring further explanation.  What I was objecting to was an apparent
willingness to make an unnecessary compromise on software quality.  I
care about the security of contributors' buildslaves.  I also care about
the reliability of Python.

-Andrew.
