source: devel/pb-doc/SECURITY

Last change on this file was 2289, checked in by bruno, 3 months ago

Fix pb.conf old usage

  • Fix build for pod doc
  • Fix remaining ref to pb.conf
File size: 4.7 KB
Line 
1Security infos
2==============
3In order to work correctly, pb needs some root access to perform certain activities.
4This is done by calls to sudo.
5However, by default all actions are performed with an unpriviledge user (the one using pb or the pb user if working on VM/VE/RM)
6Security is not considered a constaint when pb is generating the build environment itself, such as for VM and VE. So, in these cases, the sudo configuration allows the pb user to do all commands without password in the VM or to perform locally all actions for the VE management, by being granted full local access.
7However, when using pb with RM, as the systems may pre-exist and be used for other tasks, a strict analysis of the actions performed is required, in order to restrict precisely the commands called with sudo priviledges, as these are done without password request to automate generation.
8
9In the Distributions.pm module there are sudo calls, corresponding to the abilty to configure automatically additional repositories. That feature may not be used on RM or solved manually without problem. In case this is used, and sudo isn't configured accordingly, then the additional repo will NOT be added and the build will probably fail.
10
11In the default pb.yml main configuration files, parameters for osupd and osins for the various distributions call sudo to make the installation of missing packages. These calls are done as 'pb' user by default (or the account configured as rmlogin in the configuration file). In case this is used, and sudo isn't configured accordingly, then the additional required packages will NOT be added and the build will probably fail.
12For RM, we may consider that all required packages for the build are already installed on the system, or give rpm/yum/dnf/apt/urpmi/zypper... sudo rights to the build account manually.
13Recommended for a manual setup (not using rmsetup): Add manually to your system sudo access for the pb account to the local package install and update command such as /bin/rpm e.g:
14cat >> /etc/sudoers << EOF
15pb  localhost=/bin/rpm NOPASSWD:
16EOF
17
18
19In order to handle correctly RM, we need to consider they are well managed, and already have NTP configuration correctly setup. You may also allow pb to setup date on your RM, if you consider it harmful. pb will use the configuration parameter
20
21All:
22sudo $vntpcmd $vntp (Command extracted from a local conf file => Potential Security issue for RM)
23sudo /bin/date
24
25The default /etc/sudoers file created for VM/VE contains:
26Defaults:pb env_keep += "http_proxy https_proxy ftp_proxy"
27Defaults:pb !requiretty
28pb ALL=(ALL) NOPASSWD:ALL
29
30For VM, we have just one sudo call that is required for pb to halt the VM. They are launched in the VM. Again, no special security feature is provided, as we consider that the pb account should do what he wants in the VM. Please report to dev team any concern you have around this.
31sudo $hpath/halt $hoption
32
33For VE, we have this list of additional sudo calls that are required for pb to work correctly. They are launched on the main system, but target the chroot. Again, no special security feature is provided, as we consider that the pb account should do what he wants in the chroot. But some commands need to be executed from the host environement, and thus should be looked at closely anyway. Please report to dev team any concern you have around this.
34shcmd: sudo /usr/sbin/chroot $tpdir
35shcp : sudo /bin/cp -r
36(These 2 commands are used a lot to setup the chroot correctly)
37sudo chown -R $mac $tdir
38sudo chown $UID $ENV{'PBBUILDDIR'}/pbgen-$ENV{'PBPROJVER'}-$ENV{'PBPROJTAG'}.$$"
39sudo tar cz  -C $tpdir -f $vepath->{$ENV{'PBPROJ'}}/$odir-$over-$oarch.tar.gz .
40sudo rinse|rpmbootstrap|mock|debootstrap
41sudo cp /etc/hosts $vepath->{$ENV{'PBPROJ'}}/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'}/etc/hosts
42sudo chmod 755 $vepath->{$ENV{'PBPROJ'}}/$pbos->{'name'} $vepath->{$ENV{'PBPROJ'}}/$pbos->{'name'}/$pbos->{'version'} $vepath->{$ENV{'PBPROJ'}}/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'}
43sudo rm -rf $vepath->{$ENV{'PBPROJ'}}/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'} ; sudo mkdir -p $vepath->{$ENV{'PBPROJ'}}/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'} ; sudo tar xz  -C $vepath->{$ENV{'PBPROJ'}}/$pbos->{'name'}/$pbos->{'version'}/$pbos->{'arch'} -f $vepath->{$ENV{'PBPROJ'}}/$pbos->{'name'}-$pbos->{'version'}-$pbos->{'arch'}.tar.gz
44sudo /bin/mount -t proc /proc /proc
45sudo /bin/umount /proc
46sudo rm -f $vepath->{$ENV{'PBPROJ'}}/$pbos->{'name'}-$pbos->{'version'}-$pbos->{'arch'}.tar.gz
47
48Here is a list of commands called locally to build on some Linux distributions special cases:
49For gentoo: sudo sh -c 'echo PORTDIR_OVERLAY=\"$ENV{'HOME'}/portage\" >> /etc/make.conf'
50For Slackware (TBC): sudo /sbin/makepkg -p -l y -c y $pbpkg
Note: See TracBrowser for help on using the repository browser.