[Pkg-javascript-devel] Bug#792064: Bug#792064: FTBFS: tests fail with CAP_DAC_OVERRIDE and without networking
Luca Bruno
lucab at debian.org
Thu Jul 16 09:54:41 UTC 2015
tags 792064 + fixed-upstream pending
forwarded 792064 https://github.com/libuv/libuv/pull/441
thanks
On Sun, 12 Jul 2015 20:02:24 +0100 solo-debianbugs at goeswhere.com wrote:
> > However, as this seems to be part of repro-build (which I do care about),
> > you can find a patch here that should fix it. Let me know if it works.
>
> Woo, thanks!
FYI, this has been merged upstream (both v0.10 and v1.x):
https://github.com/libuv/libuv/pull/441
> > > If you have CAP_DAC_OVERRIDE (e.g. you're running the build as root),
> >
> > Isn't this an incredibly bad practice?
>
> That builder (one I'm in the middle of writing!) runs stuff as "uid 0"
> inside an unprivileged LXC (i.e. in a new uid/pid/mount/... namespace),
> which is (I believe) supported for security, i.e. it should be safe.
> It's easy enough to flip the builder over to using a normal user
> inside the container, in the future.
Given the sheer number of namespace escape bugs we saw every month, I would
recommend against running as uid=0 inside LXC where not strictly needed.
IMHO it is still far too easy to escape to host, and builds usually do not
require it. Principle of least privilege, as always.
> I was under the impression that there was a policy entry requiring stuff
> to be buildable as root, so I thought I'd let it run as root for now.
> Otoh, I can't actually find said policy entry, nor one for requiring
> packages to build without networking; perhaps the latter covered simply
> by the requirement that there's no dependency on anything outside of
> main.
I don't have policy reference at hand, but I remember that as
"never retrieve stuff from the internet".
I think nowhere we mandate "build without any network interface/route".
Personally, I think this one is a sensible environment to support, though.
Cheers, Luca
--
.''`. ** Debian GNU/Linux ** | Luca Bruno (kaeso)
: :' : The Universal O.S. | lucab (AT) debian.org
`. `'` | GPG: 0xBB1A3A854F3BBEBF
`- http://www.debian.org | Debian GNU/Linux Developer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-javascript-devel/attachments/20150716/5cb9e205/attachment-0001.sig>
More information about the Pkg-javascript-devel
mailing list