[Pkg-javascript-devel] Bug#792064: Bug#792064: FTBFS: tests fail with CAP_DAC_OVERRIDE and without networking

Luca Bruno lucab at debian.org
Thu Jul 16 09:54:41 UTC 2015 

tags 792064 + fixed-upstream pending
forwarded 792064 https://github.com/libuv/libuv/pull/441
thanks

On Sun, 12 Jul 2015 20:02:24 +0100 solo-debianbugs at goeswhere.com wrote:
> > However, as this seems to be part of repro-build (which I do care about), 
> > you can find a patch here that should fix it. Let me know if it works.
> 
> Woo, thanks!

FYI, this has been merged upstream (both v0.10 and v1.x):
https://github.com/libuv/libuv/pull/441

> > > If you have CAP_DAC_OVERRIDE (e.g. you're running the build as root),
> > 
> > Isn't this an incredibly bad practice?
> 
> That builder (one I'm in the middle of writing!) runs stuff as "uid 0"
> inside an unprivileged LXC (i.e. in a new uid/pid/mount/... namespace),
> which is (I believe) supported for security, i.e. it should be safe.
> It's easy enough to flip the builder over to using a normal user
> inside the container, in the future.

Given the sheer number of namespace escape bugs we saw every month, I would
recommend against running as uid=0 inside LXC where not strictly needed.
IMHO it is still far too easy to escape to host, and builds usually do not 
require it. Principle of least privilege, as always.

> I was under the impression that there was a policy entry requiring stuff
> to be buildable as root, so I thought I'd let it run as root for now.
> Otoh, I can't actually find said policy entry, nor one for requiring
> packages to build without networking; perhaps the latter covered simply
> by the requirement that there's no dependency on anything outside of
> main.

I don't have policy reference at hand, but I remember that as 
"never retrieve stuff from the internet".
I think nowhere we mandate "build without any network interface/route".
Personally, I think this one is a sensible environment to support, though.

Cheers, Luca

-- 
 .''`.  ** Debian GNU/Linux **  | Luca Bruno (kaeso)
: :'  :   The Universal O.S.    | lucab (AT) debian.org
`. `'`                          | GPG: 0xBB1A3A854F3BBEBF
  `-     http://www.debian.org 	| Debian GNU/Linux Developer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-javascript-devel/attachments/20150716/5cb9e205/attachment-0001.sig>

More information about the Pkg-javascript-devel mailing list