Mock and consolehelper

Tomas Mraz tmraz at redhat.com
Wed Dec 19 08:25:20 UTC 2007


On Wed, 2007-12-19 at 07:19 +0000, Kevin Kofler wrote:
> I have noticed that mock in Rawhide has been changed to drop the SUID helper, 
> instead consolehelper is used to run the entire mock as root. IMHO, this is a 
> regression:
> * It now means you have to know the root password to run mock. Before, it was 
> possible to give out mock access and only that simply by making the user a 
> member of the mockbuild group. Now the only way to do that is to allow running 
> all of mock as root, which probably opens up several ways to get full root 
> access from there.
You can configure access to mock through the /etc/pam.d/mock file and it
currently already should allow to non-interactive use by users in group
mock. There is:

auth            sufficient      pam_rootok.so
auth            sufficient      pam_succeed_if.so user ingroup mock use_uid quiet

> * It means mock has to be run interactively. What are the implications of this 
> on the builders? Will they have to install all of mock SUID root, or set up 
> consolehelper in a way which effectively does the same?
> * It reduces security, as instead of a small helper doing only a few controlled 
> operations, you now run all of mock as root. Sure, it's Python, so buffer 
> overflows probably can't happen, but still, trigger any bug in mock with a 
> trojaned SRPM and you have root.
mock could still drop priviledges - change to mock user or whatever as
soon as it doesn't need to be root anymore.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb




More information about the fedora-devel-list mailing list