[Python-Dev] cpython (3.2): Issue #11956: Skip test_import.test_unwritable_directory on FreeBSD when run as

Glyph glyph at twistedmatrix.com
Fri Oct 7 12:18:55 CEST 2011

On Oct 7, 2011, at 5:10 AM, Stephen J. Turnbull wrote:

> The principle here is "ran as root" without further explanation is a
> litmus test for "not bothering about security", even today.  It's
> worth asking for explanation, or at least a comment that "all the
> buildbot contributors I've talked to have put a lot of effort into
> security configuration".

This is a valid point.  I think that Cameron and I may have had significantly different assumptions about the environment being discussed here.  I may have brought some assumptions about the build farm here that don't actually apply to the way Python does it.

To sum up what I believe is now the consensus from this thread:

Anyone setting up a buildslave should take care to invoke the build in an environment where an out-of-control buildbot, potentially executing arbitrarily horrible and/or malicious code, should not damage anything.  Builders should always be isolated from valuable resources, although the specific mechanism of isolation may differ.  A virtual machine is a good default, but may not be sufficient; other tools for cutting of the builder from the outside world would be chroot jails, solaris zones, etc.
Code runs differently as privileged vs. unprivileged users.  Therefore builders should be set up in both configurations, running the full test suite, to ensure that all code runs as expected in both configurations.  Some tests, as the start of this thread indicates, must have some special logic to make sure they do or do not run, or run differently, in privileged vs. unprivileged configurations, but generally speaking most things should work in both places.
Access to root my provide access to slightly surprising resources, even within a VM (such as the ability to send spoofed IP packets, change the MAC address of even virtual ethernet cards, etc), and administrators should be aware that this is the case when configuring the host environment for a run-as-root builder.  You don't want to end up with a compromised test VM that can snoop on your network.

Have I left anything out? :-)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20111007/a0453f19/attachment.html>

More information about the Python-Dev mailing list