[Python-Dev] More Buildbot Information in Devguide (Was: Re: cpython (3.2): Issue #11956: Skip test_import.test_unwritable_directory on FreeBSD when run as)

Eric Snow ericsnowcurrently at gmail.com
Fri Oct 7 20:21:38 CEST 2011


On Fri, Oct 7, 2011 at 4:18 AM, Glyph <glyph at twistedmatrix.com> wrote:
> On Oct 7, 2011, at 5:10 AM, Stephen J. Turnbull wrote:
>
> The principle here is "ran as root" without further explanation is a
> litmus test for "not bothering about security", even today.  It's
> worth asking for explanation, or at least a comment that "all the
> buildbot contributors I've talked to have put a lot of effort into
> security configuration".
>
> This is a valid point.  I think that Cameron and I may have had
> significantly different assumptions about the environment being discussed
> here.  I may have brought some assumptions about the build farm here that
> don't actually apply to the way Python does it.
> To sum up what I believe is now the consensus from this thread:
>
> Anyone setting up a buildslave should take care to invoke the build in an
> environment where an out-of-control buildbot, potentially executing
> arbitrarily horrible and/or malicious code, should not damage anything.
>  Builders should always be isolated from valuable resources, although the
> specific mechanism of isolation may differ.  A virtual machine is a good
> default, but may not be sufficient; other tools for cutting off the builder
> from the outside world would be chroot jails, Solaris zones, etc.
> Code runs differently as privileged vs. unprivileged users.  Therefore
> builders should be set up in both configurations, running the full test
> suite, to ensure that all code runs as expected in both configurations.
>  Some tests, as the start of this thread indicates, must have some special
> logic to make sure they do or do not run, or run differently, in privileged
> vs. unprivileged configurations, but generally speaking most things should
> work in both places.
> Access to root may provide access to slightly surprising resources, even
> within a VM (such as the ability to send spoofed IP packets, change the MAC
> address of even virtual ethernet cards, etc), and administrators should be
> aware that this is the case when configuring the host environment for a
> run-as-root builder.  You don't want to end up with a compromised test VM
> that can snoop on your network.
>
> Have I left anything out? :-)

I've created an issue with a patch for a dedicated page in the
devguide on running a build slave[1].  I've included the information
from this thread on that page.  I realize that the thread still has
some juice in it, so the info I copied from this thread is likely
incomplete and/or too much detail, but I wanted to get the devguide
page rolling.

-eric


[1] http://bugs.python.org/issue13124
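The thread's point that some tests need special logic for privileged vs. unprivileged runs (permission bits are simply not enforced for root, which is what broke test_unwritable_directory) can be made concrete. The following is an added example, not code from the thread or from CPython's test suite; the helper names `is_privileged`, `mode_bits_enforced` and `requires_unprivileged` are assumed here.

```python
import os
import stat
import tempfile
import unittest


def is_privileged():
    """True when the effective uid is 0 (root). On platforms without
    geteuid (Windows) we report unprivileged."""
    geteuid = getattr(os, "geteuid", None)
    return geteuid is not None and geteuid() == 0


def directory_is_writable(path):
    """Probe by actually creating a file; the kernel, not the mode bits,
    has the final say (root bypasses DAC checks on POSIX)."""
    probe = os.path.join(path, "probe")
    try:
        with open(probe, "w"):
            pass
    except OSError:
        return False
    os.unlink(probe)
    return True


def mode_bits_enforced():
    """Create a mode 0o000 directory and report whether this process is
    actually refused write access. Returns False for root."""
    with tempfile.TemporaryDirectory() as tmp:
        unwritable = os.path.join(tmp, "unwritable")
        os.mkdir(unwritable)
        os.chmod(unwritable, 0)
        try:
            return not directory_is_writable(unwritable)
        finally:
            # restore permissions so TemporaryDirectory can remove it
            os.chmod(unwritable, stat.S_IRWXU)


def requires_unprivileged(test_func):
    """Skip a test whose assertion relies on permission bits being
    honoured, instead of letting it fail on a run-as-root builder."""
    return unittest.skipIf(is_privileged(), "permission bits are not enforced for root")(test_func)


class UnwritableDirectoryTest(unittest.TestCase):
    @requires_unprivileged
    def test_unwritable_directory(self):
        self.assertTrue(mode_bits_enforced())


if __name__ == "__main__":
    unittest.main()
```

Run under both builder configurations the thread recommends: as an ordinary user the test runs and passes, as root it is reported as skipped rather than as a spurious failure.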

