On 27.03.2018 09:22, Julien Cristau wrote: > On 03/22/2018 10:31 PM, Aurelien Jarno wrote: >> To do more tests I agree that we should deploy it on more buildds. For >> *this phase*, I believe enabling lingering and deploying it by hand is >> the best. Is it something acceptable? >> > Sounds ok to me, though I'd prefer if the buildd user (as in the user > the service runs as) didn't have write access to the deployed code or > configuration. Maybe that's a later step though.
Does that really matter? If we were to use user sessions it's a little hard to prevent that. Unless we tighten up the permissions to make all service directories owned by someone else, which then makes sudo'ing to that user a little awkward. Plus chown'ing files around. Because otherwise someone with write access to ~buildd's home can still juggle around things. We could run the build as a different user in theory, but that's somewhat hard with sbuild right now unless we "sudo -u" over when executing sbuild. And then we need to manage files as a different user as well. If the threat model is that the ongoing build tampers with the files, I'm open to constrain the build environment even further. Unfortunately while it seems that a newer schroot version (in a branch that did not receive any updates for years anymore) would support those, that version has just been removed from experimental. That all said: I'm happy to brainstorm and to implement proposed solutions. Right now that seems to require more infrastructural changes though and I'd rather focus on getting rid of buildd itself first. Kind regards and thanks Philipp Kern
