Recommend:

    do_elevated()
    do_asuser()

To ensure that all calls are easy-to-audit. The elevate() and drop() calls should be properly bracketed with a try/finally so that exceptions do not interfere with dropping privs.

Along these lines, I also thought that the mount()/umount() code would be best if it were pushed into the do() function. As for the new mock, I would say patch format to the list is best for small changes.

-- Michael

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clark Williams
> Sent: Thursday, June 15, 2006 9:19 AM
> To: Discussion of Fedora build system
> Subject: First srpm built with new mock launcher + modified mock.py
>
> I actually built an SRPM last night, using a moderately hacked mock.py with the new mock launcher.
>
> After figuring out what Michael meant wrt uid/gid manipulation, I went into mock.py and added two methods to the Root class:
>
>     elevate() - change uid to the effective uid (i.e. root)
>     drop() - change uid back to real uid (i.e. your user id)
>
> I modified the startup code to save off effective and real uids and to set the realgid to the mock group. I then bracketed calls to "do" that require privileges (e.g. chroot, mount, etc.) to look like this:
>
>     self.elevate()
>     self.do(<privileged command>)
>     self.drop()
>
> I had an elinks srpm hanging around and fired off a mock build of that package, which after finding a couple of calls that needed privileges, worked (I'm always amazed when that happens). Admittedly it's not a complex build, but it's a start.
>
> One thing I'm puzzled about is that the build worked on a system running SELinux and currently the SELinux preload isn't being done. Anyone have an example build that bombs because of SELinux when the LD_PRELOAD isn't done?
>
> I need to do a little tidying up of mock.py. The cache stuff is completely broken because the actual pack/unpack logic is in the now-defunct mock-helper. I got started moving it into mock.py, but was overcome with sleepiness last night and didn't finish.
> I'll try and send out a mock.py to the list today (or would you rather have a patch?). Just wanted some eyeballs on it to see if it's going in the right direction.
>
> Clark
>
> --
> Fedora-buildsys-list mailing list
> Fedora-buildsys-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-buildsys-list
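The try/finally bracketing recommended in the reply, sketched as an added example; it is not code from the thread or from mock.py. The method names elevate(), drop(), do_elevated() and do_asuser() come from the messages above; the use of os.seteuid(), the `runner` parameter and the `audit` list are assumptions made for illustration.

```python
import os
import subprocess


class Root:
    """Stand-in for mock.py's Root class; only privilege bracketing is modelled."""

    def __init__(self, runner=subprocess.call):
        # Under a setuid-root launcher the effective uid is root and the
        # real uid is the invoking user. Save both before switching.
        self.privuid = os.geteuid()
        self.useruid = os.getuid()
        self.runner = runner   # hypothetical hook: callable that executes a command
        self.audit = []        # ordered record of uid switches, for review
        self.drop()            # run unprivileged by default

    def elevate(self):
        os.seteuid(self.privuid)
        self.audit.append("elevate")

    def drop(self):
        os.seteuid(self.useruid)
        # Confirm the switch took effect instead of trusting the call.
        if os.geteuid() != self.useruid:
            raise RuntimeError("privileges were not dropped")
        self.audit.append("drop")

    def do_elevated(self, command):
        """Run one command with privileges; always drop afterwards."""
        self.elevate()
        try:
            return self.runner(command)
        finally:
            # Runs on normal return and on any exception from the runner.
            self.drop()

    def do_asuser(self, command):
        """Run one command as the invoking user."""
        self.drop()
        return self.runner(command)
```

With every privileged call routed through do_elevated(), an audit reduces to reviewing its call sites, and a failing mount or chroot cannot leave the process running with the elevated uid.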