On Fri, Oct 7, 2011 at 4:18 AM, Glyph <gl...@twistedmatrix.com> wrote:
> On Oct 7, 2011, at 5:10 AM, Stephen J. Turnbull wrote:
>
> The principle here is "ran as root" without further explanation is a litmus test for "not bothering about security", even today. It's worth asking for explanation, or at least a comment that "all the buildbot contributors I've talked to have put a lot of effort into security configuration".
>
> This is a valid point. I think that Cameron and I may have had significantly different assumptions about the environment being discussed here. I may have brought some assumptions about the build farm here that don't actually apply to the way Python does it.
>
> To sum up what I believe is now the consensus from this thread:
>
> Anyone setting up a buildslave should take care to invoke the build in an environment where an out-of-control buildbot, potentially executing arbitrarily horrible and/or malicious code, should not damage anything. Builders should always be isolated from valuable resources, although the specific mechanism of isolation may differ. A virtual machine is a good default, but may not be sufficient; other tools for cutting off the builder from the outside world would be chroot jails, solaris zones, etc.
>
> Code runs differently as privileged vs. unprivileged users. Therefore builders should be set up in both configurations, running the full test suite, to ensure that all code runs as expected in both configurations. Some tests, as the start of this thread indicates, must have some special logic to make sure they do or do not run, or run differently, in privileged vs. unprivileged configurations, but generally speaking most things should work in both places.
>
> Access to root may provide access to slightly surprising resources, even within a VM (such as the ability to send spoofed IP packets, change the MAC address of even virtual ethernet cards, etc), and administrators should be aware that this is the case when configuring the host environment for a run-as-root builder. You don't want to end up with a compromised test VM that can snoop on your network.
>
> Have I left anything out? :-)
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: http://mail.python.org/mailman/options/python-dev/ericsnowcurrently%40gmail.com
I've created an issue with a patch for a dedicated page in the devguide on running a build slave [1]. I've included the information from this thread on that page. I realize that the thread still has some juice in it, so the info I copied from this thread is likely incomplete and/or too much detail, but I wanted to get the devguide page rolling.

-eric

[1] http://bugs.python.org/issue13124
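The "special logic" for tests that must behave differently on a privileged vs. an unprivileged builder, as an added illustration that is not from this thread or from CPython's test suite. It assumes a POSIX builder (root is detected via os.geteuid) and the helper and decorator names are my own:

```python
import os
import stat
import tempfile
import unittest

def is_privileged():
    """True when the effective user is root on POSIX.
    Platforms without geteuid (Windows) are treated as unprivileged here."""
    return hasattr(os, "geteuid") and os.geteuid() == 0

# Decorators for the two builder configurations discussed in the thread.
requires_unprivileged = unittest.skipIf(
    is_privileged(), "checks permission enforcement; meaningless as root")
requires_privileged = unittest.skipUnless(
    is_privileged(), "needs root to observe the privileged behaviour")

def unreadable_file_is_rejected(path):
    """Return True if opening a mode-000 file raises PermissionError.
    Root (CAP_DAC_OVERRIDE on Linux) normally reads it anyway, so the
    correct expectation differs between a root and a non-root builder."""
    os.chmod(path, 0)
    try:
        with open(path, "rb"):
            return False
    except PermissionError:
        return True
    finally:
        # Restore owner rw so the scratch file can be removed afterwards.
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)

class PermissionTests(unittest.TestCase):
    def setUp(self):
        fd, self.path = tempfile.mkstemp()  # constructed scratch file
        os.close(fd)

    def tearDown(self):
        os.unlink(self.path)

    @requires_unprivileged
    def test_mode_000_is_enforced(self):
        self.assertTrue(unreadable_file_is_rejected(self.path))

    @requires_privileged
    def test_root_bypasses_dac(self):
        self.assertFalse(unreadable_file_is_rejected(self.path))

if __name__ == "__main__":
    unittest.main()
```

Run once as a normal user and once as root: each run skips the test that does not apply, which is what keeps a permission check from reporting a false failure on a run-as-root builder.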