Re: mpgrafic - mpirun test program as root in automatic build
On Thu, Jan 19, 2017 at 08:21:36AM +0800, Paul Wise wrote: > On Thu, Jan 19, 2017 at 7:44 AM, Sean Whitton wrote: > > > This is temporarily false: #852071 > > Is there a typo in that bug? I get a 404 #851071, sorry! -- Sean Whitton signature.asc Description: PGP signature
Re: mpgrafic - mpirun test program as root in automatic build
On Thu, Jan 19, 2017 at 7:44 AM, Sean Whitton wrote: > This is temporarily false: #852071 Is there a typo in that bug? I get a 404 -- bye, pabs https://wiki.debian.org/PaulWise
Re: mpgrafic - mpirun test program as root in automatic build
Hello, On Wed, Jan 18, 2017 at 02:25:41PM +0800, Paul Wise wrote: > On Wed, Jan 18, 2017 at 5:13 AM, Boud Roukema wrote: > > > I've looked a bit at buildd.debian.org, but it's not completely > > trivial to decide which is correct - do the buildd builds on the > > debian build machines run dh_auto_tests as (i) root, as (ii) an unprivileged > > user running fakeroot, or as (iii) an unprivileged user? > > (iii) an unprivileged user > > fakeroot is only used at `debian/rules install` time. This is temporarily false: #852071 -- Sean Whitton signature.asc Description: PGP signature
Re: mpgrafic - mpirun test program as root in automatic build
Paul Wisewrites: > On Wed, Jan 18, 2017 at 3:58 PM, Ole Streicher wrote: > >> Also when using cowbuilder? At least I see the whole build done by root >> when running in my cowbuilder chroot. That was the point that lead to >> the trouble here... > > Yep. I tested this with id and override_dh_auto_* in cowbuilder: > > fakeroot debian/rules clean >debian/rules override_dh_auto_clean > uid=0(root) gid=0(root) groups=0(root),1234(pbuilder) > debian/rules build >debian/rules override_dh_auto_configure > uid=1234(pbuilder) gid=1234(pbuilder) groups=1234(pbuilder) >debian/rules override_dh_auto_build > uid=1234(pbuilder) gid=1234(pbuilder) groups=1234(pbuilder) >debian/rules override_dh_auto_test > uid=1234(pbuilder) gid=1234(pbuilder) groups=1234(pbuilder) > fakeroot debian/rules binary >debian/rules override_dh_auto_install > uid=0(root) gid=0(root) groups=0(root),1234(pbuilder) OK, I finally found it: I had a line BUILDUSERNAME= in my .pbuilderrc, which was obviously interpreted as root. Thanks Ole
Re: mpgrafic - mpirun test program as root in automatic build
On Wed, Jan 18, 2017 at 3:58 PM, Ole Streicher wrote: > Also when using cowbuilder? At least I see the whole build done by root > when running in my cowbuilder chroot. That was the point that lead to > the trouble here... Yep. I tested this with id and override_dh_auto_* in cowbuilder: fakeroot debian/rules clean debian/rules override_dh_auto_clean uid=0(root) gid=0(root) groups=0(root),1234(pbuilder) debian/rules build debian/rules override_dh_auto_configure uid=1234(pbuilder) gid=1234(pbuilder) groups=1234(pbuilder) debian/rules override_dh_auto_build uid=1234(pbuilder) gid=1234(pbuilder) groups=1234(pbuilder) debian/rules override_dh_auto_test uid=1234(pbuilder) gid=1234(pbuilder) groups=1234(pbuilder) fakeroot debian/rules binary debian/rules override_dh_auto_install uid=0(root) gid=0(root) groups=0(root),1234(pbuilder) -- bye, pabs https://wiki.debian.org/PaulWise
Re: mpgrafic - mpirun test program as root in automatic build
Paul Wisewrites: > On Wed, Jan 18, 2017 at 3:37 PM, Boud Roukema wrote: > >> I guess by "both of these" you mean "most of the build steps (apart from >> the 'debian/rules install' step)"? > > What I wrote wasn't clear and wasn't strictly true, sorry! > > When manually building from source: > > You always build/test as a normal user. > You install as either root or normal user, depending on the install > prefix. > > When doing Debian package builds: > > You always build/test as a normal user. > You always install using fakeroot. Also when using cowbuilder? At least I see the whole build done by root when running in my cowbuilder chroot. That was the point that lead to the trouble here... Best Ole
Re: mpgrafic - mpirun test program as root in automatic build
On Wed, 18 Jan 2017, Paul Wise wrote: When manually building from source: You always build/test as a normal user. You install as either root or normal user, depending on the install prefix. When doing Debian package builds: You always build/test as a normal user. You always install using fakeroot. Thanks for the clarification :). That's consistent with my experience, and seems like reasonable policy. Cheers Boud
Re: mpgrafic - mpirun test program as root in automatic build
On Wed, Jan 18, 2017 at 3:37 PM, Boud Roukema wrote: > I guess by "both of these" you mean "most of the build steps (apart from > the 'debian/rules install' step)"? What I wrote wasn't clear and wasn't strictly true, sorry! When manually building from source: You always build/test as a normal user. You install as either root or normal user, depending on the install prefix. When doing Debian package builds: You always build/test as a normal user. You always install using fakeroot. -- bye, pabs https://wiki.debian.org/PaulWise
Re: mpgrafic - mpirun test program as root in automatic build
On Wed, 18 Jan 2017, Paul Wise wrote: On Wed, Jan 18, 2017 at 5:13 AM, Boud Roukema wrote: I've looked a bit at buildd.debian.org, but it's not completely trivial to decide which is correct - do the buildd builds on the debian build machines run dh_auto_tests as (i) root, as (ii) an unprivileged user running fakeroot, or as (iii) an unprivileged user? (iii) an unprivileged user fakeroot is only used at `debian/rules install` time. Both of these are the same as if you were building manually from source. I guess by "both of these" you mean "most of the build steps (apart from the 'debian/rules install' step)"? cheers boud
Re: mpgrafic - mpirun test program as root in automatic build
On Wed, Jan 18, 2017 at 5:13 AM, Boud Roukema wrote: > I've looked a bit at buildd.debian.org, but it's not completely > trivial to decide which is correct - do the buildd builds on the > debian build machines run dh_auto_tests as (i) root, as (ii) an unprivileged > user running fakeroot, or as (iii) an unprivileged user? (iii) an unprivileged user fakeroot is only used at `debian/rules install` time. Both of these are the same as if you were building manually from source. -- bye, pabs https://wiki.debian.org/PaulWise
Re: mpgrafic - mpirun test program as root in automatic build
On Tue, 17 Jan 2017, James Cowgill wrote: I'm not sure I follow. Debhelper runs the testsuite during the build target so it shouldn't be run as root anyway. I don't think you need any workarounds at all for this. I agree in terms of principles :), but I don't know what actually happens on the buildd machines. I've looked a bit at buildd.debian.org, but it's not completely trivial to decide which is correct - do the buildd builds on the debian build machines run dh_auto_tests as (i) root, as (ii) an unprivileged user running fakeroot, or as (iii) an unprivileged user? Looking at git://git.debian.org/buildd-tools/sbuild.git it looks like the user is "buildd" - but this is just a guess. The mpirun exit-if-root mechanism is in openmpi-2.0.2~git.20161225/orte/orted/orted_submit.c Isolating this to lines 319-335, this is easy to test as a standalone main program (see snippet.c below) - the exit-if-root test is triggered either (i) using root directly, or (ii) as ordinary user running fakeroot. Even as fakeroot, both geteuid() and getuid() in the snippet below report an identity of 0. My own pbuilder setup - closely following the maint-guide.en.txt advice - appears *not* to run "make check" as fakeroot or root, since I do not see the error and exit due to running as root. The snippet below can be tested: user$ ./snippet user$ fakeroot ./snippet root# ./snippet Cheers Boud -- /* inspired by openmpi-2.0.2~git.20161225/orte/orted/orted_submit.c root detection */ /* (C) 2017 GPL-3+ B. Roukema if copyright is needed */ #include #include #include int main(void) { int uid = 77 , euid = ; euid = geteuid(); uid = getuid(); if (0 == euid){ printf("WARNING: You are effectively root.\n"); }; if (0 == uid){ printf("WARNING: You are really root.\n"); }; if (0 != uid && 0 != euid){ printf("You are not running as root :).\n"); } return 0; } --
Re: mpgrafic - mpirun test program as root in automatic build
James Cowgillwrites: > On 16/01/17 23:58, Boud Roukema wrote: >> Since, in general, there is no reason for mpirun to run as root, >> the sid version of mpirun (from openmpi) apparently refuses to run as root. >> (I have not reproduced this behaviour myself - Ole Streicher >> has warned me about it.) The openmpi developers provide an option >> --allow-run-as-root. > > I'm not sure I follow. Debhelper runs the testsuite during the build > target so it shouldn't be run as root anyway. I don't think you need any > workarounds at all for this. I (as Bouds sponsor) have the problem that in my cowbuilder the build is done as root, leading to the questioned error message and a failure of the test and the build. Maybe in my setup something is wrong? Best regards Ole
Re: mpgrafic - mpirun test program as root in automatic build
Hi, On 16/01/17 23:58, Boud Roukema wrote: > hi Debian-mentors, > > Is it reasonable to override the mpirun (openmpi_2.0.2~git.20161225-8) > default preference of refusing to run as root? > > I've started packaging mpgrafic for debian - this is my first > debianisation, apart from minor private hacks after extracting debian > source packages: > > https://anonscm.debian.org/cgit/debian-astro/packages/mpgrafic.git/ > > I've added regression-test-0.3.7.sh to the upstream version of > mpgrafic. This is a "reproducible run" test. The test runs the main > binary, mpgrafic, with a frontend "mpirun", which, in general, allows > a program to run on many different machines, without shared memory. > This test runs explicitly on exactly one processor, for reproducibility. > > Since, in general, there is no reason for mpirun to run as root, > the sid version of mpirun (from openmpi) apparently refuses to run as root. > (I have not reproduced this behaviour myself - Ole Streicher > has warned me about it.) The openmpi developers provide an option > --allow-run-as-root. > > In version 0.3.7.4-1, the debian-only, openmpi-only use of this option in > debian/rules + regression-test-0.3.7.sh > > https://anonscm.debian.org/cgit/debian-astro/packages/mpgrafic.git/tree/debian/rules > > https://anonscm.debian.org/cgit/debian-astro/packages/mpgrafic.git/tree/regression-test-0.3.7.sh > > > should presumably allow debian automatic builds to pass "make check". I'm not sure I follow. Debhelper runs the testsuite during the build target so it shouldn't be run as root anyway. I don't think you need any workarounds at all for this. James signature.asc Description: OpenPGP digital signature
mpgrafic - mpirun test program as root in automatic build
hi Debian-mentors, Is it reasonable to override the mpirun (openmpi_2.0.2~git.20161225-8) default preference of refusing to run as root? I've started packaging mpgrafic for debian - this is my first debianisation, apart from minor private hacks after extracting debian source packages: https://anonscm.debian.org/cgit/debian-astro/packages/mpgrafic.git/ I've added regression-test-0.3.7.sh to the upstream version of mpgrafic. This is a "reproducible run" test. The test runs the main binary, mpgrafic, with a frontend "mpirun", which, in general, allows a program to run on many different machines, without shared memory. This test runs explicitly on exactly one processor, for reproducibility. Since, in general, there is no reason for mpirun to run as root, the sid version of mpirun (from openmpi) apparently refuses to run as root. (I have not reproduced this behaviour myself - Ole Streicher has warned me about it.) The openmpi developers provide an option --allow-run-as-root. In version 0.3.7.4-1, the debian-only, openmpi-only use of this option in debian/rules + regression-test-0.3.7.sh https://anonscm.debian.org/cgit/debian-astro/packages/mpgrafic.git/tree/debian/rules https://anonscm.debian.org/cgit/debian-astro/packages/mpgrafic.git/tree/regression-test-0.3.7.sh should presumably allow debian automatic builds to pass "make check". Is the choice to use the option --allow-run-as-root safe from a general system security point of view? My arguments against (i.e. it would be unsafe): * A newbie might download/extract the debian source as root, unintentionally modify the fortran source to do some dangerous things with files and directories, change the -n 1 option to -n 32 for a cluster of 4 machines each with 8 processors, and then try "make check". Since the --allow-run-as-root option is enabled in regression-test-0.3.7.sh, the newbie does some dangerous root operations. Counterarguments (i.e. it would be safe): ** If the newbie has ignored the recommendation of building debian packets from source with fakeroot debian/rules binary, then s/he is already taking superuser risks, and we can't do much to help him/her; ** Introducing system-dangerous operations in fortran is possible, but unlikely for someone just wishing to make a cosmology calculation; ** If the newbie modifies the -n 1 option, then s/he would see the much more obvious --allow-run-as-root option and should learn enough to realise that running as root is unlikely to be needed when compiling/running the package as an ordiner user. An alternative I see to enabling --allow-run-as-root would be e.g. adduser --no-create-home --disabled-password mpgrafic mpirun -n 1 ... ; deluser mpgrafic but that would unnecessarily require build dependence on adduser, and creating/removing users is itself a security-related issue that automated checkers (e.g. lintian) might (or should?) be concerned about. I'd like to rename mpgrafic-0.3.7.4 to 0.3.8 upstream, along with the debian versions 0.3.7.4-1 and 0.3.8-1, but first it would be good to hear some opinions on this. tracker: https://tracker.debian.org/pkg/mpgrafic Cheers Boud