hosted reproducible package building with multiple developers?
Richard W.M. Jones
rjones at redhat.com
Wed Dec 8 22:02:58 UTC 2010
On Wed, Dec 08, 2010 at 04:50:11PM -0500, seth vidal wrote:
> On Wed, 2010-12-08 at 22:40 +0100, Till Maas wrote:
> > On Wed, Dec 08, 2010 at 09:00:51PM +0000, Richard W.M. Jones wrote:
> > > To the original poster: even a VM isn't a completely robust way of
> > > preventing root escalations. If the developers are all in your
> > > "organization", how about using a cluestick-based method to prevent
> > > them doing this?
> > I guess giving someone a shell account in a VM is usually not less safe
> > than giving someone shell access on the host of the VM, as long as the
> > VM does not use kvm and does not run as root. Because even if the user
> > could break out of the VM, he still has only the same privileges as when
> > he got a shell access to the host directly.
> the point is to make the vm's be entirely disposable.
> So you make the vm
> build the pkg in mock
> suck the results off
> destroy the vm
> nothing to risk, then.
If we're being picky then the hypervisor might be exploited during the
package build, with the exploit escalating to root on the host. It's
very hard to pull this off, but with security never say 'never'.
In any case, using sVirt (libvirt + SELinux) should help.
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
More information about the devel