Mike McLean <mikem(a)redhat.com> writes:
> This patch adds a 'koji-helper' setuid program which implements the
> following methods:
> Methods above are implemented to replace the python 'safe_rmtree()' method
> which was never safe, nor will work when 'kojid' is running as non-root.
It all depends on what you mean by safe.
Definitely not the racy
| find ... | xargs rm
...
> The safe_rmtree function protects against the destruction of stray
> mounts underneath the buildroot. This is a serious risk, though perhaps
> some folks will not appreciate how serious until they are debugging a
> buildroot, add a mount, and accidentally delete its contents when the
> buildroot is cleaned.
> Your patch seems to remove this protection.
No; it does not cross filesystem borders.
> I designed kojid to run as root, and I don't see that as a problem. Many
> daemons run as root and kojid has more need of it than most.
What are these needs? 'kojid' runs perfectly as non-root.
> I do not like the old mock security model and I consider it flawed. I
> have no desire to emulate it in koji.
Yes; mock's helper binary is full of races and broken constraints :(
Enrico
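The property the thread is arguing about, as an added example that is neither koji's safe_rmtree nor the patch's helper: a buildroot cleanup that stays on the buildroot's own filesystem, so a stray mount underneath is skipped instead of emptied, and that works fd-relative (openat/unlinkat style) so it does not have the path re-resolution race of `find ... | xargs rm`. The sample tree built in `run_demo` is constructed for the demo.

```python
import os, stat, tempfile

def rmtree_within_fs(root):
    """Delete the tree at ROOT without crossing a mount boundary or following
    any symlink. Returns the stray-mount paths skipped; ROOT stays if any."""
    skipped = []
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        _empty_dir(root_fd, root, os.fstat(root_fd).st_dev, skipped)
    finally:
        os.close(root_fd)
    if not skipped:
        os.rmdir(root)
    return skipped

def _empty_dir(dir_fd, dir_path, root_dev, skipped):
    # Every call is relative to dir_fd, so a component swapped for a symlink
    # after listing is never re-resolved by path (the find|xargs rm race).
    with os.scandir(dir_fd) as it:
        names = [e.name for e in it]
    for name in names:
        st = os.lstat(name, dir_fd=dir_fd)             # lstat: symlinks not followed
        if not stat.S_ISDIR(st.st_mode):
            os.unlink(name, dir_fd=dir_fd)             # files and symlinks: unlink only
            continue
        child = os.path.join(dir_path, name)
        if st.st_dev != root_dev:                      # a mount point: leave it alone
            skipped.append(child)
            continue
        fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
        try:
            before = len(skipped)
            _empty_dir(fd, child, root_dev, skipped)
        finally:
            os.close(fd)
        if len(skipped) == before:                     # nothing kept below: drop it
            os.rmdir(name, dir_fd=dir_fd)

def run_demo():
    # Constructed sample: a buildroot-like tree plus a symlink pointing outside
    # it. Unprivileged code cannot create a mount, so the demo exercises the
    # no-follow path; the st_dev check fires on a real stray mount.
    outside = tempfile.mkdtemp()
    keep = os.path.join(outside, "keep.txt")
    open(keep, "w").close()
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr", "lib"))
    open(os.path.join(root, "usr", "lib", "libfoo.so"), "w").close()
    os.symlink(outside, os.path.join(root, "mnt"))
    skipped = rmtree_within_fs(root)
    return skipped, not os.path.exists(root), os.path.exists(keep)
```

`run_demo()` returns `([], True, True)`: nothing was skipped, the buildroot is gone, and the file behind the symlink survived untouched.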