[Buildbot-devel] How to not run as root?

Fawad Halim fawad at fawad.net
Mon Nov 8 15:07:00 UTC 2004


Hi,
   In case someone's interested, I'm attaching the runscript I use for 
my buildbot master. I'm using it under runit 
(http://smarden.org/runit/), but it'll probably work unchanged under 
daemontools with slight modification (i.e. replacing chpst with 
setuidgid). Like other runscripts, it starts out running as root, but 
runs the twistd itself as the specified user (buildbot here).

Regards
-fawad
Brian Warner wrote:

>>I don't know Twisted at all, so forgive me if this is an obvious question.
>>    
>>
>
>No worries.. having the 'twistd' launcher-program change uids for you is one
>of the weirder parts, so very little about it is obvious :).
>
>  
>
>>I am setting up BuildBot, but I want both the master and slaves to run 
>>as a specific user: primarily for security reasons, but also because the 
>>build/test process needs to run as a certain user account.
>>    
>>
>
>Sounds good. Nothing about the buildbot itself requires any particular user
>to run, but of course your build process will have its own requirements.
>There's no reason why it should need root privileges.
>
>  
>
>>However, if I try running the master with:
>>
>>$ su buildbot -c 'buildbot start .'
>>    
>>
>
>  
>
>>"/usr/local/lib/python2.3/site-packages/twisted/scripts/twistd.py", line 
>>134, in shedPrivileges
>>     switchUID(uid, gid, euid)
>>   File "/usr/local/lib/python2.3/site-packages/twisted/python/util.py", 
>>line 605, in switchUID
>>     setgid(gid)
>>OSError: [Errno 1] Operation not permitted
>>    
>>
>
>Curious.. I haven't seen this problem before. My hunch is that the .tap file
>was created by a different user (i.e. 'buildbot master' was run by one user,
>but 'buildbot start' is being run by a different one), and twistd is trying
>to switch back to that userid when it starts, and switching userids requires
>root privileges. This would be annoying, and the brief testing I just did
>suggests that it's probably something else, but it's worth a shot doing both
>the 'buildbot master' and the 'buildbot start' as the same user.
>
>Usually, when the buildbot is to be run as a different user than I'm
>currently under, I use sudo:
>
>% sudo -u buildbot buildbot start path/to/buildmaster
>
>It's conceivable that basic 'su' might behave slightly differently (how do
>they handle euid vs uid, for example?).
>
>And for long-term use, I usually set up a '@reboot' cronjob from the target
>user's account to start the buildbot at each reboot. The goal of the new
>debian packaging is to make a proper /etc/init.d/ script to start all system
>buildbots, but that hasn't received a whole lot of testing yet, so I wouldn't
>be surprised if there are some problems.
>
>Let me know if running both commands as the same user helps or not.. if not,
>I'll try to reproduce the problem here. What version of Twisted are you
>using?
>
>good luck,
> -Brian
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: run
URL: <http://buildbot.net/pipermail/devel/attachments/20041108/ea6540b2/attachment.ksh>
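Added example (not part of the original message, the scrubbed attachment, or Twisted's code): a Python sketch of the condition under which a setgid/setuid switch like the one in the quoted traceback returns EPERM, plus a root-started privilege drop of the kind a runscript performs before launching the service. The function names and the numeric IDs in the comments are assumptions made for illustration; "privileged" is simplified to effective uid 0 (on Linux the real test is CAP_SETUID/CAP_SETGID).

```python
import os
import pwd


def switch_blocked(target_uid, target_gid, res_uids, res_gids):
    """Return the calls that would fail with EPERM, in the order they are made.

    res_uids / res_gids are (real, effective, saved) triples as returned by
    os.getresuid() / os.getresgid(). An unprivileged process may only
    setuid/setgid to its real or saved ID; anything else needs root.
    """
    if res_uids[1] == 0:  # simplification: effective uid 0 means privileged
        return []
    blocked = []
    if target_gid is not None and target_gid not in (res_gids[0], res_gids[2]):
        blocked.append("setgid")
    if target_uid is not None and target_uid not in (res_uids[0], res_uids[2]):
        blocked.append("setuid")
    return blocked


def drop_privileges(username):
    """Permanently become `username`; meant to run as root before the service starts."""
    pw = pwd.getpwnam(username)
    blocked = switch_blocked(pw.pw_uid, pw.pw_gid, os.getresuid(), os.getresgid())
    if blocked:
        raise PermissionError(
            "not root: %s to %s would fail with EPERM" % (", ".join(blocked), username)
        )
    if os.geteuid() == 0:
        # Replace root's supplementary groups with the target user's groups.
        os.initgroups(username, pw.pw_gid)
    os.setgid(pw.pw_gid)  # group first: after setuid we can no longer change it
    os.setuid(pw.pw_uid)
    if pw.pw_uid != 0:
        # Confirm the drop is irreversible: regaining uid 0 must be refused.
        try:
            os.setuid(0)
        except PermissionError:
            return
        raise RuntimeError("privileges were not fully dropped")


if __name__ == "__main__":
    # Constructed IDs: a process running as 1000:1000 asked to become 1001:1001.
    print(switch_blocked(1001, 1001, (1000, 1000, 1000), (1000, 1000, 1000)))
```
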

