[Buildbot-devel] Running buildslaves in chroot

Michael Hansen michael.schacht.hansen at gmail.com
Sat Nov 29 22:07:00 UTC 2014


Clearly one does not set up an automated build system to improve security,
but I was just wondering what is best practice. I really appreciate all the
thoughts that you guys have.

So if I run in a chroot jail (or lxc) as a non-privileged user. I just
tested that and it works fine. Now if I have a few steps that need root
privileges and to enable that I give the non-privileged user the ability to
run sudo commands, isn't that (almost) as bad as running the buildslave
directly as root? It is one step more obscure, but would still be
fundamentally as vulnerable, right?

On Sat, Nov 29, 2014 at 4:42 PM, Dan Kegel <dank at kegel.com> wrote:

> I do all those things in the lxc container using sudo.
>
> In the end, a chroot or lxc build is about reproducibility, not real
> security.
> On Nov 29, 2014 1:29 PM, "Michael Hansen" <
> michael.schacht.hansen at gmail.com> wrote:
>
>> I guess my problem is that I would like to run things like debootstrap,
>> install packages, etc. as part of the build process. So I would like for the
>> buildsystem to be able to do that. So clearly that is not ideal. But given
>> that a limited number of people can commit code and they all have root
>> access to the build system already (i.e. if they wanted to do something
>> malicious, there would be easier ways), does it add any additional risk to
>> run it as root in a chroot environment? The chroot environment would just
>> prevent anybody from accidentally wiping out the build host.
>>
>> On Sat, Nov 29, 2014 at 4:22 PM, Dan Kegel <dank at kegel.com> wrote:
>>
>>> Neither.  Run it as a normal user in an lxc environment (ideally an
>>> ephemeral one).
>>>
>>> Of course, that's only slightly more secure than running as a normal
>>> user in the main system, but it's something.
>>>
>>> On Sat, Nov 29, 2014 at 1:11 PM, Michael Hansen
>>> <michael.schacht.hansen at gmail.com> wrote:
>>> > Hi Dan,
>>> >
>>> > Thank you for your comments. Nothing is ever really perfectly safe. I guess
>>> > my question could also be rephrased as: what is best from a security
>>> > perspective? A) running buildslave as a regular user in the main system or
>>> > B) running it (as root) in a chroot environment?
>>> >
>>> > On Sat, Nov 29, 2014 at 4:01 PM, Dan Kegel <dank at kegel.com> wrote:
>>> >>
>>> >> I've been doing this with linux containers for some time.
>>> >>
>>> >> Containers are not yet a security solution.  You can escape out of a
>>> >> chroot jail (the exploit's a bit different for lxc containers, but
>>> >> still available).
>>> >>
>>> >> But it's worth it just for the isolation alone; my builds need to
>>> >> install debian packages, and I use ephemeral lxc containers for the
>>> >> linux buildslaves to get a fresh vanilla system every time.
>>> >>
>>> >>
>>> >> On Sat, Nov 29, 2014 at 12:46 PM, Michael Hansen
>>> >> <michael.schacht.hansen at gmail.com> wrote:
>>> >> > Hi,
>>> >> >
>>> >> > I have been using buildbot a while now, it has been a great help to our
>>> >> > project.
>>> >> >
>>> >> > I am looking to add some sophistication to our setup and I am considering
>>> >> > running the buildslaves in chroot environment to a) be able to build for
>>> >> > multiple distros/releases on the same host, b) isolate the build slaves from
>>> >> > the main system, and c) run a few build steps as root (we generate some
>>> >> > distribution images and root privileges are needed to run some of the tools,
>>> >> > e.g. debootstrap and others).
>>> >> >
>>> >> > In my buildslaves I need access to the /proc (for some GPU unit tests)
>>> >> > filesystem so I mount that in the chroot environment but other than that the
>>> >> > slave does not have access to the main system.
>>> >> >
>>> >> > My question is, is this safe? Are there any security issues with running in
>>> >> > a chroot jail or is it inherently safer than running it in the main
>>> >> > system?
>>> >> >
>>> >> > Thanks,
>>> >> > Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://buildbot.net/pipermail/devel/attachments/20141129/c070f62c/attachment.html>
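One way to review the sudo grant asked about in this thread, as an added example that is not part of the original messages: it sorts each command a build account may run through sudo by how tightly the rule constrains it. The account name `buildslave`, the paths and the sample sudoers text are constructed assumptions, and the parser only handles single-line user rules (no aliases, no continuation lines).

```python
import re

# Constructed sample sudoers content; "buildslave" and all paths are assumptions.
SAMPLE_SUDOERS = """\
Defaults env_reset
buildslave ALL=(ALL) NOPASSWD: ALL
buildslave ALL=(root) NOPASSWD: /usr/sbin/debootstrap, /usr/bin/apt-get install *
buildslave ALL=(root) /bin/mount -t proc proc /srv/chroot/proc
otheruser ALL=(root) /usr/bin/id
"""

# user  host = (runas) command-list
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
# Leading tags such as "NOPASSWD:" or "SETENV:" in front of a command
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")


def classify(cmd):
    """Describe how much freedom a single sudoers command entry leaves."""
    if cmd == "ALL":
        return "unrestricted"      # any command: the same as running as root
    if len(cmd.split()) == 1:
        return "any-arguments"     # bare path: sudoers accepts any arguments
    if any(ch in cmd for ch in "*?["):
        return "wildcard"          # arguments only loosely constrained
    return "pinned"                # arguments must match exactly


def audit(text, user):
    """Return (command, verdict) pairs for every rule granted to `user`."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m or m.group(1) != user:
            continue
        for cmd in m.group(2).split(","):
            cmd = TAGS.sub("", cmd.strip())
            findings.append((cmd, classify(cmd)))
    return findings


if __name__ == "__main__":
    for cmd, verdict in audit(SAMPLE_SUDOERS, "buildslave"):
        print(f"{verdict:14} {cmd}")
```
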