Bug 1394300

Summary: RFE: Make "fedpkg local" run as nobody by default
Product: [Fedora] Fedora Reporter: Hans de Goede <hdegoede>
Component: fedpkgAssignee: Ondřej Nosek <onosek>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: bochecha, cqi, dennis, lsedlar, onosek, pbabinca, s
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-06 00:55:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Hans de Goede 2016-11-11 15:36:13 UTC 
Although everyone should be aware that running build scripts from arbitrary sources can be dangerous I believe that many people will still do "fedpkg local" for a quick test when e.g. rebasing to a new upstream release.

I would like to see the risks of this migrated by "fedpkg local" by default running the build as nobody, so that no user files can be accessed by the build scripts. I'm thinking along the lines of generating a srpm first, put that under a (mkstemp made) tmpfile in /tmp and then kick-off some suid nobody helper to do the actual rpmbuild.

fedpkg local could provide a flag to override this behavior, but once supported I believe it should be the default.
Comment 1 Fedora End Of Life 2017-11-16 19:19:43 UTC 
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Comment 2 Hans de Goede 2017-11-17 08:34:58 UTC 
Still relevant, changing version.
Comment 3 Ondřej Nosek 2019-04-03 17:17:37 UTC 
This issue has been unresolved for more than a year, and is going to be closed within a week if no further action is taken. If you feel this is in error, please contact me.
This is a cleaning process suggested by Jay Greguske. Copy of this ticket was already closed in JIRA tracker.
Comment 4 Fedora Admin XMLRPC Client 2020-03-23 16:40:21 UTC 
This package has changed maintainer in the Fedora.
Reassigning to the new maintainer of this component.