1394300 – RFE: Make "fedpkg local" run as nobody by default

Bug 1394300 - RFE: Make "fedpkg local" run as nobody by default

Summary: RFE: Make "fedpkg local" run as nobody by default

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	fedpkg
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Ondřej Nosek
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-11-11 15:36 UTC by Hans de Goede
Modified:	2020-05-06 00:55 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-05-06 00:55:21 UTC
Type:	Bug
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Hans de Goede 2016-11-11 15:36:13 UTC

Although everyone should be aware that running build scripts from arbitrary sources can be dangerous I believe that many people will still do "fedpkg local" for a quick test when e.g. rebasing to a new upstream release.

I would like to see the risks of this migrated by "fedpkg local" by default running the build as nobody, so that no user files can be accessed by the build scripts. I'm thinking along the lines of generating a srpm first, put that under a (mkstemp made) tmpfile in /tmp and then kick-off some suid nobody helper to do the actual rpmbuild.

fedpkg local could provide a flag to override this behavior, but once supported I believe it should be the default.

Comment 1 Fedora End Of Life 2017-11-16 19:19:43 UTC

This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 2 Hans de Goede 2017-11-17 08:34:58 UTC

Still relevant, changing version.

Comment 3 Ondřej Nosek 2019-04-03 17:17:37 UTC

This issue has been unresolved for more than a year, and is going to be closed within a week if no further action is taken. If you feel this is in error, please contact me.
This is a cleaning process suggested by Jay Greguske. Copy of this ticket was already closed in JIRA tracker.

Comment 4 Fedora Admin XMLRPC Client 2020-03-23 16:40:21 UTC

This package has changed maintainer in the Fedora.
Reassigning to the new maintainer of this component.

Note You need to log in before you can comment on or make changes to this bug.