Bug 1642840 - Please add a safe buildsys-only setting to dnf config
Summary: Please add a safe buildsys-only setting to dnf config
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: dnf
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Suchý
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1641191 1641187
Reported: 2018-10-25 08:02 UTC by Nicolas Mailhot
Modified: 2019-07-25 08:25 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:




Links
System: Fedora Pagure
ID: fesco issue 2004
Priority: None
Status: None
Summary: None
Last Updated: 2018-10-25 08:02:11 UTC

Description Nicolas Mailhot 2018-10-25 08:02:11 UTC
In https://pagure.io/fesco/issue/2004 mizdebsk worries that enabling the pm request mock extension on Fedora build systems (copr and koji) would lead to evil, and that attackers could use it to convince mock to pass dangerous commands to dnf.

One could (and will) add some argument filtering mock-side, but that assumes mock devs are perfectly aware of all the settings added to dnf over time, and identify the dangerous combinations correctly and in a timely manner.

Therefore, from a security point of view, doing it at the mock level is a losing situation.

Please add a security jail setting to dnf, that could be put in the *repo files mock uses, and basically forbids dnf from doing anything except:
* installing/upgrading packages to the mock chroot or container from the repositories configured in the *repo files
* executing the corresponding scriptlets with the mock chroot or container

And that, no matter what CLI parameter overrides an attacker manages to get passed to dnf.

Regardless of what FESCO decides in the pagure ticket, the same config is running on packager systems today; the mock on those systems is Fedora's first line of defense against compromised upstream sources, so it needs to be secured properly.

Comment 1 Jaroslav Mracek 2018-10-29 12:46:27 UTC
msuchy@redhat.com, can you please look at the request?

Comment 2 Nicolas Mailhot 2018-11-06 12:06:15 UTC
So, to build on the ideas raised in https://pagure.io/fesco/issue/2004 and https://github.com/rpm-software-management/mock/issues/218

Have a safe/restricted/secure dnf switch with a directory as switch argument that basically says:

"from now on only take into account the dnf config/repo files in directory, only perform install/updates, only use packages taken from the repos defined here, ignore any further argument that says otherwise"
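The following is an added example, not code from the bug report, from dnf, or from mock. It models the restriction asked for in the description and in comment 2 as a default-deny filter, and sets it beside the mock-side blocklist the description argues against, so the difference between the two approaches can be exercised on a concrete command line. The wrapper function jailed_dnf_argv, the jail directory layout (<jail_dir>/dnf.conf plus <jail_dir>/yum.repos.d/*.repo) and the option allowlists are assumptions for illustration; the flags the wrapper emits, --config=<file> and --setopt=reposdir=<dir>, are real dnf options.

```python
"""Default-deny filter for dnf invocations inside a build jail.

Added example: this is not code from the bug report, from dnf, or from mock.
It assumes a hypothetical wrapper (jailed_dnf_argv) sitting between mock and
dnf, and a jail directory laid out as <jail_dir>/dnf.conf plus
<jail_dir>/yum.repos.d/*.repo (an assumed layout; the ticket does not fix one).
The flags it emits, --config=<file> and --setopt=reposdir=<dir>, are real dnf
options; everything else here is illustrative.
"""
import re

# Subcommands the jail permits. dnf treats "update" as an alias of "upgrade".
ALLOWED_SUBCOMMANDS = frozenset({"install", "upgrade", "update"})

# Options the jail permits. Anything not listed is rejected, so an option added
# to dnf later is unsafe-by-default until someone deliberately allows it.
ALLOWED_OPTIONS = frozenset({"-y", "--assumeyes", "-q", "--quiet", "-v", "--verbose"})

# A package spec: name, optional epoch:version-release.arch. Group specs
# ("@core"), paths and shell metacharacters do not match and are rejected.
PACKAGE_SPEC_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+:~-]*$")


class JailViolation(ValueError):
    """The requested command would step outside the jail."""


def jailed_dnf_argv(jail_dir, requested_argv):
    """Return the argv the wrapper should exec (as a list, no shell), or raise.

    Default-deny: every token must be an allowed option, the one allowed
    subcommand, or a package spec. The jail then prepends its own config so the
    caller cannot point dnf at other repos; no caller token can override it
    because no token that would do so is accepted in the first place.
    """
    subcommand = None
    options = []
    packages = []
    for tok in requested_argv:
        if tok.startswith("-"):
            if tok not in ALLOWED_OPTIONS:
                raise JailViolation(f"option not permitted in jail: {tok!r}")
            options.append(tok)
        elif subcommand is None:
            if tok not in ALLOWED_SUBCOMMANDS:
                raise JailViolation(f"subcommand not permitted in jail: {tok!r}")
            subcommand = tok
        elif PACKAGE_SPEC_RE.match(tok):
            packages.append(tok)
        else:
            raise JailViolation(f"not a package spec: {tok!r}")
    if subcommand is None or not packages:
        raise JailViolation("need a subcommand and at least one package")
    return [
        "dnf",
        f"--config={jail_dir}/dnf.conf",
        f"--setopt=reposdir={jail_dir}/yum.repos.d",
        *options,
        subcommand,
        *packages,
    ]


def jail_permits(jail_dir, requested_argv):
    """True if the default-deny jail would run the command."""
    try:
        jailed_dnf_argv(jail_dir, requested_argv)
    except JailViolation:
        return False
    return True


# The mock-side alternative the reporter argues against: a blocklist of the
# options known today to redirect dnf elsewhere. It is only as complete as the
# maintainer's knowledge of dnf on the day it was written.
BLOCKED_OPTIONS = frozenset({
    "--installroot", "--config", "-c", "--repofrompath", "--enablerepo",
    "--disablerepo", "--releasever", "--nogpgcheck", "--disableplugin", "--noplugins",
})


def blocklist_permits(requested_argv):
    """True if the blocklist would let the command through unchanged."""
    return all(tok.split("=", 1)[0] not in BLOCKED_OPTIONS for tok in requested_argv)


if __name__ == "__main__":
    # Constructed request: a benign install plus one override that re-points
    # dnf's repo directory without using any of the blocklisted option names.
    request = ["-y", "install", "gcc", "--setopt=reposdir=/tmp/attacker-repos"]
    print("blocklist permits:", blocklist_permits(request))
    print("jail permits:", jail_permits("/var/lib/mock/jail", request))
    print(jailed_dnf_argv("/var/lib/mock/jail", ["-y", "install", "gcc", "make"]))
```

The constructed request in the main block is the kind of case the description has in mind: --setopt=reposdir=... is not on the blocklist, so the blocklist passes it and dnf would read repo files from an attacker-chosen directory, while the allowlist rejects it because it is simply not an option the jail knows. The price of default-deny is that combined short options (-yq), "--" separators and group specs are rejected too until someone adds them deliberately. The jail's own dnf.conf still has to carry gpgcheck=1 and the trusted keys, and because the filter here lives in the wrapper rather than in dnf, it is still the mock-side arrangement the ticket wants to replace with a setting dnf enforces itself.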

