[Python-Dev] cpython (3.2): Issue #11956: Skip test_import.test_unwritable_directory on FreeBSD when run as

Andrew Bennetts andrew at bemusement.org
Sat Oct 8 14:27:53 CEST 2011


Stephen J. Turnbull wrote:

Andrew Bennetts writes:

> No, that just means you shouldn't trust root. Which is where a
> VM is a very useful tool. You can have the “as root” environment
> for your tests without the need to have anything important trust it.

Cameron acknowledges that he missed that. So maybe he was right for the wrong reason; he's still right. But in the current context, it is not an argument for not worrying, because there is no evidence at all that the OP set up his buildbot in a secure sandbox. As I read his followups, he simply "didn't bother" to set up an unprivileged user and run the 'bot as that user.

I made no claim about how the bot was deployed. The point I was disputing was more general than how one specific bot is deployed. To quote the mail I was replying to again: “HOWEVER, the whole suite should not be tested as root because the code being testing is by definition untrusted.” This sentiment was expressed strongly and repeatedly in several mails. It was this overly broad assertion I was addressing, and happily my argument was apparently convincing.

I'm fine with “It's not worth running the tests as root because the overhead of making a secure setup for it with a VM etc is too hard with our very limited volunteer resources.” I'm not fine with “We mustn't run them as root because it's impossible to do it safely.” That's all I'm saying.

[…]

that was not the case; the assumption is falsified. Nevertheless, several people who I would have thought would know better are all arguing from the assumption that the OP configured his test system with security (rather than convenience) in mind, and are castigating Cameron for not making that same assumption. To my mind, every post is increasing justification for his unease. :-(

I certainly hope I wasn't so severe as to be castigating! If I was, Cameron has been kind enough to not show any offense.

And that's why this thread belongs on this list, rather than on Bruce Schneier's blog. It's very easy these days to set up a basic personal VM, and folk of goodwill will do so to help the project with buildbots to provide platform coverage in testing new code. But this contribution involves certain risks (however low probability, some Very Bad Things could happen). Contributors should get help in evaluating the potential threats and corresponding risks, and in proper configuration. Not assurances that nothing will go wrong "because you probably run the 'bot in a VM."

For the record, in case it isn't obvious, I think a buildslave that runs the tests as root and doesn't take precautions like using a VM dedicated to just running the tests (and not running the buildslave) is a bad idea. Although given that there's a very limited supply of volunteer labour involved in configuring and administering buildslaves, I'm not surprised to hear this has happened. :(

I don't object at all to folks like Cameron asking questions to ensure that these systems are secure enough. I think that's a good thing! I don't even object to treating someone saying “run as root” as a red flag requiring further explanation. What I was objecting to was an apparent willingness to make an unnecessary compromise on software quality. I care about the security of contributors' buildslaves. I also care about the reliability of Python.

-Andrew.


