Closed Bug 1240888 Opened 8 years ago Closed 7 years ago

prevent buildbot starting as root

Categories

(Release Engineering :: General, defect)

Product:
Release Engineering
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: catlee, Unassigned)

Details

Attachments

(4 files)

bug1240888_Makefile.patch
1.24 KB, patch
kmoir
: review+
vciobancai
: checked-in+
Details | Diff | Splinter Review
bug1240888.output
2.65 KB, text/plain
Details
bug1240888_buildbot.patch
1.29 KB, patch
kmoir
: review+
vciobancai
: checked-in+
Details | Diff | Splinter Review
bug1240888_buildbot - Copy.output
7.43 KB, text/plain
Details 
We had some problems last week that were a result of buildbot being started as root on a few of our machines. We should modify the 'buildbot' script so that it exits with a failure message if you try and run it as root.
Assignee: nobody → vlad.ciobancai
Attached you can find the patch where I updated MAKEFILE in order to check if the make command is run as root for all the actions
Attachment #8709895 - Flags: review?(kmoir)
Attached file bug1240888.output 
Attached the output from the tests that I made on dev-master2
Attachment #8709895 - Flags: review?(kmoir) → review+
Looks good, but I think in this case the problem was that somebody ran 'buildbot start' directly, bypassing the Makefile.
(In reply to Chris AtLee [:catlee] from comment #3)
> Looks good, but I think in this case the problem was that somebody ran
> 'buildbot start' directly, bypassing the Makefile.

:catlee do you want us to try to find a way to block when a user tries to start a buildbot by using root account and not using the Makefile?
yes, since that's the ultimate script that is being run, I think the safest thing is to have it prevent itself running as root.
Attached you can find the patch for buildbot script.
The patch check if the script is started, restarted or reconfig under root account, if yes the script will exit.
Attachment #8710344 - Flags: review?(kmoir)
Attached you can find the output from the tests that I made on dev-master2
Attachment #8710344 - Flags: review?(kmoir) → review+
:kmoir :catlle can I close this bug ?
Flags: needinfo?(kmoir)
Flags: needinfo?(catlee)
This needs to be deployed to take effect.
Flags: needinfo?(catlee)
(In reply to Chris AtLee [:catlee] from comment #9)
> This needs to be deployed to take effect.

The patch has been pushed to default branch.
I don't know if this is worth updating all the masters with given that 1) we don't have a really good story for updating them all pulling the latest code in and hoping that it works 2) buildbot is on it's way out.  There are other changes too if you compare default and production-0.8.
Flags: needinfo?(kmoir)
(In reply to Kim Moir [:kmoir] from comment #11)
> I don't know if this is worth updating all the masters with given that 1) we
> don't have a really good story for updating them all pulling the latest code
> in and hoping that it works 2) buildbot is on it's way out.  There are other
> changes too if you compare default and production-0.8.

Though its still a footgun, noteworthy is that jlund also accidentally started buildbot as root just yesterday on a misbehaving master... and though buildbot is on its way out there is still a long tail there.
Assignee: vciobancai → nobody
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Component: General Automation → General
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: