Patchwatcher security improvements
ambro at b4ever.net
Wed Sep 10 11:04:53 CDT 2008
Dan Kegel wrote:
> So the slave can be in another real machine, another virtual machine, or
> running as another user; anything as long as it can get read/write access to
> its subdirectory of the shared directory.
The problem with your design right now is that you want to run the slave in
some isolated environment and expect it to be secure. The build slave itself
is a mission-critical process and putting it in a quarantine to run together
with untrusted code allows malicious patches to interfere with its operation.
This means an attacker can just kill it from inside his patch, causing the
whole patch building operation to fail, or corrupt the baseline tree, or send
hundreds of fake emails through the slave interface.
So I plan to run the build slave itself in a trusted environment, but make it
quarantine individual build operations (similar to my previous design with
user switching). This way the impact of an attack is highly limited - all an
attacker can theoretically do is fake his own patch results.
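The trusted-slave / quarantined-build split described above, as an added example in Python (this is not Patchwatcher's own code, and the build account name `patchbuild` used in the lead-in is hypothetical): the slave keeps the baseline tree to itself, hands each build a private copy, runs it in its own process group with a timeout so it can kill the build and anything the build forked, and, when the slave runs as root and a build user is given, switches the child to that unprivileged uid before exec so it cannot signal the slave or write outside its scratch directory. The `demo()` function constructs a throwaway baseline and two sample builds (constructed input, not real patches); since the user switch only takes effect as root, the demo exercises the private copy, the timeout kill and the baseline integrity check.

```python
import hashlib
import os
import pwd
import shutil
import signal
import subprocess
import tempfile


def tree_digest(path):
    """Hash every file (relative path + contents) under path in sorted order,
    so the slave can prove the baseline tree is unchanged after a build."""
    h = hashlib.sha256()
    for root, dirs, files in os.walk(path):
        dirs.sort()
        for name in sorted(files):
            full = os.path.join(root, name)
            h.update(os.path.relpath(full, path).encode() + b"\0")
            with open(full, "rb") as f:
                h.update(f.read())
            h.update(b"\0")
    return h.hexdigest()


def _drop_privileges(uid, gid):
    # Runs in the child between fork and exec. Only meaningful when the
    # slave itself is root; a non-root slave cannot switch users.
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)


def run_build_quarantined(baseline, build_cmd, build_user=None, timeout=600):
    """Run one untrusted build command in a private copy of the baseline.

    build_user (e.g. a hypothetical 'patchbuild' account) is an assumption:
    if given and the slave is root, the child is switched to that uid.
    """
    scratch = tempfile.mkdtemp(prefix="patchbuild-")
    work = os.path.join(scratch, "tree")
    shutil.copytree(baseline, work)  # the build never touches the baseline

    preexec = None
    if build_user is not None and os.geteuid() == 0:
        pw = pwd.getpwnam(build_user)
        # The build user owns its scratch copy and nothing else.
        for root, dirs, files in os.walk(scratch):
            os.chown(root, pw.pw_uid, pw.pw_gid)
            for name in files:
                os.chown(os.path.join(root, name), pw.pw_uid, pw.pw_gid)
        preexec = lambda: _drop_privileges(pw.pw_uid, pw.pw_gid)

    proc = subprocess.Popen(
        ["sh", "-c", build_cmd],
        cwd=work,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        start_new_session=True,          # own process group: killable as a unit
        preexec_fn=preexec,
        env={"PATH": "/usr/bin:/bin", "HOME": scratch},  # no inherited secrets
    )
    try:
        out, _ = proc.communicate(timeout=timeout)
        status = "ok" if proc.returncode == 0 else "failed"
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)  # the shell and everything it forked
        out, _ = proc.communicate()
        status = "timeout"
    # The log is attacker-controlled data: report it, never execute or trust it.
    return {"status": status, "log": out.decode(errors="replace"),
            "work": work, "scratch": scratch}


def demo():
    """Constructed demonstration: a baseline, a build that tampers with its
    own copy, and a runaway build that must be killed. Returns a summary."""
    baseline = tempfile.mkdtemp(prefix="baseline-")
    with open(os.path.join(baseline, "hello.c"), "w") as f:
        f.write("int main(void) { return 0; }\n")
    before = tree_digest(baseline)

    # A hostile "patch" that rewrites its tree; harmless, it is a throwaway copy.
    tamper = run_build_quarantined(
        baseline, "echo corrupted > hello.c && echo pwned > extra.txt && exit 3",
        timeout=10)
    # A build that never finishes (a patch that loops or sleeps forever).
    runaway = run_build_quarantined(baseline, "sleep 30", timeout=1)

    after = tree_digest(baseline)
    for r in (tamper, runaway):
        shutil.rmtree(r["scratch"], ignore_errors=True)
    shutil.rmtree(baseline, ignore_errors=True)
    return {"tamper_status": tamper["status"],
            "runaway_status": runaway["status"],
            "baseline_intact": before == after}


if __name__ == "__main__":
    print(demo())
```

The digest check is what lets the slave refuse to reuse a baseline that has been corrupted, and the per-build copy means the only thing a malicious patch can still influence is its own build log and exit status, which is exactly the residual "fake his own patch results" risk described above.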