Re: New Debian Package Customization HOWTO

On Sat, Jun 04, 2005 at 05:58:18PM -0700, Russ Allbery wrote:
> Roberto C Sanchez <roberto@familiasanchez.net> writes:
> > Today Kevin Mark pointed out[0] that I should turn a brief outline I
> > gave[1] on how to customize Debian packages into a full blown HOWTO.  I
> > have done that and the result [2] is now available to the public.  I
> > would like to announce it in the hopes that new and experienced Debian
> > developers and users will review it and provide some feedback.  After a
> > week or so, I will probably submit it to some Debian-related wikis and
> > websites.  But, I first want to make sure that it is in reasonable shape
> > before I *really* present it to the world :-)
> > [2] http://familiasanchez.net/~sanchezr/?page=debcustomize
> Eep, please don't tell people to give themselves full privileges with sudo
> unless they know what they're doing.  The sudo configuration here is just
> to run pbuilder, right?  If so, just recommend something like:
>     bob ALL = NOPASSWD: /usr/sbin/pbuilder
>     bob ALL = NOPASSWD: /usr/lib/pbuilder/pbuilder-satisfydepends
> This is sufficient in my experience.

It won't provide you with any additional security though, so it will
only give a false sense of security. If you can run pbuilder with any
argument, you can specify an arbitrary configfile, and that way have any
arbitrary command run as root. Even if it's only in the chroot, which I
didn't check right now, as root in a chroot you can break out and be
root on the host system.


Jeroen van Wolffelaar
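
Added example, not part of the original thread: in sudoers a Cmnd written without an argument list may be run with any arguments, while "" allows it only with none, so entries like the two quoted above leave every option of the program open. This sketch flags such entries; the sample lines beyond the two quoted ones (including /usr/bin/example-tool) are constructed, and the parser is a simplified assumption, not a full sudoers grammar.

```python
import re

# Constructed sample: the two entries quoted in the thread, plus two
# constructed variants that restrict the argument list.
SAMPLE_SUDOERS = """\
bob ALL = NOPASSWD: /usr/sbin/pbuilder
bob ALL = NOPASSWD: /usr/lib/pbuilder/pbuilder-satisfydepends
bob ALL = NOPASSWD: /usr/sbin/pbuilder update
bob ALL = NOPASSWD: /usr/bin/example-tool ""
"""

RUNAS = re.compile(r'^\([^)]*\)\s*')      # (root), (ALL : ALL), ...
TAGS = re.compile(r'^(?:[A-Z_]+:\s*)+')   # NOPASSWD:, SETENV:, ...
SKIP = re.compile(r'^(#|Defaults|\w+_Alias\b)')


def classify(cmnd):
    """Return (command, verdict) for one Cmnd in a user specification."""
    cmnd = TAGS.sub('', RUNAS.sub('', cmnd.strip())).strip()
    parts = cmnd.split(None, 1)
    args = parts[1].strip() if len(parts) > 1 else ''
    if cmnd == 'ALL' or not args:
        return cmnd, 'any-args'        # no argument list: every argument matches
    if args == '""':
        return cmnd, 'no-args'         # "" means: only without arguments
    if re.search(r'(?<!\\)[*?\[]', args):
        return cmnd, 'wildcard-args'   # wildcards can match unintended options
    return cmnd, 'fixed-args'


def audit(text):
    """List (line, user, command, verdict) for entries with open arguments.

    Simplified parser (assumption): one user specification per line, no
    line continuations, no Runas lists with commas, aliases not expanded.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or SKIP.match(line) or '=' not in line:
            continue
        who, spec = line.split('=', 1)
        for cmnd in re.split(r'(?<!\\),', spec):
            if not cmnd.strip():
                continue
            command, verdict = classify(cmnd)
            if verdict in ('any-args', 'wildcard-args'):
                findings.append((lineno, who.split()[0], command, verdict))
    return findings
```

A "fixed-args" or "no-args" verdict only says the argument list is pinned; whether that one invocation is safe to run as root still has to be judged per command.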

