
mpgrafic - mpirun test program as root in automatic build



hi Debian-mentors,

Is it reasonable to override the mpirun (openmpi_2.0.2~git.20161225-8)
default preference of refusing to run as root?

I've started packaging mpgrafic for debian - this is my first
debianisation, apart from minor private hacks after extracting debian
source packages:

https://anonscm.debian.org/cgit/debian-astro/packages/mpgrafic.git/

I've added regression-test-0.3.7.sh to the upstream version of
mpgrafic. This is a "reproducible run" test. The test runs the main
binary, mpgrafic, with a frontend "mpirun", which, in general, allows
a program to run on many different machines, without shared memory.
This test runs explicitly on exactly one processor, for reproducibility.

Since, in general, there is no reason for mpirun to run as root,
the sid version of mpirun (from openmpi) apparently refuses to run as root.
(I have not reproduced this behaviour myself - Ole Streicher
has warned me about it.) The openmpi developers provide an option
--allow-run-as-root.

In version 0.3.7.4-1, the debian-only, openmpi-only use of this option in
debian/rules + regression-test-0.3.7.sh

https://anonscm.debian.org/cgit/debian-astro/packages/mpgrafic.git/tree/debian/rules
https://anonscm.debian.org/cgit/debian-astro/packages/mpgrafic.git/tree/regression-test-0.3.7.sh

should presumably allow debian automatic builds to pass "make check".

Is the choice to use the option --allow-run-as-root safe from a general
system security point of view?

My arguments against (i.e. it would be unsafe):

* A newbie might download/extract the debian source as root,
unintentionally modify the fortran source to do some dangerous things
with files and directories, change the -n 1 option to -n 32 for a cluster
of 4 machines each with 8 processors, and then try "make check".
Since the --allow-run-as-root option is enabled in regression-test-0.3.7.sh,
the newbie does some dangerous root operations.

Counterarguments (i.e. it would be safe):

** If the newbie has ignored the recommendation of building
debian packets from source with fakeroot debian/rules binary, then s/he
is already taking superuser risks, and we can't do much to help him/her;

** Introducing system-dangerous operations in fortran is possible, but unlikely
for someone just wishing to make a cosmology calculation;

** If the newbie modifies the -n 1 option, then s/he would see
the much more obvious --allow-run-as-root option and should learn
enough to realise that running as root is unlikely to be needed when
compiling/running the package as an ordinary user.

An alternative I see to enabling --allow-run-as-root would be e.g.

adduser --no-create-home --disabled-password mpgrafic
mpirun -n 1 ... ;
deluser mpgrafic

but that would unnecessarily require build dependence on adduser, and
creating/removing users is itself a security-related issue that
automated checkers (e.g. lintian) might (or should?) be concerned
about.

I'd like to rename mpgrafic-0.3.7.4 to 0.3.8 upstream, along with the
debian versions 0.3.7.4-1 and 0.3.8-1, but first it would be
good to hear some opinions on this.

tracker: https://tracker.debian.org/pkg/mpgrafic

Cheers
Boud
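
Added example, not part of the original message or of the mpgrafic package: one way a test wrapper could pass --allow-run-as-root only when the build really runs as uid 0, and refuse outright if the process count has been changed from 1 while running as root (the scenario raised in the message). The function names `mpirun_opts` and `run_check` and the `NPROCS` variable are hypothetical.

```shell
#!/bin/sh
# Guard for a "make check" wrapper (hypothetical helper names, added example).
# mpirun_opts prints the mpirun options to use, one per line, and returns
# non-zero when the requested run should be refused.

# mpirun_opts UID NPROCS
mpirun_opts() {
    uid=$1
    nprocs=$2

    # Accept only a positive integer process count without leading zeros.
    case $nprocs in
        ''|*[!0-9]*|0*)
            echo "invalid process count: $nprocs" >&2
            return 2 ;;
    esac

    if [ "$uid" -eq 0 ]; then
        # Root is tolerated only for the single-process reproducible run.
        if [ "$nprocs" -ne 1 ]; then
            echo "refusing to run mpirun -n $nprocs as root" >&2
            return 1
        fi
        printf '%s\n' --allow-run-as-root
    fi
    # Ordinary users never get --allow-run-as-root, whatever -n is.
    printf '%s\n' -n "$nprocs"
}

# run_check BINARY [ARGS...]: entry point a regression script could call.
run_check() {
    opts=$(mpirun_opts "$(id -u)" "${NPROCS:-1}") || return $?
    # Word splitting is intended: the generated options contain no spaces.
    # shellcheck disable=SC2086
    mpirun $opts "$@"
}
```
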

