Open livingsilver94 opened 2 months ago
One way to make this nice on Serpent is to have a trigger that auto-adds users who are in wheel and who have a GID >= 1000 to the cache dir permissions (I think we're looking at extended ACLs for this).
The idea could be to run a boulder command that does this for the relevant users; then we use the same code path whether we're on serpent or something else; it's just that on serpent, we have a moss trigger manage the call.
I have some questions:
`sudo` and `wheel` to the new builder group? `$HOME` by default.
`root` is obviously risky. Building packages inherently allows for any code execution. While it's true that boulder runs the build in its own container, disabling `root` is another security improvement to prevent exploits I can't even predict at the moment. Plus, by just considering an unprivileged user, we developers won't have to think about where configuration files should be read from. Less complexity and more security. Win-win, in my opinion.

@ermo raised the concern that unprivileged users may not access a shared directory for compilation cache. Fortunately, ccache documents how to create a shared directory across users in a specific group (the `builders` group, for example). sccache can access a specific directory too, so we can reuse the same users+directory setup.

Demo
To demonstrate a shared directory works across unprivileged users, please find below a script that leverages `toolbx` to create a shared build environment. Note that `toolbx` is not required for such setup, I'm just using it to create a demo environment without cluttering my/your system. Please copy and paste the script line by line; a global copy-paste won't work because we're entering and exiting containers and subshells.