Re: [engineering.redhat.com #319333] Re: [Security] System job to deploy rpms
----- Original Message -----
From: "Sandro Bonazzola" <sbonazzo(a)redhat.com>
To: secalert(a)redhat.com
Cc: security(a)ovirt.org, infra(a)ovirt.org
Sent: Thursday, October 9, 2014 9:09:20 AM
Subject: Re: [engineering.redhat.com #319333] Re: [Security] System job to deploy rpms
Il 08/10/2014 18:18, Red Hat Product Security ha scritto:
> On Wed Oct 08 08:35:15 2014, sbonazzo(a)redhat.com wrote:
>> Il 08/10/2014 12:02, Ohad Basan ha scritto:
>>> Hello everyone.
>>>
>>> I've created a small job (not yet enabled)
>>> that gets an rpm and then deploys it to the static repo at
>> resources.ovirt.org
>>> for this I've sent this patch http://gerrit.ovirt.org/#/c/33863/
>>> that will add the "resources" user. it will have permissions only
>> for the static rpms directory and will scp the files to there.
>>> is it acceptable by everybody security-wise?
>>>
>>
>> Adding security list to the loop.
>
> Hi, thanks for this. I'm a bit confused though. Is this pertaining to the
> infrastructure for the oVirt project, or is this code going into the oVirt
> code itself that is then consumed by downstream users? I only ask because
> of the reference to resources.ovirt.org so I'm unsure whether this is a
> code question or an infrastructure question.
>
> Can you please advise?
It's infrastructure question
let me try to clarify.
today our continuous delivery process is async partially:
- jenkins.ovirt.org builds and publish the rpms into resources.ovirt.org under jenkins
home (unprivileged user).
- a cron job scans the target dir and checks if new rpms are there (via flag used by the
script) and updates the repos accordingly.
the idea behind this is not to allow direct access from jenkins to resources.ovirt.org via
ssh.
now what ohad is suggesting is to change the process and ALLOW direct access to certain
repositories under resources.ovirt.org, with the following changes:
- new user will be used - resources
- the user will have limited sudo access only to read/write to the relevant repository
(static repos)
- no cron job will run async to update it.
so the question is are we comfortable with this change? is it safe or has the same
security level as the current async one?
if its safe we might consider changing the original flow as well to be synced and not use
a cron job.
your input is appreciated,
Eyal.
>
--
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com
_______________________________________________
Infra mailing list
Infra(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/infra