[engineering.redhat.com #319333] Re: [Security] System job to deploy rpms

Eyal Edri eedri at redhat.com
Sun Oct 12 06:32:14 UTC 2014 


----- Original Message -----
> From: "Sandro Bonazzola" <sbonazzo at redhat.com>
> To: secalert at redhat.com
> Cc: security at ovirt.org, infra at ovirt.org
> Sent: Thursday, October 9, 2014 9:09:20 AM
> Subject: Re: [engineering.redhat.com #319333] Re: [Security] System job to	deploy rpms
> 
> Il 08/10/2014 18:18, Red Hat Product Security ha scritto:
> > On Wed Oct 08 08:35:15 2014, sbonazzo at redhat.com wrote:
> >> Il 08/10/2014 12:02, Ohad Basan ha scritto:
> >>> Hello everyone.
> >>>
> >>> I've created a small job (not yet enabled)
> >>> that gets an rpm and then deploys it to the static repo at
> >> resources.ovirt.org
> >>> for this I've sent this patch http://gerrit.ovirt.org/#/c/33863/
> >>> that will add the "resources" user. it will have permissions only
> >> for the static rpms directory and will scp the files to there.
> >>> is it acceptable by everybody security-wise?
> >>>
> >>
> >> Adding security list to the loop.
> > 
> > Hi, thanks for this.  I'm a bit confused though.  Is this pertaining to the
> > infrastructure for the oVirt project, or is this code going into the oVirt
> > code itself that is then consumed by downstream users?  I only ask because
> > of the reference to resources.ovirt.org so I'm unsure whether this is a
> > code question or an infrastructure question.
> > 
> > Can you please advise?
> 
> It's infrastructure question

let me try to clarify.
today our continuous delivery process is async partially:
 - jenkins.ovirt.org builds and publish the rpms into resources.ovirt.org under jenkins home (unprivileged user).
 - a cron job scans the target dir and checks if new rpms are there (via flag used by the script) and updates the repos accordingly.

the idea behind this is not to allow direct access from jenkins to resources.ovirt.org via ssh.

now what ohad is suggesting is to change the process and ALLOW direct access to certain repositories under resources.ovirt.org, with the following changes:
 - new user will be used - resources
 - the user will have limited sudo access only to read/write to the relevant repository (static repos)
 - no cron job will run async to update it.

so the question is are we comfortable with this change? is it safe or has the same security level as the current async one? 
if its safe we might consider changing the original flow as well to be synced and not use a cron job.

your input is appreciated,

Eyal.

> 
> > 
> 
> 
> --
> Sandro Bonazzola
> Better technology. Faster innovation. Powered by community collaboration.
> See how it works at redhat.com
> _______________________________________________
> Infra mailing list
> Infra at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/infra
>

More information about the Infra mailing list