Subject: Re: [PATCH v5 0/5] Debootstrap integration
To: isar-users@googlegroups.com
From: Jan Kiszka
Date: Wed, 11 Apr 2018 08:58:11 +0200
Message-ID: <0c0191c5-bb35-4654-6412-9a1e93e1590f@siemens.com>
References: <20180403100802.30710-1-claudius.heine.ext@siemens.com> <20180404203434.GC3164@yssyq.radix50.net> <20180411062833.GD4762@yssyq.radix50.net>
In-Reply-To: <20180411062833.GD4762@yssyq.radix50.net>

On 2018-04-11 08:28, Baurzhan Ismagulov wrote:
> On Thu, Apr 05, 2018 at 11:16:43AM +0200, Jan Kiszka wrote:
>> I would call this a "safety" concern - building images via Isar is not
>> secure in any way as long as we require root permissions.
>
> However we call it (directory traversal is commonly classified as a security
> issue as opposed to safety as in health injury), it doesn't mean we should

safety: measures against accidental errors, hardware failures etc.
security: measures against malicious attackers (intentional errors)

Isar currently has no means of its own for the latter, due to requiring root
privileges.

> easily add more of them just because the existing code already isn't perfect.
> I've raised the issue to understand the implications, consider advantages and
> disadvantages, and possibly determine TODOs if we end up with a trade-off.
>
> For example, for this specific case, does upstream bitbake and / or OE check
> whether cleandirs are within the build directory?

That is a good question - though upstream does not have to run as root,
thus can be confined more easily.

Jan
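The open question in the thread is whether cleandirs entries are verified to lie inside the build directory before anything is removed. The following is an added example, not code from Isar, bitbake or OE and not from either poster, showing the shape such a containment check could take in Python. The function names, the constructed directory tree in `demo()`, and the assumption that a cleandirs value is a whitespace-separated list of directories (relative entries taken relative to the build directory) are all mine.

```python
"""Added example (not Isar or bitbake code): a containment check for
cleandirs-style directory lists.

Assumption: cleandirs is a whitespace-separated list of directories, and
every entry must resolve to a path inside the build directory before a
clean step is allowed to delete it.
"""
import os
import tempfile


def resolve_within(builddir, path):
    """Return the canonical path of `path` if it lies inside builddir, else None.

    os.path.realpath() follows symlinks and collapses '..', so an entry that
    escapes through a symlink or through parent references is rejected the
    same way as a plain absolute path outside the build tree.
    """
    root = os.path.realpath(builddir)
    # Relative entries are interpreted relative to the build directory;
    # an absolute entry makes os.path.join() discard `root`.
    candidate = os.path.realpath(os.path.join(root, path))
    try:
        common = os.path.commonpath([root, candidate])
    except ValueError:
        # Raised e.g. for different drives on Windows: not inside the tree.
        return None
    if common != root:
        return None
    return candidate


def check_cleandirs(builddir, cleandirs):
    """Split a cleandirs value and classify each entry.

    Returns (accepted, rejected): `accepted` maps each original entry to its
    canonical path, `rejected` lists the entries that resolve outside builddir.
    """
    accepted, rejected = {}, []
    for entry in cleandirs.split():
        resolved = resolve_within(builddir, entry)
        if resolved is None:
            rejected.append(entry)
        else:
            accepted[entry] = resolved
    return accepted, rejected


def demo():
    """Run the check over a constructed tree in a temporary directory.

    Returns (sorted accepted entries, rejected entries in input order).
    """
    with tempfile.TemporaryDirectory() as tmp:
        builddir = os.path.join(tmp, "build")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(builddir, "tmp", "work"))
        os.makedirs(outside)
        # Constructed hazard: a symlink inside the build tree pointing outside it.
        os.symlink(outside, os.path.join(builddir, "escape"))
        cleandirs = " ".join([
            os.path.join(builddir, "tmp/work"),   # absolute, inside: accepted
            "tmp/work/../work",                   # has '..' but stays inside: accepted
            "tmp/../..",                          # climbs above builddir: rejected
            "/",                                  # absolute, outside: rejected
            os.path.join(builddir, "escape"),     # symlink to outside: rejected
        ])
        accepted, rejected = check_cleandirs(builddir, cleandirs)
        return sorted(accepted), rejected


if __name__ == "__main__":
    acc, rej = demo()
    print("accepted:", acc)
    print("rejected:", rej)
```

Canonicalising both the build root and each candidate with `realpath()` before comparing is what makes the symlink and `..` cases fall out of one rule; comparing raw strings with a prefix test would pass the symlink entry and would also wrongly accept a sibling directory such as `build2` when the root is `build`.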