{"id":279,"date":"2006-06-16T23:09:14","date_gmt":"2006-06-17T06:09:14","guid":{"rendered":"http:\/\/multimedia.cx\/eggs\/?p=279"},"modified":"2008-01-14T12:55:38","modified_gmt":"2008-01-14T20:55:38","slug":"secure-automated-builds","status":"publish","type":"post","link":"https:\/\/multimedia.cx\/eggs\/secure-automated-builds\/","title":{"rendered":"Secure Automated Builds"},"content":{"rendered":"<p>I have a small, low-power x86 Linux box sitting on the internet. I want to use it to set up an automated build system for <a href=\"http:\/\/ffmpeg.org\/\">FFmpeg<\/a>. To what end? At the outset, I would like to validate that the entire codebase builds, with all extra modules enabled, under different gcc versions and post results to a webpage.<\/p>\n<p>The process outline is pretty straightforward. At periodic intervals:<\/p>\n<ul>\n<li>check out a fresh copy of the FFmpeg SVN tree<\/li>\n<li>&#8216;configure&#8217; with all relevant options and the desired compiler version<\/li>\n<li>&#8216;make&#8217;, log the stdout and stderr text in separate text files<\/li>\n<li>log the status report to a public website<\/li>\n<\/ul>\n<p>Pretty simple so far. Other ideas include compiling with multiple compiler versions, including cross-compilers for multiple platforms; automated regression testing; aggregated results sent to a new mailing list <em>[insert your brainstorm here]<\/em>. I&#8217;m starting small because this particular machine requires almost a half hour to complete just one FFmpeg build.<\/p>\n<p>Here is the big item I&#8217;m concerned about: How to guard against malicious script injections? Not to say that I don&#8217;t trust my FFmpeg brethren but&#8230; I can&#8217;t think of a good way to end that sentence. But think about it: When you run the configuration script and Makefile, you&#8217;re executing free-form shell commands. 
One of the worser-case scenarios:<\/p>\n<pre>\r\nall:\r\n    find \/ | xargs rm -rf\r\n<\/pre>\n<p>&#8220;But Mike,&#8221; I hear you exclaim, &#8220;as long as you run it as your own unprivileged user vs. root, it won&#8217;t destroy the entire system.&#8221; That&#8217;s terrific news; the easily replaced Linux base system would be safe. So what about running the build process as a heretofore non-existent user (something other than &#8216;nobody&#8217; since a standard Linux box is going to have files owned by him)? Random shell commands could still, for example, read world-readable files and transmit them offsite. What kind of files? I&#8217;m not interested in the fine details, it&#8217;s still a security hole.<\/p>\n<p>So there is the possibility of switching to the unknown user in its own chroot&#8217;d shell. Ideally, this environment would:<\/p>\n<ul>\n<li>prohibit network access (setup process gets the fresh SVN tree before entering chroot shell)<\/li>\n<li>have access to various build tools<\/li>\n<\/ul>\n<p>I guess what I&#8217;m wondering is: Have these problems already been solved? Are there open source projects that already provide good solutions to these problems? 
Otherwise, I already know it&#8217;s a lot of work to set up such a chroot environment (and I have no idea how to prohibit network access for a particular user).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sound software engineering practice&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[101,3],"tags":[],"class_list":["post-279","post","type-post","status-publish","format-standard","hentry","category-fate-server","category-open-source-multimedia"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/posts\/279","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/comments?post=279"}],"version-history":[{"count":0,"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/posts\/279\/revisions"}],"wp:attachment":[{"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/media?parent=279"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/categories?post=279"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/tags?post=279"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}