doing a test build of samba

Andrew Bartlett abartlet at samba.org
Mon Apr 4 23:03:11 UTC 2022 

On Tue, 2022-04-05 at 01:52 +0300, Michael Tokarev wrote:
> 05.04.2022 01:31, Andrew Bartlett wrote:
> [..]
> > Samba really doesn't want to make security support promises for
> > code
> > compiled with --enable-developer or --enable-selftest.  There are
> > other
> > #ifdef things, like fault injection (root-only I think) and in the
> > past
> > we would honour more environment variables for unsafe things.
> 
> Yeah, fault injection and sleep in smbcontrol, I mentioned that.
> 
> Now when I think about this, maybe it is not just "root only" it
> _might_
> be more than that - say, different apparmor profiles or selinux
> contexts
> or containers or whatnot, but you gain control over the socket and
> you can
> do evil things. Probably still a moot point though, since other stuff
> is
> possible already. But it is still something to think about.
> 
> Overall things definitely does not look as bad as you describe.
> To *me*, - sure, I know right to nothing about it.  After all, maybe
> one day there's some new code guarded by WITH_NTVFS_FILESERVER or
> WITH_SELFTESTS by someone who didn't think some weird distribution
> enables this on production...

That is more my concern.  

> > We try not do make it horribly unsafe, but I would be disturbed if
> > a
> > major packager distributed binaries compiled that way.
> 
> So I'm back to my other question, - is it possible to build it in a
> different directory, not in ./bin[/default]/, so there's no need to
> mess up with directory renaming?

No.  This is essentially another variant on the request for an 'out of
tree build' which some folks ask for from time to time, which we don't
support (a pile of subtle but painful gotchas). 

> There is --with-selftest-prefix= but not --with-build-prefix.
> 
> And there is, apparently, this:
> 
> wscript:out = 'bin'
> ctdb/wscript:out = 'bin'
> lib/ldb/wscript:out = 'bin'
> ...
> 
> So it looks like the answer is "no" :)
> 
> I just dislike the hacking around renames or duplicating the
> source tree for different builds.. :)

Sorry.  Duplicating it sounds the most safe.

Andrew,

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions

More information about the samba-technical mailing list