
towards ncm-ncd in -T #82

Open
stdweird opened this issue Sep 27, 2016 · 5 comments

Comments

@stdweird
Member

stdweird commented Sep 27, 2016

currently, ncm-ncd has -t shebang, meaning any taint errors will be reported as warning, but nothing fatal.
there are a few paths towards running ncm-ncd in -T

  • via ncm-cdispd config file, and run ncm-ncd as perl -Tw /usr/sbin/ncm-ncd if some config is set
  • use something like Taint::Runtime and
    • enable taint via a config option in ncm-ncd.conf
    • enable/disable tainting per component (and in ncm-ncd itself in shebang), similar to NoActionSupported

this also requires that the unit tests for the components run in -T

@stdweird stdweird added this to the 16.10 milestone Sep 27, 2016
@ned21
Contributor

ned21 commented Sep 30, 2016

@ajf8 can you check how many of our internal components this would break please?

@stdweird
Member Author

most of our failures were related to LC chown, we could switch to CAF::Path and untaint there (but CAF::Path currently does not untaint)

@piojo-zz
Member

piojo-zz commented Oct 4, 2016

Discussion from the workshop: the profile should be untainted automatically. No amount of untainting will protect us from a profile that setuids /bin/bash. If a profile is hostile it's game over.

However, components should untaint inputs from the file system or from subprocesses.

Workshop seems to like the idea of Taint::Runtime, but it is not available on EL5 (only on rpmforge).

The first step could be to use Test::Taint during tests. If this is the path to go, please remember that the Test::Quattor modules should taint their parameters (i.e, mocked command outputs must be tainted).
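An added illustration (not code from this issue or from ncm-ncd) of the two points above: under perl -T a component must untaint subprocess output by validating it, and a test mock built from a string literal is not tainted unless the test taints it first. It assumes only core modules and that PATH is set in the environment; run it with perl -T.

```perl
# Added example, not ncm-ncd or Test::Quattor code. Run as: perl -T this_file.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample standing in for mocked command output in a test.
# Under -T, %ENV and real subprocess output are tainted; a literal is not.
my $mocked_output = "uid=1000(quattor) gid=1000\n";

# Give a value the taint flag, which is the role Test::Taint plays for mocks:
# appending an empty substring of a tainted source (here $ENV{PATH}, assumed
# set) makes the result inherit the taint without changing its content.
sub taint_value {
    my ($v) = @_;
    return $v . substr($ENV{PATH}, 0, 0);
}

# Untaint by validation: only a regex capture clears the flag, and only the
# narrow shape the component actually expects is accepted. Returns undef on
# anything else, so the caller never passes unvalidated data to chown & co.
sub untaint_uid {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /^uid=(\d+)\(/;
    return $1;
}

# 1. The raw mock is clean, so a test using it would never exercise the
#    "Insecure dependency" path that -T is meant to make fatal.
print "mocked literal tainted: ", (tainted($mocked_output) ? "yes" : "no"), "\n";

# 2. After tainting it behaves like real command output.
my $tainted = taint_value($mocked_output);
print "after taint_value tainted: ", (tainted($tainted) ? "yes" : "no"), "\n";

# 3. Validation yields a usable, untainted value ...
my $uid = untaint_uid($tainted);
print "uid=$uid tainted: ", (tainted($uid) ? "yes" : "no"), "\n";

# 4. ... and rejects output that does not match, instead of untainting blindly.
my $bad = untaint_uid(taint_value("garbage\n"));
print "garbage accepted: ", (defined $bad ? "yes" : "no"), "\n";
```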

@piojo-zz
Member

piojo-zz commented Oct 4, 2016

Morgan Stanley would appreciate if Taint::Runtime didn't become a dependency to be installed on all their hosts.

Something like

if ($do_taint_that_comes_from_some_config) {
    eval "use Taint::Runtime;";
}

somewhere.

@jrha jrha removed this from the 16.10 milestone Oct 19, 2016
@jrha
Member

jrha commented Oct 19, 2016

Discussed at workshop, does not look like it will happen for 16.10, will leave @stdweird to decide if he wants to set a new milestone.

ttyS4 pushed a commit to ttyS4/ncm-ncd that referenced this issue Dec 15, 2017
Configuration: getTree clears any error causing the failure