Re: Net::Ping and sudo

On Wed, Nov 02, 2016 at 12:37:07PM +0000, Dave Mitchell wrote:
> A recent pull into blead of Net::Ping from CPAN (which is under dist/, but
> Reini seems to be pushing new versions to CPAN) has added code to
> t/500_ping_icmp.t that says: "if not running as root, try re-executing the
> script under sudo, but quietly skip if sudo doesn't succeed".
> 
> This has two issues: firstly, I now get an angry local email when running
> 'make test':
> 
>     To: root@iabyn.com
>     Subject: *** SECURITY information for robin ***
>     Message-Id: <20161102122201.16A7B240D0E@iabyn.com>
> 
>     robin : Nov  2 12:22:01 : davem : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/da
>     vem/perl5/git/bleed/dist/Net-Ping ; USER=root ; COMMAND=/home/davem/perl5/git/bl
>     eed/perl -I../../lib t/500_ping_icmp.t
> 
> which is annoying.
> 
> Secondly, I think people would find it unexpected for a perl test script
> to be run as root when 'make test' has been invoked as a normal user.  To
> a certain extent you could say that people using an account set up so that
> it can sudo to root and run any command without needing a password,
> deserve anything they get anyway.
> 
> In either case, I think we should remove the sudo from this test script.

I strongly agree on both counts.  Consider too the case where the
person running 'make test' is *not* also postmaster for root, but
instead has to now explain to the system administrator why those angry
messages are showing up in his/her mailbox.

Also, in the default configuration (at least on Debian) sudo will
cache credentials for 15 minutes, so it might not need a password.
I regard it as very impolite for the perl test suite to attempt to
invoke sudo on my behalf without giant warning flags going up first.

-- 
    Andy Dougherty		doughera@lafayette.edu

• Net::Ping and sudo by Dave Mitchell
• Re: Net::Ping and sudo by Andy Dougherty
• Re: Net::Ping and sudo by Leon Timmermans
• Re: Net::Ping and sudo by Dave Mitchell
• Re: Net::Ping and sudo by H.Merijn Brand