On 2014-05-17 14:40, Roland Tapken wrote:
Hi,
I've been using arch for about half a year on a few systems, but every time I install something from aur I ask myself one question:
Why is it considered dangerous to run makepkg as root?
My first guess was that the PKGBUILD usually comes from an untrusted source and may contain code to attack my system (copy personal data or install a rootkit or something like that). But on the other hand, this file tells makepkg how to build the package that will be installed as root, so if the author of the PKGBUILD has bad purposes he will just put that code into the created package.
Maybe I've missed something reading through this thread, but *assuming* (yeah, I know) that packages can't run arbitrary scripts at install time (which I think is a valid assumption for pacman), there is a slight theoretical advantage to the current behavior in that if you never run $NEW_PACKAGE *as root* then your system cannot be compromised quite as extensively as if you had run PKGBUILD as root (which would allow completely arbitrary commands as root, either through a malicious PKGBUILD or other attack channels such as an exploitable gcc, etc.).

Of course an attacker can still (via the build executables) delete all the files you actually care about ($HOME) or install trojans into your $HOME/bin (etc.), but still... If you discover such a compromise you'd "only" have to delete your $HOME and restore from backup[0], whereas a root compromise would require a full reinstall of everything.

Regards,
/b

[0] Actually, there have been quite a few "local user -> root" exploits of the Linux kernel, so really you should wipe everything and reinstall from scratch anyway. Remember, I'm only speaking theoretically in the above.