[arch-general] makepkg running as root
Colin Pitrat
colin.pitrat at amadeus.com
Tue Jan 22 05:42:01 EST 2008
Here is a proof that I was right to believe. On Ubuntu:
http://www.youtube.com/watch?v=D4fzInlyYQo
Regards,
Colin Pitrat
Thomas Bächler <thomas at archlinux.org> wrote on 22/01/2008 11:06 to General Discusson about Arch Linux <arch-general at archlinux.org> (subject: Re: [arch-general] makepkg running as root):
Jan de Groot wrote:
>> Just think of what this would do as root in a PKGBUILD:
>>
>> build() {
>> echo "You've been pwned!!!"
>> rm -rf /
>> }
>>
>
> Be sure to check .install files too. They can also contain rm -rf / in
> post_install, those are executed by root when you install the package ;)
You guys DO know that 'rm -rf /' is a harmless command that simply exits
with an error message? You should use 'rm -rf /*' to kill someone's
system.
However, the problem with makepkg as root can be more subtle: If a
broken PKGBUILD or Makefile installs files into / instead of
${startdir}/pkg, files will be missing in your package. However, you
will not notice it, as the files are present in your system, and there
won't be any error messages during the build process.
I met a user on IRC once who claimed his PKGBUILD and the resulting
package were fine, but the package was indeed empty, instead makepkg
installed all files directly into his system - these files were now
unknown to pacman.
Worst case (apart from a malicious PKGBUILD) is that you overwrite
critical system configuration files or libraries and render your system
unusable.
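The silent failure Thomas describes (a package step that writes into the live filesystem instead of ${startdir}/pkg, leaving an empty package and files pacman knows nothing about) can be caught mechanically. The script below is an added illustration and is not code from the thread or from makepkg: it runs a constructed package() function against a fresh staging directory and a throwaway "system" tree (called $sysroot here, an assumed name standing in for /), then reports whether the package came out empty or whether files appeared outside $pkgdir during the build.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from makepkg.
# The "live system" is a throwaway directory ($sysroot, an assumed name)
# so the broken case cannot touch the real filesystem; on a real build
# the same comparison would be made against / (and the build itself
# should run as an unprivileged user so a stray install fails loudly).

# Constructed package() functions. The correct one stages under $pkgdir;
# the broken one installs to an absolute path under $sysroot, which is
# what a hard-coded /usr/bin in a PKGBUILD does on a root build.
package_good() {
    install -Dm755 "$srcdir/hello.sh" "$pkgdir/usr/bin/hello"
}
package_broken() {
    install -Dm755 "$srcdir/hello.sh" "$sysroot/usr/bin/hello"
}

# list_files DIR: sorted, newline-separated list of regular files under DIR.
list_files() {
    find "$1" -type f | sort
}

# count_files DIR: number of regular files under DIR.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# audit_build FN: run packaging function FN with fresh srcdir/pkgdir/sysroot,
# then flag two symptoms: files that appeared in the system tree during the
# build (the ones pacman would never know about) and an empty package.
# Prints "ok", "stray-files" or "empty-package"; returns 0 only for "ok".
audit_build() {
    fn=$1
    srcdir=$(mktemp -d); pkgdir=$(mktemp -d); sysroot=$(mktemp -d)
    export srcdir pkgdir sysroot
    # Constructed source file the package step is supposed to stage.
    printf '#!/bin/sh\necho hello\n' > "$srcdir/hello.sh"
    before=$(list_files "$sysroot")
    ( "$fn" ) 2>/dev/null      # subshell: a failing install cannot abort us
    after=$(list_files "$sysroot")
    staged=$(count_files "$pkgdir")
    rm -rf "$srcdir" "$pkgdir" "$sysroot"
    if [ "$before" != "$after" ]; then
        echo stray-files; return 1
    elif [ "$staged" -eq 0 ]; then
        echo empty-package; return 1
    fi
    echo ok
}

# Usage: audit_build package_good   -> ok
#        audit_build package_broken -> stray-files
```

The stray-file comparison is checked first because it is the more serious symptom: an empty package is merely useless, whereas files written outside $pkgdir have already modified the system and will be invisible to pacman -Qo and to later upgrades.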