[arch-general] makepkg running as root
Sentinel
kanocz at intrak.sk
Tue Jan 22 05:59:12 EST 2008
Hi,
'rm -rf /' works on debian and debian like systems. I tried it in a
virtual machine. I used Debian for 4 years before I moved to arch two
weeks ago.
I find the fakeroot a good security wall. I always use it.
Tom Kanocz, Slovakia
Colin Pitrat wrote:
>
> > You guys DO know that 'rm -rf /' is a harmless command that simply exits
> > with an error message? You should use 'rm -rf /*' to kill someone's
> > system.
>
> You say that hoping that some of us will try 'rm -rf /' ?
>
> By the way, I fear 'rm -rf ~' as standard user as much as I fear 'rm
> -rf /' as root (call me believer, I'm pretty sure it works on some
> systems).
>
> Regards,
> Colin Pitrat
>
>
>
> Jan de Groot wrote:
> >> Just think of what this would do as root in a PKGBUILD:
> >>
> >> build() {
> >> echo "You've been pwned!!!"
> >> rm -rf /
> >> }
> >>
> >
> > Be sure to check .install files too. They can also contain rm -rf /
> > in post_install, those are executed by root when you install the
> > package ;)
>
>
>
> However, the problem with makepkg as root can be more subtle: If a
> broken PKGBUILD or Makefile installs files into / instead of
> ${startdir}/pkg, files will be missing in your package. However, you
> will not notice it, as the files are present in your system, and there
> won't be any error messages during the build process.
>
> I met a user on IRC once who claimed his PKGBUILD and the resulting
> package were fine, but the package was indeed empty, instead makepkg
> installed all files directly into his system - these files were now
> unknown to pacman.
>
> Worst case (apart from a malicious PKGBUILD) is that you overwrite
> critical system configuration files or libraries and render your system
> unusable.
>
> [attachment "signature.asc" deleted by Colin Pitrat/NCE/AMADEUS]
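
Added example, not part of the original thread and not makepkg's own code: a shell check for the quieter failure mode quoted above, where an install step writes into / and the staged package ends up empty. The function names are hypothetical, the sample PKGBUILD is constructed, and treating DESTDIR= or $pkgdir as "pointed at the staging directory" is an assumption of this sketch.

```sh
# Added example; function names are hypothetical and not part of makepkg.

# Print PKGBUILD lines that run an install step without naming the staging
# directory (${startdir}/pkg, $pkgdir) or DESTDIR=. Heuristic, not a parser.
lint_install_steps() {
    grep -nE '(make[[:space:]].*install|(^|[[:space:]])(install|cp)[[:space:]]+-)' "$1" \
        | grep -vE 'DESTDIR=|startdir|pkgdir' || true
}

# Count files and symlinks staged under the package directory.
staged_file_count() {
    find "$1" -mindepth 1 \( -type f -o -type l \) 2>/dev/null | wc -l | tr -d ' '
}

# check_build UID PKGBUILD STAGING_DIR: print findings, return 1 if any.
check_build() {
    rc=0
    if [ "$1" -eq 0 ]; then
        echo "build uid is 0: a stray install step would write into /"; rc=1
    fi
    unstaged=$(lint_install_steps "$2")
    if [ -n "$unstaged" ]; then
        echo "install steps not pointed at the staging dir:"; echo "$unstaged"; rc=1
    fi
    if [ "$(staged_file_count "$3")" -eq 0 ]; then
        echo "staging dir $3 is empty: the package would contain no files"; rc=1
    fi
    return "$rc"
}

# Constructed sample: a PKGBUILD whose build() forgets DESTDIR, and the empty
# staging directory such a build leaves behind.
run_demo() {
    demo=$(mktemp -d)
    mkdir "$demo/pkg"
    cat > "$demo/PKGBUILD" <<'EOF'
pkgname=demo
build() {
  cd ${startdir}/src/demo-1.0
  make
  make install
}
EOF
    check_build "$(id -u)" "$demo/PKGBUILD" "$demo/pkg"
    demo_rc=$?
    rm -rf "$demo"
    return "$demo_rc"
}
run_demo || echo "demo PKGBUILD rejected, as expected"
```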