[arch-general] makepkg security
Thomas Bächler
thomas at archlinux.org
Thu Jul 9 16:37:29 EDT 2009
Aaron Griffin schrieb:
> On Thu, Jul 9, 2009 at 1:55 PM, Square<toolman33 at gmail.com> wrote:
>> I noticed this in my typical routine when installing AUR packages. 'makepkg -sic' is the typical command I use, and most of the time if dependencies are installed before building sudo doesn't time out before the install - meaning I do not have to re-enter a password for installing the package itself. This leaves a window where any time during the build process a command could have been executed with sudo and it would have went through without my knowledge.
>>
>> I do realize that it should be up to the user to validate all of the
>> content, i.e. make sure everything is 'clean', but I thought I might
>> bring it up for discussion.
>
> This is up to you to control. You can change the timeout in
> /etc/sudoers by using the "password_timeout" (or is it
> "passwd_timeout"?) option.
I agree. The question is not about makepkg security, but about sudo
security. And frankly, sudo is a security desaster in its default
configuration.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: <http://www.archlinux.org/pipermail/arch-general/attachments/20090709/b0330c31/attachment.pgp>
More information about the arch-general
mailing list