[arch-general] makepkg security
Alessandro Doro
ordo.ad at gmail.com
Thu Jul 9 20:25:36 EDT 2009
On Thu, Jul 09, 2009 at 03:00:49PM -0500, Aaron Griffin wrote:
> On Thu, Jul 9, 2009 at 1:55 PM, Square<toolman33 at gmail.com> wrote:
> > I noticed this in my typical routine when installing AUR packages.
> > 'makepkg -sic' is the typical command I use, and most of the time if
> > dependencies are installed before building sudo doesn't time out
> > before the install - meaning I do not have to re-enter a password
> > for installing the package itself. This leaves a window where any
> > time during the build process a command could have been executed
> > with sudo and it would have went through without my knowledge.
> >
> > I do realize that it should be up to the user to validate all of the
> > content, i.e. make sure everything is 'clean', but I thought I might
> > bring it up for discussion.
>
> This is up to you to control. You can change the timeout in
> /etc/sudoers by using the "password_timeout" (or is it
> "passwd_timeout"?) option.
A simple workaround could be a "sudo -k" after each sudo invocation in
the makepkg script.
More information about the arch-general
mailing list