[arch-general] makepkg security

James Rayner iphitus at iphitus.org
Thu Jul 9 22:11:19 EDT 2009

On Fri, Jul 10, 2009 at 11:39 AM, Alessandro Doro<ordo.ad at gmail.com> wrote:
> ¹ Really theoretical, assuming that the user:
>  · read the PKGBUILD,
>  · trust the package source.

Yeah... I think I'd be somewhat suspicious if I saw a PKGBUILD calling sudo.

sudo -k wouldn't be very effective either. What if I run sudo
elsewhere on my system during the build process, the hole is open

As long as you're running an untrusted script on your system, there's
infinitely many other possibilities. An rm -rf ~/* is pretty damaging
and doesn't need sudo.

Allesandro is spot on.


More information about the arch-general mailing list