[arch-general] makepkg security

Thomas Bächler thomas at archlinux.org
Fri Jul 10 04:01:16 EDT 2009

Aaron Griffin schrieb:
>> I agree. The question is not about makepkg security, but about sudo
>> security. And frankly, sudo is a security desaster in its default
>> configuration.
> Any suggestions for changing / shipping a better default config file?
> I know little about the security implications of this, but I think we
> should ship a decent default if possible.

Our policy is usually to ship whatever upstream ships. IMO, a good 
default would be to set sudo to require the root password (not the user 
password) and not cache any passwords at all.

Also, I think instead of using sudo in makepkg, we should use su by 
default (with an option to enable sudo). su always has a good default 
configuration requiring the root password (it's also possible to set it 
to allow password-less su in the pam configuration, but everyone who 
does that is crazy anyway).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: <http://www.archlinux.org/pipermail/arch-general/attachments/20090710/e78a7fd0/attachment.pgp>

More information about the arch-general mailing list