[arch-general] First Time Using AUR

Jim Pryor lists+arch-general at jimpryor.net
Wed Apr 14 15:07:35 EDT 2010


On Wed, Apr 14, 2010 at 10:53:45AM -0600, Gary Wright wrote:
> On Wed, 2010-04-14 at 08:16 -0500, Burlynn Corlew Jr (velcroshooz)
> wrote:
> > On Wed, Apr 14, 2010 at 8:12 AM, Carlos Mennens <carloswill at gmail.com> wrote:
> > 
> > > I am getting ready to use my newly built Arch Linux system for the 1st
> > > time and use AUR and read the Wiki but I have a question that I am not
> > > clear on:
> > >
> > > Next choose an appropriate build directory. A build directory is
> > > simply a directory where the package will be made or "built" and can
> > > be any directory. Examples of commonly used directories are:
> > >
> > > ~/builds
> > >
> > > Now when I create the "~/builds" directory, does it matter if I do
> > > this in a regular user's home directory or in 'roots'? It is not very
> > > clear and I don't want to break anything or improperly build a package
> > > from AUR.
> > >
> > 
> > I don't know if you're using an AUR helper or makepkg alone, but I would
> > use ~/builds in a user's directory. Running makepkg as root is bad
> > practice.
> 
> I don't see that anybody has touched on this, but the reason that
> running makepkg as a regular user is best is because AUR pkgbuilds are
> not checked for malicious code before being made available for download.
> There is a great community of TUs and AUR users that will usually spot
> bad pkgbuilds before anyone is affected, but it is ultimately the
> end-user's obligation to check the pkgbuild/install scripts for bad
> code. Having the build() func execute rm -rf / doesn't do quite as much
> when you're a normal user.  Root, however, can destroy a system that
> way. 

I disagree: this is not an adequate justification. Why not? Because
suppose the package gets built ok. What are you going to do then?
Install it with root privileges---which will lead to the install script's
being run with root privileges, or alternatively to any binary the
packager wants being installed setuid and owned by root. Your only
protection against this is to trust the source (and the url from which
it's downloaded) and trust/review the PKGBUILD and install scripts. You
might as well do that before running makepkg, as after running makepkg
but before running "sudo pacman -U newpackage.pkg.tar.gz".

That's your only protection against anything malicious.

The advantage of not building as root is in case something is broken in
the PKGBUILD or Makefile, this puts up some additional protective
barriers. A malicious maintainer would only need a bit of obfuscation
and cleverness to bury his payload in the parts of the process that are
run as root.

Anyway, that's how I understand it. I've broken a few PKGBUILDs and
Makefiles myself. For instance, you want to be sure your "make install"
targets respect DESTDIR. If you leave that out, and run make install as
a normal user, the step will fail and you'll just get an error about not
having privileges (yet) to write to /usr/bin/whatever. If you run make
install as root, though, the files will get written to
/usr/bin/whatever, possibly overwriting what's there, and won't be tar'd
up when $pkgdir is compressed. This is the kind of flimsy but helpful
protection you get from running makepkg as a normal user.

-- 
Jim Pryor
profjim at jimpryor.net
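Added example, not part of this thread or of makepkg: a small POSIX shell check for the DESTDIR point above. It writes two constructed install recipes (shell scripts standing in for a Makefile's "make install" target, so no make is needed), one that prefixes every path with ${DESTDIR} and one that ignores it, then installs each into a scratch $pkgdir with PREFIX pointing at a scratch directory that stands in for the live filesystem, never the real /usr, and reports which recipe leaked past $pkgdir.

```shell
#!/bin/sh
# Constructed sample recipes are written into $1; "hello" is the built binary.
write_recipes() {
    dir=$1
    # Good recipe: every target path starts with ${DESTDIR}, as makepkg expects.
    cat > "$dir/install-good.sh" <<'EOF'
#!/bin/sh
install -D -m 755 hello "${DESTDIR}${PREFIX}/bin/hello"
EOF
    # Broken recipe: DESTDIR is ignored, so the file goes straight to PREFIX.
    cat > "$dir/install-broken.sh" <<'EOF'
#!/bin/sh
install -D -m 755 hello "${PREFIX}/bin/hello"
EOF
    chmod +x "$dir"/install-good.sh "$dir"/install-broken.sh
    printf '#!/bin/sh\necho hello\n' > "$dir/hello"
}

# check_destdir RECIPE: returns 0 when the recipe writes only under $pkgdir,
# 1 when it leaks into the stand-in live prefix (what happens to the real
# /usr/bin when such a recipe is run by makepkg as root).
check_destdir() {
    recipe=$1
    work=$(mktemp -d)
    pkgdir="$work/pkg"      # stands in for makepkg's $pkgdir
    live="$work/live"       # stands in for the live root filesystem
    mkdir -p "$pkgdir" "$live"
    write_recipes "$work"
    ( cd "$work" && DESTDIR="$pkgdir" PREFIX="$live/usr" "./$recipe" ) >/dev/null 2>&1
    status=1
    if [ -x "$pkgdir$live/usr/bin/hello" ] && [ ! -e "$live/usr/bin/hello" ]; then
        status=0
    fi
    rm -rf "$work"
    return $status
}

# Report both constructed recipes.
for r in install-good.sh install-broken.sh; do
    if check_destdir "$r"; then
        echo "$r: respects DESTDIR, files land under \$pkgdir"
    else
        echo "$r: ignores DESTDIR, files leak into the live prefix"
    fi
done
```

The same check can be pointed at a real package by replacing the recipe with "make DESTDIR=... PREFIX=... install" run from the unpacked source, which is exactly the step the post says fails safely for a normal user and silently overwrites /usr/bin for root.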

