[arch-general] Why is it dangerous to run makepkg as root?
Roland Tapken
ml at lalamuhkuh.de
Sat May 17 08:40:54 EDT 2014
Hi,
I'm using arch for about half a year on a few systems, but every time I
install something from aur I'm asking myself one question:
Why is it considered dangerous to run makepkg as root?
My first guess was that the PKGBUILD usually comes from an untrusted source and
may contain code to attack my system (copy personal data or install a rootkit
or something like that). But on the other hand, this file tells makepkg how to
build the package that will be installed as root, so if the author of the
PKGBUILD has bad purposes he will just put that code into the created package.
The second idea is that this advice should prevent the script from
*accidentally* damage my system. But this could be prevented by using fakeroot
(which is disabled when calling makepkg with --asroot according to the
manpage) or chroot. And actually the proper advice in this case should be to
execute makepkg using a user dedicated for this, as for most arch users it
would be worse if their personal file get deleted as if the system becomes
unbootable.
Regards,
Roland
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20140517/a9d26627/attachment.asc>
More information about the arch-general
mailing list