[arch-general] Why is it dangerous to run makepkg as root?

Roland Tapken ml at lalamuhkuh.de
Sat May 17 08:40:54 EDT 2014


I'm using arch for about half a year on a few systems, but every time I 
install something from aur I'm asking myself one question:

Why is it considered dangerous to run makepkg as root?

My first guess was that the PKGBUILD usually comes from an untrusted source and 
may contain code to attack my system (copy personal data or install a rootkit 
or something like that). But on the other hand, this file tells makepkg how to 
build the package that will be installed as root, so if the author of the 
PKGBUILD has bad purposes he will just put that code into the created package.

The second idea is that this advice should prevent the script from 
*accidentally* damage my system. But this could be prevented by using fakeroot 
(which is disabled when calling makepkg with --asroot according  to the 
manpage) or chroot. And actually the proper advice in this case should be to 
execute makepkg using a user dedicated for this, as for most arch users it 
would be worse if their personal file get deleted as if the system becomes 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20140517/a9d26627/attachment.asc>

More information about the arch-general mailing list