[arch-general] Why is it dangerous to run makepkg as root?
Karol Blazewicz
karol.blazewicz at gmail.com
Sat May 17 09:37:05 EDT 2014
On Sat, May 17, 2014 at 2:40 PM, Roland Tapken <ml at lalamuhkuh.de> wrote:
> Hi,
>
> I'm using arch for about half a year on a few systems, but every time I
> install something from aur I'm asking myself one question:
>
> Why is it considered dangerous to run makepkg as root?
>
> My first guess was that the PKGBUILD usually comes from an untrusted source and
> may contain code to attack my system (copy personal data or install a rootkit
> or something like that). But on the other hand, this file tells makepkg how to
> build the package that will be installed as root, so if the author of the
> PKGBUILD has bad purposes he will just put that code into the created package.
>
> The second idea is that this advice should prevent the script from
> *accidentally* damage my system. But this could be prevented by using fakeroot
> (which is disabled when calling makepkg with --asroot according to the
> manpage) or chroot. And actually the proper advice in this case should be to
> execute makepkg using a user dedicated for this, as for most arch users it
> would be worse if their personal file get deleted as if the system becomes
> unbootable.
>
> Regards,
>
> Roland
'--asroot' option has recently been removed.
https://projects.archlinux.org/pacman.git/commit/?id=61ba5c961e4a3536c4bbf41edb348987a9993fdb
More information about the arch-general
mailing list