[arch-general] Why is it dangerous to run makepkg as root?

[Bardur Arantsson]

On 2014-05-17 14:40, Roland Tapken wrote:
> Hi,
> 
> I'm using arch for about half a year on a few systems, but every time I 
> install something from aur I'm asking myself one question:
> 
> Why is it considered dangerous to run makepkg as root?
> 
> My first guess was that the PKGBUILD usually comes from an untrusted source and 
> may contain code to attack my system (copy personal data or install a rootkit 
> or something like that). But on the other hand, this file tells makepkg how to 
> build the package that will be installed as root, so if the author of the 
> PKGBUILD has bad purposes he will just put that code into the created package.
> 

Maybe I've missed something reading through this thread, but *assuming*
(yeah, I know) that packages can't run arbitrary scripts at install time
(which I think is a valid assumption for pacman), there is a slight
theoretical advantage to the current behavior in that if you never run
$NEW_PACKAGE *as root* then your system cannot be compromised quite as
extensively as if you had run PKGBUILD as root (which would allow
completely arbitrary commands as root, either through a malicious
PKGBUILD or other attack channels such as an exploitable gcc, etc.).

Of course an attacker can still (via the build executables) delete all
the files you actually care about ($HOME) or install trojans into your
$HOME/bin (etc.), but still... If you discover such a comprosmise you'd
"only" have to delete your $HOME and restore from backup[0], whereas a
root compromise would require a full reinstall of everything.

Regards,

/b

[0] Actually, there have been quite a few "local user -> root" exploits
of the Linux kernel, so really you should wipe everything and reinstall
from scratch anyway. Remember, I'm only speaking theoretically in the above.