[arch-general] Why is it dangerous to run makepkg as root?
spam at scientician.net
Sat May 17 15:12:41 EDT 2014
On 2014-05-17 14:40, Roland Tapken wrote:
> I'm using arch for about half a year on a few systems, but every time I
> install something from aur I'm asking myself one question:
> Why is it considered dangerous to run makepkg as root?
> My first guess was that the PKGBUILD usually comes from an untrusted source and
> may contain code to attack my system (copy personal data or install a rootkit
> or something like that). But on the other hand, this file tells makepkg how to
> build the package that will be installed as root, so if the author of the
> PKGBUILD has bad purposes he will just put that code into the created package.
Maybe I've missed something reading through this thread, but *assuming*
(yeah, I know) that packages can't run arbitrary scripts at install time
(which I think is a valid assumption for pacman), there is a slight
theoretical advantage to the current behavior in that if you never run
$NEW_PACKAGE *as root* then your system cannot be compromised quite as
extensively as if you had run PKGBUILD as root (which would allow
completely arbitrary commands as root, either through a malicious
PKGBUILD or other attack channels such as an exploitable gcc, etc.).
Of course an attacker can still (via the build executables) delete all
the files you actually care about ($HOME) or install trojans into your
$HOME/bin (etc.), but still... If you discover such a comprosmise you'd
"only" have to delete your $HOME and restore from backup, whereas a
root compromise would require a full reinstall of everything.
 Actually, there have been quite a few "local user -> root" exploits
of the Linux kernel, so really you should wipe everything and reinstall
from scratch anyway. Remember, I'm only speaking theoretically in the above.
More information about the arch-general