[arch-general] Why is it dangerous to run makepkg as root?
ushi
ushi+arch at honkgong.info
Sat May 17 16:55:35 EDT 2014
Am 17.05.2014 22:08, schrieb Bardur Arantsson:
> On 2014-05-17 21:50, Roland Tapken wrote:
>> Hi Bardur,
>>
>>> Maybe I've missed something reading through this thread, but *assuming*
>>> (yeah, I know) that packages can't run arbitrary scripts at install time
>>> (which I think is a valid assumption for pacman),
>>
>> Is this so? I don't know since I've only scratched the surface of arch until
>> now. But I'm not quite sure about this, since, for example, there must be a
>> way to add new users like http after installing apache. How should this be
>> done without a post-install-script?
>
> I always thought that "this package needs users X,Y and Z" was handled
> via some metadata in the package description, not via scripts per se.
> Maybe I'm wrong on that too.
Such things are handled via install scripts[0], called by pacman when
(un)installing/upgrading packages... and yes, packagers can put
arbitrary code in there. (postfix exmaple[1])
>>
>>> Of course an attacker can still (via the build executables) delete all
>>> the files you actually care about ($HOME) or install trojans into your
>>> $HOME/bin (etc.), but still... If you discover such a comprosmise you'd
>>> "only" have to delete your $HOME and restore from backup[0], whereas a
>>> root compromise would require a full reinstall of everything.
>>
>> Even if your assumption about pacman is correct: Just let the malicious
>> PKGBUILD write a file into /etc/cron.d/, /etc/systemd or something like that
>> and you're doomed. No need for privilege escalation.
>>
>
> Ah, yes. True, of course. I knew I'd missed something! :)
>
> Regards,
>
>
[0] https://wiki.archlinux.org/index.php/PKGBUILD#install
[1]
https://projects.archlinux.org/svntogit/packages.git/tree/trunk/install?h=packages/postfix
Cheers
More information about the arch-general
mailing list