[arch-general] Why is it dangerous to run makepkg as root?

Bardur Arantsson spam at scientician.net
Sat May 17 17:42:11 EDT 2014

On 2014-05-17 22:55, ushi wrote:
> Am 17.05.2014 22:08, schrieb Bardur Arantsson:
>> On 2014-05-17 21:50, Roland Tapken wrote:
>>> Hi Bardur,
>>>> Maybe I've missed something reading through this thread, but *assuming*
>>>> (yeah, I know) that packages can't run arbitrary scripts at install time
>>>> (which I think is a valid assumption for pacman),
>>> Is this so? I don't know since I've only scratched the surface of arch until 
>>> now. But I'm not quite sure about this, since, for example, there must be a 
>>> way to add new users like http after installing apache. How should this be 
>>> done without a post-install-script?
>> I always thought that "this package needs users X,Y and Z" was handled
>> via some metadata in the package description, not via scripts per se.
>> Maybe I'm wrong on that too.
> Such things are handled via install scripts[0], called by pacman when
> (un)installing/upgrading packages... and yes, packagers can put
> arbitrary code in there. (postfix exmaple[1])

I see. Good to know.

The premise for my whole hypothetical was thus dismissed and I hang my
head in shame ;).


More information about the arch-general mailing list