[arch-general] Why is it dangerous to run makepkg as root?

Patrick Burroughs (Celti) celticmadman at gmail.com
Sat May 17 18:17:06 EDT 2014


On Sat, May 17, 2014 at 5:40 AM, Roland Tapken <ml at lalamuhkuh.de> wrote:
> My first guess was that the PKGBUILD usually comes from an untrusted source and
> may contain code to attack my system (copy personal data or install a rootkit
> or something like that).

I think that the point isn't that you're not supposed to run makepkg
as root to protect against *malicious* packages, but rather to protect
against *badly written* ones. There are of course many ways that a
malicious package could get around that to hose your system, but a
simple badly written package that spews files directly into /usr
instead of into $pkgdir is easily thwarted by not having the
permissions necessary to do so.

Regards,
~Celti
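
An illustration of the "badly written package" case described in the message above, added here and not part of the original post: a heuristic check that lists lines in a PKGBUILD's package() function that name system paths without the $pkgdir prefix. The sample PKGBUILD, the package name "demo" and the function names are constructed for this example.

```shell
#!/bin/sh
# Added illustration: heuristic lint for package() lines that would write
# outside the staging directory ($pkgdir). Not a makepkg feature.

# Constructed sample PKGBUILD; "demo" is a hypothetical package.
sample_pkgbuild() {
cat <<'EOF'
pkgname=demo
pkgver=1.0
package() {
  install -Dm755 demo "$pkgdir/usr/bin/demo"
  install -Dm644 demo.conf /etc/demo.conf
  cp -r share /usr/share/demo
  make DESTDIR="${pkgdir}" install
}
EOF
}

# Reads a PKGBUILD on stdin and prints "lineno: text" for every line inside
# package() (or package_<name>()) that names an absolute system path which is
# not prefixed by $pkgdir or ${pkgdir}.
find_unstaged_writes() {
  awk '
    /^package(_[A-Za-z0-9_+-]+)?\(\)/ { inpkg = 1; next }
    inpkg && /^}/                     { inpkg = 0 }
    inpkg {
      line = $0
      # Drop every correctly staged path, then look for a leftover absolute one.
      gsub(/"?\$\{?pkgdir\}?"?\/[^ "]*"?/, "", line)
      if (line ~ /(^|[ ="])\/(usr|etc|opt|var|bin|lib|boot|srv)(\/|[ "]|$)/)
        printf "%d: %s\n", NR, $0
    }
  '
}

# Show the findings for the constructed sample.
sample_pkgbuild | find_unstaged_writes
```

Run as an unprivileged user, the two flagged commands would fail with a permission error during the build; run as root, they would silently modify the live system.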

