[pacman-dev] sudo usage in makepkg - Was: makepkg security

Allan McRae allan at archlinux.org
Fri Jul 10 12:11:38 EDT 2009


Loui Chang wrote:
> On Fri 10 Jul 2009 17:25 +0200, Thomas Bächler wrote:
>   
>> The original complaint was that when using makepkg -sic, the sudo
>> password is cached after dependency installation and malicious sudo
>> commands might be executed during build() as the password is cached.
>>
>> My opinion on this is that we should not encourage people to use
>> sudo, Aaron suggested to move it here for further discussion. What do
>> you think?
>>     
>
> Actually I think syncdeps and install should be removed from makepkg,
> just as builddeps was. Then sudo can be completely removed from makepkg.
> People may complain though.
>   
And I would be one of them as removing syncdeps would make building in a 
clean chroot an absolute pain in the arse.

Anyway, as far as removing sudo usage goes...  I haven't thought much 
about this, but my initial opinion is that people who are concerned 
about sudo can set it up the way they like.  e.g. no password caching 
and use of root password, which would make sudo essentially an alias for 
"su -c".

So I really think this is a non-issue.  If someone does not like sudo, 
do not install it and use "pacman -S --asdep" yourself to install the 
needed deps.  Makepkg gives you the option, but no-one is forcing you to 
use it.

I would consider a patch that allows the user to configure whether they 
use "sudo" or "su -c". 

Allan
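
Added example (not part of the original message and not pacman or makepkg code): a small audit of the two sudoers settings the message alludes to, `timestamp_timeout` (password caching) and `rootpw` (ask for the root password). The function names, the sample policies and the assumed 5-minute compiled-in default are choices made for this example.

```shell
#!/bin/sh
# Simplified audit: reads only plain "Defaults" lines; per-user/per-host
# Defaults, includes and line continuations are ignored.
DEFAULT_TIMEOUT=5   # upstream sudo default in minutes (assumed unchanged at build time)

# Print "timeout=<minutes> rootpw=<0|1>" for the sudoers-style file in $1.
sudoers_policy() {
    awk -v timeout="$DEFAULT_TIMEOUT" '
        $1 == "Defaults" {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opts, ",")          # settings are comma-separated
            for (i = 1; i <= n; i++) {
                opt = opts[i]
                gsub(/[ \t]/, "", opt)
                if (opt ~ /^timestamp_timeout=/) {
                    sub(/^timestamp_timeout=/, "", opt)
                    timeout = opt               # later lines override earlier ones
                } else if (opt == "rootpw")  rootpw = 1
                else if (opt == "!rootpw") rootpw = 0
            }
        }
        END { printf "timeout=%s rootpw=%d\n", timeout, rootpw + 0 }
    ' "$1"
}

# Exit 0 when a password entered for dependency installation stays valid for
# later sudo calls (timeout not zero; a negative value never expires).
caches_credentials() {
    t=$(sudoers_policy "$1" | sed 's/^timeout=\([^ ]*\).*/\1/')
    awk -v t="$t" 'BEGIN { exit ((t + 0 == 0) ? 1 : 0) }'
}

# Constructed sample policies (not taken from any real system).
tmp=$(mktemp -d)
printf '%s\n' 'root ALL=(ALL) ALL' '%wheel ALL=(ALL) ALL' > "$tmp/stock"
printf '%s\n' '# no caching, root password' \
    'Defaults timestamp_timeout=0, rootpw' '%wheel ALL=(ALL) ALL' > "$tmp/strict"

for f in stock strict; do
    if caches_credentials "$tmp/$f"; then
        state="stays cached during build()"
    else
        state="is requested on every sudo call"
    fi
    echo "$f: $(sudoers_policy "$tmp/$f") -> password $state"
done
```

On a real system, make policy changes through `visudo` so a syntax error cannot lock sudo out.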




