[pacman-dev] sudo usage in makepkg - Was: makepkg security

Dan McGee dpmcgee at gmail.com
Fri Jul 10 20:31:12 EDT 2009


On Fri, Jul 10, 2009 at 11:11 AM, Allan McRae <allan at archlinux.org> wrote:
> Loui Chang wrote:
>>
>> On Fri 10 Jul 2009 17:25 +0200, Thomas Bächler wrote:
>>
>>>
>>> The original complaint was that when using makepkg -sic, the sudo
>>> password is cached after dependency installation and malicious sudo
>>> commands might be executed during build() as the password is cached.
>>>
>>> My opinion on this is that we should not encourage people to use
>>> sudo, Aaron suggested to move it here for further discussion. What do
>>> you think?
>>>
>>
>> Actually I think syncdeps and install should be removed from makepkg,
>> just as builddeps was. Then sudo can be completely removed from makepkg.
>> People may complain though.
>>
>
> And I would be one of them as removing syncdeps would make building in a
> clean chroot an absolute pain in the arse.
>
> Anyway, as far as removing sudo usage goes...  I haven't thought much about
> this, but my initial opinion is that people who are concerned about sudo can
> set it up the way they like.  e.g. no password caching and use of root
> password, which would make sudo essentially an alias for "su -c".
>
> So I really think this is a non issue.  If someone does not like sudo, do
> not install it and use "pacman -S --asdep" yourself to install the needed
> deps.  Makepkg gives you the option, but no-one is forcing you to use it.
>
> I would consider a patch that allows the user to configure whether they use
> "sudo" or "su -c".

I don't use the option much myself, but yeah, I think removing it
would be a bit rough for some.

I would also take a patch for the manpage offering some more stern
words about what using these options can mean.

Keep in mind we've done a few things with sudo and makepkg in the past
(in reverse chrono order):

http://projects.archlinux.org/?p=pacman.git;a=commitdiff;h=f827c9572e9c8a21d57e58bd61038226e9e0c05e
http://projects.archlinux.org/?p=pacman.git;a=commitdiff;h=fb10e0c797b649dc036bc0432dc77cffaabbc56d
http://projects.archlinux.org/?p=pacman.git;a=commitdiff;h=b6d991cf7b3f3227d06bdf13e1d515b1cf7c90f4
http://projects.archlinux.org/?p=pacman.git;a=commitdiff;h=f6d97da70dfde16f2e4d5e582c7b3a5116a47860

-Dan
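
The sudo setup mentioned in the quoted reply (no password caching, root password) maps to the sudoers options `timestamp_timeout=0` and `rootpw`. The script below is an added example, not part of this thread or of pacman: it checks a sudoers file for those two settings and reports whether a password entered for `makepkg -s` dependency installation would still be cached when build() runs. The helper names and sample policies are made up for illustration, and only global `Defaults` lines are parsed.

```shell
#!/bin/sh
# Added example. Reads only global "Defaults" lines of one sudoers file;
# scoped Defaults (Defaults:user ...) and included files are ignored (assumption).

# sudo_policy FILE (hypothetical helper): print "timeout=<v> rootpw=<yes|no>".
sudo_policy() {
    awk '
        $1 == "Defaults" {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opt, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                o = opt[i]; gsub(/[ \t]/, "", o)
                if (o ~ /^timestamp_timeout=/) { sub(/^[^=]*=/, "", o); t = o }
                else if (o == "rootpw")  r = "yes"
                else if (o == "!rootpw") r = "no"
            }
        }
        END { printf "timeout=%s rootpw=%s\n", (t == "" ? "default" : t), (r == "" ? "no" : r) }
    ' "$1"
}

# credential_cached FILE (hypothetical helper): exit 0 when a password typed
# for the dependency install would still be valid once build() starts.
# Only timestamp_timeout=0 forces a prompt on every sudo call; an unset value
# means sudo's built-in non-zero default, and a negative value never expires.
credential_cached() {
    t=$(sudo_policy "$1" | sed 's/^timeout=\([^ ]*\) .*/\1/')
    [ "$t" = default ] && return 0
    awk -v t="$t" 'BEGIN { exit ((t + 0 == 0) ? 1 : 0) }'
}

# Constructed sample policies, not taken from any real system.
tmp=$(mktemp -d)
printf 'Defaults env_reset\nroot ALL=(ALL) ALL\n' > "$tmp/stock"
printf 'Defaults env_reset, timestamp_timeout=0\nDefaults rootpw\n' > "$tmp/strict"
for f in stock strict; do
    if credential_cached "$tmp/$f"; then
        state="password stays cached into build()"
    else
        state="every sudo call prompts"
    fi
    echo "$f: $(sudo_policy "$tmp/$f") -> $state"
done
rm -rf "$tmp"
```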

