[pacman-dev] [PATCH] Set "secure" $HOME

Jonathon Fernyhough jonathon at manjaro.org
Mon Aug 12 16:45:40 UTC 2019

By default, $HOME is that of the build user. This is usually not a
problem in ephemeral build containers/chroots but can allow some files
to escape into the filesystem where `makepkg` is run outside of a chroot.

There can also be instances of generated files (e.g. cache, precompiled
bytecode) being placed into these locations and which are then relied
upon by other parts of the software.

As a concrete example, Perl6 and nim have a precompilation cache (though
well-behaved in how it is used).

`export HOME=/nonexistent` is already used by Debian in their build
tooling and so does not represent a divergence from established
practice. It also allows for badly-behaved build processes to be more
easily spotted and an issue filed upstream where appropriate.

Signed-off-by: Jonathon Fernyhough <jonathon at manjaro.org>
 scripts/makepkg.sh.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 43484db3..04edc38a 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -40,6 +40,8 @@ export COMMAND_MODE='legacy'
 unset CDPATH
 # Ensure GREP_OPTIONS doesn't screw with our grep calls
+# Prevent build-user-specific files "escaping" into the filesystem
+export HOME=/nonexistent
 declare -r makepkg_version='@PACKAGE_VERSION@'
 declare -r confdir='@sysconfdir@'

More information about the pacman-dev mailing list