[Slackbuilds-users] building everything as root
    Alan Hicks 
    alan at lizella.net
       
    Wed Apr  9 21:09:12 EDT 2008
    
    
  
Niel Drummond wrote:
> I am new to this list, and new to slackware, and find the slackbuilds 
> project very appealing. But I am wondering on the rationale for building 
> scripts as root ?
To some extent, it's always been done this way.  If you look at the 
SlackBuild scripts included in the source code for Slackware, you'll see 
that they are without exception meant to be run as root.  In some ways, 
we've simply followed this tradition.
In other ways, it's also a lot simpler.  When you run a SlackBuild script, 
you don't have to worry about needing sudo, or entering a password to assume 
root to complete those things that require superuser privileges.
> It's not necessary to do so, but most scripts try to 
> change the ownership of files to root, so I suspect this is considered 
> the "slackway". I remember reading somewhere though that running make 
> (apart from 'make install') as root was asking for trouble, and coming 
> from distros where its typically discouraged to run 3rd party scripts as 
> root, it's made me curious to hear the counterargument.
Here's the thing... what rational is there for compiling the software as a 
user and then assuming root?  The only answer I've ever given for this is a 
blanket "security" answer, but no one is able to elaborate on this.  Allow 
me to do so.  I suppose if the source code you are compiling is explicitely 
or accidentally malicious, the compiling it as a user would save you.  Maybe 
the Makefile will delete all your files if run as root, but that argument 
falls apart because an attacker could just as easily insert the payload 
during the make install phase.
In short, unless the coders were either stupid or stupid and malicious, 
there's absolutely no benefit I've ever seen to compiling as a user.  Please 
note however, that this is mitigated by the SBo team auditing and testing 
each and every SlackBuild script that goes into our repo.  I personally run 
them first as a mortal user and look for any errors, then build them as 
root, so the likelihood of one of our scripts being malicious is 
particularly low, though far from impossible (the human element can never be 
ignored).
-- 
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20080409/78b5fc83/attachment.asc>
    
    
More information about the Slackbuilds-users
mailing list