[Slackbuilds-users] building everything as root

Niel Drummond niel.drummond at grumpytoad.org
Thu Apr 10 15:18:10 EDT 2008


Alan Hicks wrote:
> Niel Drummond wrote:
>> It's not necessary to do so, but most scripts try to change the 
>> ownership of files to root, so I suspect this is considered the 
>> "slackway". I remember reading somewhere though that running make 
>> (apart from 'make install') as root was asking for trouble, and 
>> coming from distros where its typically discouraged to run 3rd party 
>> scripts as root, it's made me curious to hear the counterargument.
>
> Here's the thing... what rational is there for compiling the software 
> as a user and then assuming root?  The only answer I've ever given for 
> this is a blanket "security" answer, but no one is able to elaborate 
> on this.  Allow me to do so.  I suppose if the source code you are 
> compiling is explicitely or accidentally malicious, the compiling it 
> as a user would save you.  Maybe the Makefile will delete all your 
> files if run as root, but that argument falls apart because an 
> attacker could just as easily insert the payload during the make 
> install phase.
>
yes, I've written some Makefiles to see that this would be the case, but 
I have very limited knowledge of C programming, so I'd previously 
assumed that this danger is inherent in using the compiler with a 
combination of bad parameters, which, as far as I know, are sourced from 
programs that the originator perhaps has no control over (pkgconfig?). 
If it's all very harmless (assuming the good intentions of the 
programmer), then that's good to know! :-)

> In short, unless the coders were either stupid or stupid and 
> malicious, there's absolutely no benefit I've ever seen to compiling 
> as a user.  Please note however, that this is mitigated by the SBo 
> team auditing and testing each and every SlackBuild script that goes 
> into our repo.  I personally run them first as a mortal user and look 
> for any errors, then build them as root, so the likelihood of one of 
> our scripts being malicious is particularly low, though far from 
> impossible (the human element can never be ignored).
>
that's also good to know... please don't understand that I was implying 
that slackbuilds are in any way damaging, just that I wanted to 
understand a bit more about the slackware methodology as a counterpart 
to other distributions that I've used.

regards

> ------------------------------------------------------------------------
>
> _______________________________________________
> Slackbuilds-users mailing list
> Slackbuilds-users at slackbuilds.org
> http://lists.slackbuilds.org/mailman/listinfo/slackbuilds-users
>
> Please read the FAQ - http://slackbuilds.org/faq/
>   



More information about the Slackbuilds-users mailing list