[Slackbuilds-users] building everything as root
Alan Hicks
alan at lizella.net
Wed Apr 9 21:09:12 EDT 2008
Niel Drummond wrote:
> I am new to this list, and new to slackware, and find the slackbuilds
> project very appealing. But I am wondering on the rationale for building
> scripts as root ?
To some extent, it's always been done this way. If you look at the
SlackBuild scripts included in the source code for Slackware, you'll see
that they are without exception meant to be run as root. In some ways,
we've simply followed this tradition.
In other ways, it's also a lot simpler. When you run a SlackBuild script,
you don't have to worry about needing sudo, or entering a password to assume
root to complete those things that require superuser privileges.
> It's not necessary to do so, but most scripts try to
> change the ownership of files to root, so I suspect this is considered
> the "slackway". I remember reading somewhere though that running make
> (apart from 'make install') as root was asking for trouble, and coming
> from distros where its typically discouraged to run 3rd party scripts as
> root, it's made me curious to hear the counterargument.
Here's the thing... what rational is there for compiling the software as a
user and then assuming root? The only answer I've ever given for this is a
blanket "security" answer, but no one is able to elaborate on this. Allow
me to do so. I suppose if the source code you are compiling is explicitely
or accidentally malicious, the compiling it as a user would save you. Maybe
the Makefile will delete all your files if run as root, but that argument
falls apart because an attacker could just as easily insert the payload
during the make install phase.
In short, unless the coders were either stupid or stupid and malicious,
there's absolutely no benefit I've ever seen to compiling as a user. Please
note however, that this is mitigated by the SBo team auditing and testing
each and every SlackBuild script that goes into our repo. I personally run
them first as a mortal user and look for any errors, then build them as
root, so the likelihood of one of our scripts being malicious is
particularly low, though far from impossible (the human element can never be
ignored).
--
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
URL: <http://lists.slackbuilds.org/pipermail/slackbuilds-users/attachments/20080409/78b5fc83/attachment.asc>
More information about the Slackbuilds-users
mailing list