[Slackbuilds-users] building everything as root

[Deak, Ferenc]

On Thu, Apr 10, 2008 at 3:09 AM, Alan Hicks <alan at lizella.net> wrote:
>
>  In other ways, it's also a lot simpler.  When you run a SlackBuild script,
> you don't have to worry about needing sudo, or entering a password to assume
> root to complete those things that require superuser privileges.
>
>  ...
>
>  Here's the thing... what rational is there for compiling the software as a
> user and then assuming root?  The only answer I've ever given for this is a
> blanket "security" answer, but no one is able to elaborate on this.  Allow
> me to do so.  I suppose if the source code you are compiling is explicitely
> or accidentally malicious, the compiling it as a user would save you.  Maybe
> the Makefile will delete all your files if run as root, but that argument
> falls apart because an attacker could just as easily insert the payload
> during the make install phase.
>
>  In short, unless the coders were either stupid or stupid and malicious,
> there's absolutely no benefit I've ever seen to compiling as a user.  Please
> note however, that this is mitigated by the SBo team auditing and testing
> each and every SlackBuild script that goes into our repo.  I personally run
> them first as a mortal user and look for any errors, then build them as
> root, so the likelihood of one of our scripts being malicious is
> particularly low, though far from impossible (the human element can never be
> ignored).

Just a note, the majority of the slackbuild.org packages can be built
with fakeroot (I've tested it), without being root in any phase of the
build. It is a very good tool while I'm testing the build script. There are
makefiles, which doesn't handle the DEST (or similar) variables
properly and need patching. Using fakeroot, you are 'root' in your
directories you can set set the right permissions etc, but you can't
write to sytem directories.

feco