On Wed 23-04-2003, at 00:18, Felipe Alfaro Solana wrote:
> On Tue, 2003-04-22 at 18:03, Canadilla, Pedro wrote:
> > Hi,
> >
> > In the maximum rpm doc, the examples are done with the user root. Are you
> > sure that this is wrong?
>
> It's not exactly "wrong" to build packages as root. But, what would
> happen if you try to build as root a package whose sources contain a
> trojan horse that is invoked during compilation? The trojan would be run
> as root and could install itself easily in your system. This has
> happened in the past. If my memory serves me well, there were some
> versions of sendmail trojaned out.
>
> So the question is not if "it's wrong to build as root", but if "it's
> more secure to build as a regular, non-privileged user."

But what happens when, after you built an rpm as a normal user, you try to install it? You usually are root when you do that. So the trojan horse could be built during the compilation and installed when the rpm is installed. The end result would be the same.

Or am I not seeing things clearly here?

-Tino Meinen