RE: How to install source rpm's on redhat 9

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Op wo 23-04-2003, om 00:18 schreef Felipe Alfaro Solana:
> On Tue, 2003-04-22 at 18:03, Canadilla, Pedro wrote:
> > Hi,
> > 
> > In the maximum rpm doc, the examples are done with the user root. Are you
> > sure that this is wrong?
> 
> It's not exactly "wrong" to build packages as root. But, what would
> happen if you try to build as a root package whose sources contain a
> troyan horse that is invoked during compilation? The troyan would be ran
> as root and could install itself easily in your system. This has
> happened in the past. If my memory serves me well, there were some
> versions of sendmail troyaned out.
> 
> So the question is not if "it's wrong to build as root", but if "it's
> more secure to build as a regular, non-privileged user."

But what happens when, after you built a rpm as a normal user, you try
to install it? You usually are root when you do that. So the trojan
horse could be built during the compilation and installed when the rpm
is installed. The end result would be the same.
Or am I not seeing things clearly here?

-Tino Meinen





[Index of Archives]     [Fedora Users]     [Centos Users]     [Kernel Development]     [Red Hat Install]     [Red Hat Watch]     [Red Hat Development]     [Red Hat Phoebe Beta]     [Yosemite Forum]     [Fedora Discussion]     [Gimp]     [Stuff]     [Yosemite News]

  Powered by Linux