On Wed, 2003-04-23 at 01:03, Tino Meinen wrote: > Op wo 23-04-2003, om 00:18 schreef Felipe Alfaro Solana: > > On Tue, 2003-04-22 at 18:03, Canadilla, Pedro wrote: > > > Hi, > > > > > > In the maximum rpm doc, the examples are done with the user root. Are you > > > sure that this is wrong? > > > > It's not exactly "wrong" to build packages as root. But, what would > > happen if you try to build as a root package whose sources contain a > > troyan horse that is invoked during compilation? The troyan would be ran > > as root and could install itself easily in your system. This has > > happened in the past. If my memory serves me well, there were some > > versions of sendmail troyaned out. > > > > So the question is not if "it's wrong to build as root", but if "it's > > more secure to build as a regular, non-privileged user." > > But what happens when, after you built a rpm as a normal user, you try > to install it? You usually are root when you do that. So the trojan > horse could be built during the compilation and installed when the rpm > is installed. The end result would be the same. > Or am I not seeing things clearly here? If you build the package as root and, during the compilation a troyan horse is invoked, the troyan horse will install gracefully. If you build as a normal user, the troyan will fail to install (well, it could install with your privileges and spy on you, for example). Now, if the troyan is not invoked during the build process, but instead it's made in such a way so it gets compiled *with* the package binaries, it will only get invoked when those binaries is invoked, but not simply by installing them (binaries don't get invoked during installation of an RPM package). You would need to invoke the troyaned binary while running as root. And you would be running as root, which is a bad thing(TM), of course. There are exceptions, of course. If you are building something like BIND or Sendmail, whose daemons normally run as root, and the source code contains a troyan, the only thing you can do is checking the MD5 and GPG signatures of the package before compiling and installing. I don't know if anyone more suggestions on this issue... -- Please AVOID sending me WORD, EXCEL or POWERPOINT attachments. See http://www.fsf.org/philosophy/no-word-attachments.html Linux Registered User #287198
