On Tuesday, September 13, 2011 11:20:57 AM John Doe wrote:
> From: Peter Kjellström <cap at nsc.liu.se>
> > It's not a good idea to build rpms as root (unless in a throw-away vm).
> > Build as user or even better using mock.
> Am I missing something or building an rpm as a non-root user for security
> reasons won't do much when, in the end, the rpm will be installed as
> root...? Apart from protecting the rpm building host.

It is true that if you're looking only at the security aspect of handling a
malicious rpm then it won't buy you that much. It will still however:

* Keep the rest of the rpms that build-server did safe
* Delay the effect one step (you can pick up the malicious binary rpm when
testing, before deploying).

That said the main reason probably isn't malicious (src)rpms but broken ones.
A spec file can easily contain bugs that will change/corrupt/break your build
machine (and still produce a valid binary rpm).

In the end it's kind of like running your gnome as root. You can do it but
common sense and the complexity of the system tells you not to.
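
Added example (not part of the original post): a heuristic check for the failure mode described above, where a spec scriptlet writes outside the buildroot and would therefore alter the build host when built as root. The function names, command lists and sample spec are constructed for illustration; this is not rpmlint and it does not expand macros.

```python
import re

# Sections whose shell scriptlets run on the build host during rpmbuild.
BUILD_SECTIONS = {"%prep", "%build", "%install", "%check", "%clean"}
ALL_SECTIONS = BUILD_SECTIONS | {"%description", "%package", "%files", "%changelog",
                                 "%pre", "%post", "%preun", "%postun"}
MODIFY_ALL = {"rm", "mkdir", "chmod", "chown", "touch"}  # every path argument is changed
MODIFY_LAST = {"cp", "mv", "install", "ln"}              # only the last argument is written
# Install-location macros expand to absolute host paths, e.g. %{_bindir} -> /usr/bin.
HOST_MACRO_RE = re.compile(
    r"^%\{_(bin|sbin|lib|libexec|data|sysconf|localstate|include|man|info)dir\}")

# Constructed sample spec fragment (assumption, not from the thread).
SAMPLE_SPEC = """\
%build
make
%install
rm -rf %{buildroot}
install -m 755 demo %{_bindir}/demo
cp demo.conf /etc/demo.conf
install -m 644 demo.1 %{buildroot}%{_mandir}/man1/demo.1
%post
chmod 600 /etc/demo.conf
"""

def is_host_path(token):
    """True if the token is a literal absolute path or starts with a host-path macro."""
    return token.startswith("/") or bool(HOST_MACRO_RE.match(token))

def risky_lines(spec_text):
    """Return (line_number, line) for build-time commands that modify host paths."""
    findings, section = [], None
    for num, raw in enumerate(spec_text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] in ALL_SECTIONS:
            section = words[0]  # a section header switches context
            continue
        if section not in BUILD_SECTIONS:
            continue  # %post etc. run at install time on the target, not while building
        args = [w for w in words[1:] if not w.startswith("-")]
        targets = args if words[0] in MODIFY_ALL else args[-1:] if words[0] in MODIFY_LAST else []
        if any(is_host_path(t) for t in targets):
            findings.append((num, raw.strip()))
    return findings

if __name__ == "__main__":
    for num, line in risky_lines(SAMPLE_SPEC):
        print(f"line {num}: writes outside the buildroot: {line}")
```

Built as an unprivileged user, the two flagged lines fail with a permission error; built as root, they silently overwrite files on the build machine while still producing a valid binary rpm.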
