install rpm's as root or ...? was Re: Custom Kernel Creation Documentation Online

Aleksandar Milivojevic amilivojevic at pbl.ca
Wed Feb 9 15:37:32 UTC 2005


Paul Howarth wrote:
> It's a security issue. The person writing the spec for the RPM, or 
> indeed the upstream package maintainer, could have put "rm -rf /" as a 
> command in the installation script for instance. There are a wide 
> variety of similar issues to consider. When building as a regular user, 
> the worst that can happen is whatever damage the building user has 
> permission to do to the system, which will usually mean only deleting or 
> overwriting their own files.

While I agree with this security point, it is actually minor.  Somebody 
can implant "rm -rf /" or whatever into a pre/post-install script in way 
more subtle ways, or it might be carefully implanted somewhere in the 
source of the program you are about to build/install (so when you 
finally attempt to install the binary RPM, something you normally do as 
root, or run the program as root (for example, it's a service, or a 
utility you might want to execute as root), it gets executed).  So, that 
is basically the issue if you trust something downloaded from the 
network in general.

The more usual reason is to avoid damage from bugs either present in the 
original tarball/SRPM or introduced by you.  Consider for example that 
you are creating an SRPM from an existing tarball, and had to make a 
patch that adds a line like this to the install target of the generated 
Makefile (for whatever reason):

	rm -rf ${PREFIX}/${DIRFORSOMETHING}

Probably not a good idea to do something like that without checking that 
those two variables are defined and evaluate to something reasonable, 
but let's ignore it for a moment.  You made two typos when writing the 
patch (maybe you are a lousy typist, or you missed your morning coffee, 
or it was 5 am and you missed your 2, 3, and 4 am coffees), and what you 
actually wrote in your patch is something like this:

	rm -rf ${PRFIX}/${DIRFORSOMETHNG}

Since PRFIX and DIRFORSOMETHNG are not defined (PREFIX and 
DIRFORSOMETHING are), this will evaluate to "rm -rf /".  If you build as 
root, you just wiped out your system.  If you build as a normal user, 
the damage is less severe (and if you noticed tons of permission denied 
errors on your terminal and pressed ctrl-c fast enough, maybe you were 
lucky enough that "rm -rf /" hadn't got to any of the files you own).

This, of course, is true for any software development.  Development 
should not be done as root (unless you are doing it on a system 
disconnected from the network, and are not going to bug your sysadmin 
when you screw it up, and you are going to screw it up sooner or later).  
There is a good reason for that.  Since building binary packages from 
SRPMs is really one of the development steps (even if you are not 
"developing" anything, and all you want is to simply compile an SRPM 
made by somebody else), it shouldn't be done as root either.

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
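The check the post says should precede that `rm -rf` (variables defined and evaluating to something reasonable), as an added shell example that is not part of the original message or of any Makefile it describes; `safe_rm_tree`, `DRY_RUN` and the demo paths are assumed names chosen for the illustration:

```sh
#!/bin/sh
# Added example, not from the original post: a guard for the
# "rm -rf ${PREFIX}/${DIRFORSOMETHING}" pattern discussed above.
# Instead of letting an undefined (mistyped) variable expand to "" and
# collapse the path to "/", refuse unless both parts are set, PREFIX is
# an absolute path other than "/", and the subdirectory cannot traverse
# out of PREFIX.  Returns 0 on success, 1 when a guard fires.
# DRY_RUN=1 prints the command instead of deleting anything.

safe_rm_tree() {
    prefix=$1
    subdir=$2

    # Guard 1: a typo such as ${PRFIX} arrives here as an empty string;
    # that is exactly what turned the post's line into "rm -rf /".
    if [ -z "$prefix" ] || [ -z "$subdir" ]; then
        echo "safe_rm_tree: refusing: PREFIX or DIRFORSOMETHING is unset/empty" >&2
        return 1
    fi

    # Guard 2: PREFIX must be absolute and must not be the filesystem root.
    case $prefix in
        /)  echo "safe_rm_tree: refusing: PREFIX is /" >&2; return 1 ;;
        /*) ;;
        *)  echo "safe_rm_tree: refusing: PREFIX '$prefix' is not absolute" >&2
            return 1 ;;
    esac

    # Guard 3: the subdirectory must be relative and contain no ".." component.
    case $subdir in
        /*|..|../*|*/..|*/../*)
            echo "safe_rm_tree: refusing: bad subdirectory '$subdir'" >&2
            return 1 ;;
    esac

    target="${prefix%/}/$subdir"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: rm -rf -- $target"
    else
        rm -rf -- "$target"
    fi
}

# Demo with constructed values.  PRFIX and DIRFORSOMETHNG are deliberately
# unset, reproducing the typo from the post; the guard fires instead of
# the path degenerating to "/".
DRY_RUN=1 safe_rm_tree /usr/local lib/foo
safe_rm_tree "$PRFIX" "$DIRFORSOMETHNG" || echo "guard fired as expected"
```

In a Makefile the same idea can be spelled inline with `${PREFIX:?}` and `${DIRFORSOMETHING:?}`, which makes the shell abort on an unset variable instead of silently expanding it to nothing.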

More information about the fedora-list mailing list