On Thu, 30 Sep 2004, Chris L. Mason wrote:

> Hi all,
>
> I've checked the documentation and man pages and couldn't find what I
> was looking for. If I've missed something, please point me in the
> right direction.
>
> I've been trying to figure out if it is possible to have all emerges
> (especially the builds) to be done as a non-root user, and have the
> process call sudo (or similar) only for the final merge. All
> downloading, unpacking, compiling and installing to the fake target
> should be doable without root permissions. So, you'd just need to be
> in the portage group, and be configured in sudo.
>
...
>
> This is desirable both for security reasons and just to avoid
> accidentally trashing the system because of a broken build script, for
> example.

Illusion of security only. If someone competent wanted to attack your
system, they would not do it in the build script; they'd do it in the
resulting code. As such, this methodology only protects against broken
build scripts.

For those that don't understand the concept, which would you think a
cracker would more likely want: one time access to your system, or
access to your system forever, whenever they wanted?

We may find out about some malicious code updates through such
protections, but that's generally due to the cracker not knowing how to
code properly. The crackers who *do* know how to code will pass right
through your checks if you're depending upon such mechanisms to detect
them. (Admittedly, I've only heard of one decent cracker who dared Open
Source.) I would really prefer we find out about all the malicious
updates through code review and patch signature verification (this does,
of course, include the preference for finding out about all of them).

Admittedly, build scripts tend to not get quite as much review as code
people realize is going to continue running on their systems, and I have
seen one or two packages that tried to install root kits in configure.
(They, incidentally, did not pass the signature verification check. But
I was curious.)

Ed

--
gentoo-dev@g.o mailing list
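The unprivileged build plus privileged final merge that the quoted question describes still leaves one step worth checking: what the staged image (the "fake target") asks the sudo step to install. The following is an added example, not code from this thread or from Portage; the policy it enforces (allowed prefixes, no setuid/setgid, no world-writable entries, symlinks confined to the image) is an assumption, and `ALLOWED_PREFIXES`, `allowed_path`, `audit_image` and `demo` are names chosen for the example.

```python
"""Pre-merge audit of a staged install image (the "fake target" an unprivileged
build fills before sudo performs the final merge). Added example, not code from the
thread or from Portage; the policy below is assumed, not Portage's."""
import os
import shutil
import stat
import tempfile

ALLOWED_PREFIXES = ("usr/", "etc/", "var/lib/", "opt/")  # assumed policy

def allowed_path(rel, is_dir):
    # Under a prefix, or a directory on the way to one ("var" for "var/lib/").
    r = rel + "/"
    return any(r.startswith(p) or (is_dir and p.startswith(r)) for p in ALLOWED_PREFIXES)

def audit_image(image_root):
    """Return a list of findings; an empty list means the image may be merged."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(image_root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, image_root)
            st = os.lstat(full)  # never follow symlinks while auditing
            if not allowed_path(rel, is_dir):
                findings.append(f"{rel}: outside allowed prefixes")
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(f"{rel}: setuid/setgid bit set")
            if stat.S_ISLNK(st.st_mode):
                target = os.readlink(full)
                inside = os.path.normpath(os.path.join(os.path.dirname(rel), target))
                if os.path.isabs(target) or inside.startswith(".."):
                    findings.append(f"{rel}: symlink escapes image ({target})")
            elif st.st_mode & stat.S_IWOTH:  # symlinks are 0777 on Linux, so skip them
                findings.append(f"{rel}: world-writable")
    return findings

def demo():
    """Constructed throw-away image: one clean file plus three violations."""
    root = tempfile.mkdtemp(prefix="image-")
    for rel, mode in (("usr/bin/tool", 0o755), ("usr/bin/helper", 0o4755),
                      ("etc/cron.d/job", 0o666)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), mode=0o755, exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    os.symlink("../../../etc/passwd", os.path.join(root, "usr/bin/link"))
    findings = audit_image(root)
    shutil.rmtree(root)
    return findings
```

This catches privilege footholds and path escapes in the image before anything runs as root; it does not inspect what the installed binaries do, which is exactly the gap Ed's reply points at and why signature verification and review of the code itself still matter.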