Re: [Fwd: [Fwd: [sudo-users] Config sudo for installation]]

FuziOK wrote:
> 
> I think it's not a good idea to use sudo to run 'make install'.
> If you write a Makefile like this:
> 
> install:
> 	rm -rf /
> 
> then
> 	%install	localhost=/usr/bin/make install
> is equal to
> 	%install	localhost=/bin/rm -rf /
> in /etc/sudoers.
> 
This is one reason to limit it to a small group or a single user.
You have to limit access to users that you would otherwise trust
with the root password. You have to use caution when installing new
software, regardless of how you install it. You can do the same type
of damage with scripts in an RPM. Remember, there can be install
scripts, remove scripts, and update scripts, and these do not show
up in the list of files provided by the RPM.

An even bigger risk is that you might be installing a suid program
that could be used to crack the system. This applies to both
installing an RPM and installing with make install.

When you are talking about using "sudo make install" as a
replacement for becoming root and running "make install", I don't
see the difference in risk. I do see it as somewhat less risky than
changing to root for the entire build process. This is especially
true when you also limit it to users logged in locally. That means
the user is not only trusted, but probably has physical access to
the machine. (He could be logged in from a serial terminal.)

It would be safer to build and test the package on a test machine,
or in a virtual machine, package it up after it passes testing, and
then install it...

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
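
The following is an added example, not part of the original message or the thread: a way to review an install step as an unprivileged user before anything runs under sudo, covering both the Makefile concern in the quoted text and the suid concern in the reply. The function names and the sample dry-run output are constructed for illustration, and the staging step assumes the package honours the DESTDIR convention.

```shell
#!/bin/sh
# Added example (not from the thread): review an install step as an
# unprivileged user before anything runs under sudo.

# flag_risky_cmds: reads `make -n install` output on stdin and prints, with
# line numbers, commands that set setuid/setgid bits or delete recursively.
# Heuristic only: it sees what the dry run prints, not what nested scripts do.
flag_risky_cmds() {
    grep -nE \
        -e 'chmod[[:space:]]+[^[:space:]]*[+=][rwxXt]*s' \
        -e 'chmod[[:space:]]+0?[2-7][0-7]{3}([[:space:]]|$)' \
        -e 'install[[:space:]].*-m[[:space:]]*0?[2-7][0-7]{3}([[:space:]]|$)' \
        -e '(^|[^[:alnum:]_])rm[[:space:]]+-[[:alnum:]]*[rR]' \
        || true
}

# list_setid_files DIR: prints regular files under DIR carrying the setuid or
# setgid bit. DIR is a staging tree, e.g. from `make DESTDIR=DIR install`
# (assumption: the package honours the DESTDIR convention).
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Constructed sample of `make -n install` output, including the command from
# the Makefile in the quoted message.
sample_dry_run() {
    cat <<'EOF'
mkdir -p /usr/local/bin
install -m 0755 tool /usr/local/bin/tool
install -o root -m 4755 helper /usr/local/bin/helper
chmod u+s /usr/local/bin/helper2
rm -rf /
cp doc/tool.1 /usr/local/share/man/man1/
EOF
}

# Print the flagged lines of the constructed sample.
sample_dry_run | flag_risky_cmds
```

On a real source tree the input would come from `make -n install | flag_risky_cmds`, run without sudo. A clean result does not make the package trustworthy; it only shows what the dry run printed.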

