<br><font size=2 face="sans-serif">Here is a proof that I was right to
believe. On Ubuntu:</font>
<br><font size=2 face="sans-serif">http://www.youtube.com/watch?v=D4fzInlyYQo</font>
<br>
<br><font size=2 face="sans-serif">Regards,<br>
Colin Pitrat<br>
</font>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=62%><font size=1 color=white face="sans-serif"><b>Thomas Bächler
&lt;thomas@archlinux.org&gt;</b> </font>
<table width=100%>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td><font size=1 face="sans-serif">General Discusson about Arch Linux &lt;arch-general@archlinux.org&gt;</font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td><font size=1 face="sans-serif">Re: [arch-general] makepkg running as
root</font></table>
<br>
<br>
<td width=7%>
<td width=30%><font size=1 face="sans-serif"><b>Thomas Bächler &lt;thomas@archlinux.org&gt;</b>
</font>
<p><font size=2 face="sans-serif">Please respond to : </font><font size=1 face="sans-serif">General
Discusson about Arch Linux &lt;arch-general@archlinux.org&gt;</font>
<p><font size=1 face="sans-serif">Sent by: arch-general-bounces@archlinux.org
</font>
<br><font size=1 face="sans-serif">22/01/2008 11:06</font></table>
<br>
<br>
<br><tt><font size=2>Jan de Groot wrote:<br>
>> Just think of what this would do as root in a PKGBUILD:<br>
>><br>
>> build() {<br>
>> echo "You've been pwned!!!"<br>
>> rm -rf /<br>
>> }<br>
>><br>
> <br>
> Be sure to check .install files too. They can also contain rm -rf
/ in post_install, those are executed by root when you install the package
;)<br>
<br>
You guys DO know that 'rm -rf /' is a harmless command that simply exits<br>
with an error message? You should use 'rm -rf /*' to kill someone's system.<br>
<br>
However, the problem with makepkg as root can be more subtle: If a<br>
broken PKGBUILD or Makefile installs files into / instead of<br>
${startdir}/pkg, files will be missing in your package. However, you<br>
will not notice it, as the files are present in your system, and there<br>
won't be any error messages during the build process.<br>
<br>
I met a user on IRC once who claimed his PKGBUILD and the resulting<br>
package were fine, but the package was indeed empty, instead makepkg<br>
installed all files directly into his system - these files were now<br>
unknown to pacman.<br>
<br>
Worst case (apart from a malicious PKGBUILD) is that you overwrite<br>
critical system configuration files or libraries and render your system<br>
unusable.<br>
<br>
[attachment "signature.asc" deleted by Colin Pitrat/NCE/AMADEUS]
</font></tt>
<br>
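<p>The subtle failure described in the message above (a build that writes into / instead of ${startdir}/pkg and leaves an empty package without any error) can be caught by wrapping the build step. This is an added example, not code from the thread or from makepkg; the function names, exit codes and the watch-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a build step. All function names are hypothetical.

# Refuse to build when the given uid is root. Pass "$(id -u)" in real use.
check_build_uid() {
    [ "$1" -ne 0 ] || { echo "refusing to build as root" >&2; return 1; }
}

# Print files under $1 (directory to watch, e.g. /usr or /etc) modified
# after the timestamp file $3, skipping the staging directory $2
# (e.g. ${startdir}/pkg). $2 must be spelled with the same prefix as $1.
changed_outside_pkgdir() {
    find "$1" -path "$2" -prune -o -type f -newer "$3" -print | sort
}

# Fail when the staging directory holds no files (an empty package).
check_pkgdir_not_empty() {
    [ -n "$(find "$1" -type f -print 2>/dev/null | head -n 1)" ] || {
        echo "staging directory $1 is empty" >&2; return 1; }
}

# audit_build WATCH_DIR PKGDIR UID COMMAND [ARGS...]
# Returns 1: root uid, 2: files changed outside PKGDIR, 3: empty PKGDIR,
# otherwise the exit status of COMMAND.
audit_build() {
    watch=$1 pkgdir=$2 uid=$3; shift 3
    check_build_uid "$uid" || return 1
    stamp=$(mktemp) || return 1
    sleep 1    # so files written by the build are strictly newer than the stamp
    build_rc=0
    "$@" || build_rc=$?
    escaped=$(changed_outside_pkgdir "$watch" "$pkgdir" "$stamp")
    rm -f "$stamp"
    [ "$build_rc" -eq 0 ] || return "$build_rc"
    if [ -n "$escaped" ]; then
        echo "files written outside $pkgdir:" >&2
        echo "$escaped" >&2
        return 2
    fi
    check_pkgdir_not_empty "$pkgdir" || return 3
}
```

As a non-root user most writes outside the staging directory fail outright, so the timestamp check mainly matters for directories the build user can write to; the empty-package check applies in every case.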