[CentOS] Building packages using RPMBUILD

Fri Dec 17 13:01:54 UTC 2010
Nico Kadel-Garcia <nkadel at gmail.com>

On Thu, Dec 16, 2010 at 3:49 PM, Leonard den Ottolander
<leonard at den.ottolander.nl> wrote:
> Hello Nico,
>
> On Thu, 2010-12-16 at 15:20 -0500, Nico Kadel-Garcia wrote:
>> On Thu, Dec 16, 2010 at 11:00 AM, Leonard den Ottolander
>> > /usr/src/redhat and sub dirs are owned root.root. If you want to build
>> > as a normal user (and you should!) you should fix the ownership of those
>> > directories.
>>
>> NO. Never do this.
>
> Why would that be a problem?
>
> Regards,
> Leonard.

There are easily half a dozen reasons. The first one is that this is
where root runs their builds: if you leave it with write permission
for other users, they can replace components behind your back. Worse,
they can replace the .spec file, so when software is built, it runs as
the root user. Since various components do rely on RPM rebuilding,
such as HP's "Proliant Service Pack", it inserts a great glaring
vulnerability to leverage when the rebuild occurs.

Second, if you open the permissions there, multiple users can step on
each other building similar packages at the same time, especially if
they happen to be different versions of the same software.

The third reason is that "/usr" is typically of modest size, and
leaving it open for RPM development can lead to many gigabytes of
inappropriate debris scattering it. Many modern systems have a much
larger /usr than they used to, but having to allocate that much extra
space for compilation efforts may cause other interesting resource
allocation problems. And overflowing /usr can cause very serious
problems indeed.
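A defensive way to act on the advice above, added here as an example and not part of the original thread: a POSIX shell script that audits a build tree for files or directories writable by others (or not owned by the expected user), and sets up a private per-user build tree by writing `%_topdir` into a macros file (normally `~/.rpmmacros`). The function names are my own; `%_topdir` and `~/.rpmmacros` are the standard rpm mechanism.

```shell
#!/bin/sh
# Audit an RPM build tree for the problem described in the thread: anything
# writable by users other than the intended owner lets them swap in a
# different .spec, patch or tarball before the next rebuild runs as root.
# Usage: audit_build_tree <topdir> [expected_owner]   (owner defaults to root)
# Returns 0 when clean, 1 otherwise; offending paths are printed one per line.
audit_build_tree() {
    topdir=$1
    owner=${2:-root}
    [ -d "$topdir" ] || { echo "no such directory: $topdir" >&2; return 1; }
    # -perm -002: writable by "other"; ! -user: owned by someone else.
    # Symlinks are skipped because lstat reports them as mode 0777.
    bad=$(find "$topdir" ! -type l \
               \( -perm -002 -o ! -user "$owner" \) -print 2>/dev/null)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Build as an unprivileged user in a private tree instead of /usr/src/redhat.
# Creates the standard subdirectories under <topdir>, locks the tree to
# mode 0700, and writes "%_topdir <topdir>" into <macros_file>.
# Usage: setup_user_topdir <topdir> <macros_file>
setup_user_topdir() {
    topdir=$1
    macros=$2
    for d in BUILD RPMS SOURCES SPECS SRPMS; do
        mkdir -p "$topdir/$d" || return 1
    done
    chmod 700 "$topdir" || return 1
    printf '%%_topdir %s\n' "$topdir" > "$macros" || return 1
}

# Example usage for a real account (hypothetical paths; run by the user):
#   setup_user_topdir "$HOME/rpmbuild" "$HOME/.rpmmacros"
#   audit_build_tree /usr/src/redhat root
```

After `setup_user_topdir`, `rpmbuild -ba SPECS/foo.spec` as that user picks up the private tree automatically, leaving /usr/src/redhat untouched.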