At Thu, 16 Dec 2010 21:26:19 +0000 (GMT) CentOS mailing list <centos at centos.org> wrote:

>
> On Thu, 16 Dec 2010, m.roth at 5-cent.us wrote:
>
> > To: CentOS mailing list <centos at centos.org>
> > From: m.roth at 5-cent.us
> > Subject: Re: [CentOS] Building packages using RPMBUILD
> >
> > Leonard den Ottolander wrote:
> >> Hello Nico,
> >>
> >> On Thu, 2010-12-16 at 15:20 -0500, Nico Kadel-Garcia wrote:
> >>> On Thu, Dec 16, 2010 at 11:00 AM, Leonard den Ottolander
> >>>> /usr/src/redhat and sub dirs are owned root.root. If you want to build
> >>>> as a normal user (and you should!) you should fix the ownership of
> >>>> those directories.
> >>>
> >>> NO. Never do this.
> >>
> >> Why would that be a problem?
> >
> > One possibility: suppose someone cracks in as the user that owns those
> > directories. They could then install whatever they want in there... and
> > the next time you built and installed something, it could carry their
> > payload.
>
> That's a good point, but if they get in as root, they can
> access any build branch they want to, under any user
> account.

If they get in as root, you are totally hosed and probably need to do a
wipe and re-install.

>
> Keith
>

--
Robert Heller -- 978-544-6933 / heller at deepsoft.com
Deepwoods Software -- http://www.deepsoft.com/
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments