[CentOS] trouble building an rpm

Tue Sep 13 10:53:46 UTC 2011
Peter Kjellström <cap at nsc.liu.se>

On Tuesday, September 13, 2011 11:20:57 AM John Doe wrote:
> From: Peter Kjellström <cap at nsc.liu.se>
> 
> > It's not a good idea to build rpms as root (unless in a throw-away vm).
> > Build as user or even better using mock.
> 
> Am I missing something or building an rpm as a non-root user for security
> reason won't do much when, in the end, the rpm will be installed as
> root...? Apart from protecting the rpm building host.

It is true that if you're looking only at the security aspect of hadling a 
malicious rpm then it won't buy you that much. It will still however:

 * Keep the rest of the rpms that build-server did safe
 * Delay the effect one step (you can pick up the malicious binary rpm when
   testing, before deploying).

That said the main reason probably isn't malicious (src)rpms but broken ones. 
A spec file can easily contain bugs that will change/corrupt/break your build 
machine (and still produce a valid binary rpm).

In the end it's kind of like running your gnome as root. You can do it but 
common sense and the complexity of the system tells you not to.

/Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.centos.org/pipermail/centos/attachments/20110913/f23168a7/attachment-0004.sig>