[CentOS] I want to ask about some Kernel level operations.

Thu Jan 2 14:21:25 UTC 2014
Johnny Hughes <johnny at centos.org>

On 01/01/2014 06:25 PM, Eliezer Croitoru wrote:
> Hey John,
>
> Thanks!
>
> On 02/01/14 02:14, John R Pierce wrote:
>> Its the principle of least privilege.
>>
>> You don't need to be root to compile software, or to test software in a
>> local directory, you only need root privileges to install it to a system
>> directory.   When you're developing, building, testing software, there's
>> a very good chance of something going wrong, so if you are running as a
>> non-root user, the potential damages are minimized.
> OK so as long as I can understand the meaning of compiling as non-root 
> user is to be careful with your system.
>
> I would say that my conclusion is that if there is a very big system it 
> is better to let the root user which understand the meaning of this 
> system and to operate it.
>
> A simple testing machine which has error correction mechanism in it 
> should be OK.
>
> I can see couple issues from my mind and vision but it seems like most 
> software in CentOS will be safe to be compiled as root user.(I am 
> testing a tiny simple piece of software)
>
> To corrupt a system in a level which it cannot be recognized that you 
> have changed it you must be something like GOD or something in the same 
> level.

Things like, if the RPM does not properly config the target during the
build, instead of installing into $RPM_BUILDROOT and trying to package
up the RPM, it might install it to /usr/lib/ accidentally, etc.

Some software is written poorly.

If we are talking CentOS / Red Hat / Fedora type packages then most of
the time nowadays those SRPMs should be built inside of mock anyway to
get a clean buildroot.
 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20140102/e38880fb/attachment-0005.sig>