On 25 Oct, 2006, alex@crackpot.org chatted thus:
> When building various packages from source, I'm a little unclear on
> why I should or should not be root. I'm looking for input from folks

If the process doesn't require being root, you shouldn't be root.

The compilers work for non-root users, so you don't need to be root :).

Binaries should be compiled by a trusted person. That trusted person
should not be running as root.

Once the binaries are built the ownership can be changed to what it needs
to be and then they can be put in place. Most packages have a 'make
install' that performs those steps.

You only need read perms on the source files to compile. You might need
execute perms on a few scripts used to build the packages.

You do need write perms on the directories where the binaries are built.

It's been a while since I've worried (I just build in my home dir the
few packages that I build from source), but I believe there's a common
mechanism to say "build stuff over there" such that you can get sources
from a read-only environment and put the output from the build process
somewhere else.

ciao,

der.hans

> on this question, primarily from a security point of view, but all
> comments are appreciated.
>
> When I was first learning Linux, I did everything as root. Then I
> read in various places "you don't need to be root to compile
> something, just to install it. never compile as root". So that's
> what I started doing. I had my normal user account owning the source
> files, with write permission in /usr/local/src.
>
> It makes sense to me to do as little as possible as root. At the
> least, it means that if I fat-finger something the damage will be
> contained. I imagine there are probably other issues I'm not aware of,
> but always doing things with as few privileges as necessary seems like
> a good idea.
>
> Now I'm wondering if this is the 'right' way to do things. For things
> like Apache, wouldn't it be safer if the source files were owned by
> root rather than by me? Or doesn't it make any difference? On both
> RedHat and Debian, /usr/local/src comes owned by root:root, and is
> chmoded 755. That seems to say 'nobody but root should write here'.
>
> What do y'all think?
>
> alex
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
--
# https://www.LuftHans.com/ http://www.CiscoLearning.org/
# Sysadmin Days Phoenix, 6-7 Nov, now with edu discount https://LOPSA.org/
# Only wimps use tape backup: _real_ men just upload their important
# stuff on ftp, and let the rest of the world mirror it. -- Linus Torvalds
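
The layout described in the reply above (unprivileged builder, read-only sources, a separate writable build directory), written as a preflight check. This is an added example, not part of the original message; the function name `check_build_layout` and the paths in the comments are hypothetical, and the usage comment assumes an autoconf-style package that supports being configured from another directory.

```shell
#!/bin/sh
# check_build_layout SRC BUILD [UID]   (hypothetical helper, added example)
# Returns 0 only if the caller is not root, nothing under SRC carries a
# write bit, and BUILD is a writable directory outside SRC.
check_build_layout() {
    src=$1 build=$2 uid=${3:-$(id -u)}

    if [ "$uid" -eq 0 ]; then
        echo "refusing: build as an unprivileged user, not root" >&2
        return 1
    fi

    # Resolve both paths so symlinks and ".." cannot hide an overlap.
    src=$(cd "$src" 2>/dev/null && pwd -P) || { echo "no source dir" >&2; return 1; }
    build=$(cd "$build" 2>/dev/null && pwd -P) || { echo "no build dir" >&2; return 1; }

    case "$build/" in
        "$src"/*) echo "refusing: build dir is inside the source tree" >&2
                  return 1 ;;
    esac

    # Mode-based test (owner, group or other write bit), so the result does
    # not depend on who runs the check. Symlinks are skipped because their
    # own mode bits are not meaningful.
    writable=$(find "$src" ! -type l \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print | head -n 1)
    if [ -n "$writable" ]; then
        echo "refusing: source is not read-only: $writable" >&2
        return 1
    fi

    [ -w "$build" ] || { echo "refusing: cannot write to $build" >&2; return 1; }
    return 0
}

# Typical use (placeholder paths; assumes the package can be configured
# from a directory other than its source tree):
#   check_build_layout /usr/local/src/pkg "$HOME/build/pkg" &&
#     cd "$HOME/build/pkg" && /usr/local/src/pkg/configure && make
#   # root is needed only for the final step: make install
```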