scsh-users

Re: scsh-install-pkg: build and install

To: Michel Schinz <Michel.Schinz@epfl.ch>
Subject: Re: scsh-install-pkg: build and install
From: Lionel Elie Mamane <lmamane-scsh@conuropsis.org>
Date: Mon, 18 Oct 2004 07:46:10 +0200 (MST)
Cc: scsh-users@scsh.net, lmamane-scsh@conuropsis.org
List-id: <scsh-users.list-id.scsh.net>
Reply-to: lmamane-scsh@conuropsis.org
Sender: Lionel Elie Mamane <master@tofu.mamane.lu>
(Sorry I took so long to react. Don't hesitate to email me privately
 on lmamane-scsh@conuropsis.org for all matters of scsh-Debian
 relations.)

On Tue, Oct 05, 2004 at 07:21:39AM +0200, Michel Schinz wrote:

>> It all went very smooth and easy, the only slight annoyance was
>> that scsh-install-pkg does not allow me to *compile* stuff as
>> non-root and afterwards *install* it as root.

> This could be added, but I first need to be convinced that this is
> indeed necessary, which I'm not really right now :-).

For what it is worth, it is a prerequisite to be in (a released
version of) Debian: according to Debian rules, the package must
configure and compile as non-root in one step and install (as root to
have the right file owners) in a separate step. See
http://www.debian.org/doc/debian-policy/ch-source.html#s-debianrules
for reference (the "build" and "binary" targets). Because these
requirements are "should"/"must" requirements, not conforming to it is
a "Release Critical" bug; meaning Debian doesn't release until this
bug disappears, for example by removing the package.

Here is how the life of a Debian package works in the configure /
make / make install model:

 - ./configure --prefix=/usr --... && make

   So that hard-coded build-time paths are correct and match the final
   install paths.

 - make install prefix=${PWD}/debian/foo

   As root so that the owner of the files is the right one. (Most
   builders actually use a hack called "fakeroot" here; it is a
   preloaded library that simulates root access by overriding libc and
   system calls. In this way, they don't need to *really* be root on
   the machine.)

 - take the tree at ${PWD}, put it in a .deb.

 - upload the .deb to the debian FTP

 - user downloads it and installs the .deb as root.

The first two steps are completely manual; the package maintainer
writes those commands in a makefile, so we have total freedom
there. The other steps are completely automatic and fixed, there is no
control over them. While they are conceptually equivalent to "tar c"
and "tar x", it is not possible to e.g. add "--no-same-owner" to the
"tar x".

>> This is both a potential security hazard

> I don't really buy this, for two reasons:

> 1. Nothing forces you to perform installation as root.

Unless you change rpm and dpkg, in this case one must; these are
automatic tools that expect it.

> 2. If you are really worried about malicious code, then you should
>    read the *whole* makefile, *and* the whole source code of the
>    program anyway, because even as somebody else than root it can do
>    nasty stuff.

That's if you take security from an everything-or-nothing
perspective. Security is a trade-off: You do what you can do, you put
up the barriers that you can at a reasonable cost. Security is also not
only protection against malicious people; it is also protection against
honest errors. So building as non-root protects against honest errors
in the build phase of the Makefile. That's protection worth having.

-- 
Lionel
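The two-step flow described in the message (configure and build with the final prefix as a normal user, then a staged install into the debian/foo tree), as an added example that is not part of the thread or of scsh-install-pkg. It replaces configure/make with a constructed toy "project" in plain sh; the function names, the staging path guard and the toy script are assumptions of this example. In the real flow the install step would run under fakeroot so the staged files get root ownership.

```shell
#!/bin/sh
# Added example (not from the thread): Debian-style build/install split on a
# constructed toy project, written in plain sh instead of configure/make.
set -eu

# Build step: run as a normal user, never as root. The data dir is baked into
# the script from the configure prefix, which is why this step must use the
# final prefix (/usr) and not the staging directory.
build_step() {
    prefix=$1 builddir=$2
    mkdir -p "$builddir"
    printf '#!/bin/sh\necho "data dir: %s/share/foo"\n' "$prefix" > "$builddir/foo"
    chmod +x "$builddir/foo"
}

# Install step: copies the built tree below $staging (the debian/foo tree).
# The guard catches the "honest error" of an empty, relative or live-system
# staging path, which would otherwise write into the real /usr.
install_step() {
    builddir=$1 prefix=$2 staging=$3
    case "$staging" in
        ''|/|/usr|/usr/*) echo "refusing to install into '$staging'" >&2; return 1 ;;
        /*) ;;
        *) echo "staging dir must be absolute" >&2; return 1 ;;
    esac
    mkdir -p "$staging$prefix/bin"
    cp "$builddir/foo" "$staging$prefix/bin/foo"
}

# Check on the staged result: the installed script carries the final prefix
# (/usr/share/foo) and the staging path itself leaked into nothing.
staged_path_ok() {
    staging=$1 prefix=$2
    f="$staging$prefix/bin/foo"
    [ -x "$f" ] || return 1
    grep -q "$prefix/share/foo" "$f" || return 1
    ! grep -q "$staging" "$f"
}
```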
