You are not logged in.

#1 2014-07-06 08:27:44

technolog
Member
From: Europe / Slovenia / Grosuplje
Registered: 2012-01-28
Posts: 117

AUR building security

I use AUR and PKGBUILDs often and I'm wondering whether I should be using a separate user for building the packages?

Till now, I have assumed makepkg has all the security precautions in-built.

Offline

#2 2014-07-06 08:35:07

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: AUR building security

Not a Sysadmin issue: moving to AUR Issues...


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#3 2014-07-06 11:54:53

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: AUR building security

technolog,

given that pkgbuilds  are bash scripts, there are lots of POTENTIAL security issues.
an option to reduce the risks somewhat is indeed to build as a separate user.
building in a chroot further reduces the risks.

However , keep in mind that after building you will install the package as root.
IMO building as another user / in chroot only increases protection against errors / malicious statements in the PKGBUILD, but does nothing to protect against malicious code in the installed program.

Personally i build as my normal user, but check every PKGBUILD before i run makepkg on it.
I also verify the source urls, if i feel they are suspect i don't build it.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#4 2014-07-06 16:56:30

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,163
Website

Re: AUR building security

Lone_Wolf wrote:

Personally i build as my normal user, but check every PKGBUILD before i run makepkg on it.
I also verify the source urls, if i feel they are suspect i don't build it.

Same here. I build with my own user.

There is this tutorial for building 32bit packages in 64bit environments which could probably be adapted to building 64bit packages in a chroot environment.


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository

Offline

Board footer

Powered by FluxBB