
#1 2014-07-06 08:27:44

technolog
Member
From: Europe / Slovenia / Grosuplje
Registered: 2012-01-28
Posts: 116

AUR building security

I use AUR and PKGBUILDs often and I'm wondering whether I should be using a separate user for building the packages?

Till now, I have assumed makepkg has all the security precautions in-built.


#2 2014-07-06 08:35:07

jasonwryan
Forum & Wiki Admin
From: .nz
Registered: 2009-05-09
Posts: 18,105

Re: AUR building security

Not a Sysadmin issue: moving to AUR Issues...


Arch + dwm   •   Mercurial repos  •   Github

Registered Linux User #482438


#3 2014-07-06 11:54:53

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 4,048

Re: AUR building security

technolog,

Given that PKGBUILDs are bash scripts, there are lots of POTENTIAL security issues.
An option to reduce the risks somewhat is indeed to build as a separate user.
Building in a chroot further reduces the risks.

However, keep in mind that after building you will install the package as root.
IMO building as another user / in a chroot only increases protection against errors / malicious statements in the PKGBUILD, but does nothing to protect against malicious code in the installed program.

Personally I build as my normal user, but check every PKGBUILD before I run makepkg on it.
I also verify the source URLs; if I feel they are suspect I don't build it.


Booting with apg Openrc, NOT systemd.
Automounting : not needed, i prefer pmount
Aur helpers : makepkg + my own local repo === rarely need them
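As an added example (not code from this thread, and not from makepkg or any Arch tool), here is a small review helper along the lines of Lone_Wolf's routine above: it reads a PKGBUILD as plain text, without sourcing it, and lists the items a reviewer would look at before running makepkg. The file name `review_pkgbuild.sh`, the sample PKGBUILD used to exercise it, and the set of patterns it flags (non-TLS source URLs, SKIP or missing checksums, an `install=` script, curl/wget/sudo inside the build functions) are this example's own choices, not makepkg rules.

```shell
#!/bin/sh
# Added example (not code from the thread): a pre-makepkg review helper in
# the spirit of Lone_Wolf's "check every PKGBUILD, verify the source URLs"
# routine. It reads the PKGBUILD as text and never sources it, because
# sourcing a PKGBUILD executes it. The checks below are this example's own
# heuristics, not anything makepkg itself enforces.

# Print the entries of an array assignment such as source=( ... ),
# including arch-specific variants (source_x86_64) and multi-line arrays.
pkgbuild_array() {   # $1 = PKGBUILD path, $2 = array name
    awk -v name="$2" '
        !inarr && $0 ~ ("^[[:space:]]*" name "(_[A-Za-z0-9_]+)?=\\(") {
            inarr = 1
            sub(/^[^(]*\(/, "")                 # drop "name=(" from this line
        }
        inarr {
            line = $0
            if (index(line, ")") > 0) {         # closing paren ends the array
                sub(/\).*/, "", line)
                inarr = 0
            }
            sub(/(^|[[:space:]])#.*/, "", line) # drop trailing bash comments
            gsub(/["'"'"']/, "", line)          # drop single and double quotes
            n = split(line, parts, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
        }' "$1"
}

# Print review findings for one PKGBUILD. Exit status 0 = nothing flagged.
review_pkgbuild() {
    f="$1"
    findings=0

    # 1. Sources fetched without TLS can be tampered with in transit.
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        url="${entry#*::}"                      # strip optional "filename::" prefix
        case "$url" in
            http://*|ftp://*|git://*|git+http://*|hg+http://*|svn://*)
                printf 'source fetched without TLS: %s\n' "$url"
                findings=$((findings + 1)) ;;
        esac
    done <<EOF
$(pkgbuild_array "$f" source)
EOF

    # 2. Checksums: a missing array or SKIP entries mean makepkg will not
    #    verify what it downloaded.
    nsrc=$(pkgbuild_array "$f" source | grep -c . || true)
    sums=$(for a in md5sums sha1sums sha224sums sha256sums sha384sums sha512sums b2sums; do
               pkgbuild_array "$f" "$a"
           done)
    nsums=$(printf '%s\n' "$sums" | grep -c . || true)
    nskip=$(printf '%s\n' "$sums" | grep -cx SKIP || true)
    if [ "$nsrc" -gt 0 ] && [ "$nsums" -eq 0 ]; then
        printf 'no checksum array for %s source entries\n' "$nsrc"
        findings=$((findings + 1))
    fi
    if [ "$nskip" -gt 0 ]; then
        printf '%s checksum entries are SKIP (not verified by makepkg)\n' "$nskip"
        findings=$((findings + 1))
    fi

    # 3. An install script runs as root at pacman -U time, so a separate
    #    build user or a chroot gives no protection against it.
    script=$(sed -n 's/^[[:space:]]*install=//p' "$f" | head -n 1)
    if [ -n "$script" ]; then
        printf 'install script declared (runs as root on install): %s\n' "$script"
        findings=$((findings + 1))
    fi

    # 4. Network fetches or privilege escalation inside build()/package()
    #    bypass the source array and its checksums entirely.
    hits=$(grep -En '(^|[^[:alnum:]_])(sudo|curl|wget)([^[:alnum:]_]|$)' "$f" \
           | grep -Ev '^[0-9]+:[[:space:]]*#' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" \
          | sed 's/^\([0-9]*\):[[:space:]]*/network or privilege use at line \1: /'
        findings=$((findings + $(printf '%s\n' "$hits" | grep -c .)))
    fi

    [ "$findings" -eq 0 ]
}

# Usage: sh review_pkgbuild.sh /path/to/PKGBUILD   (then decide whether to run makepkg)
if [ $# -gt 0 ]; then
    review_pkgbuild "$1"
fi
```

Because the script only inspects text, it cannot see what a PKGBUILD computes at run time (a URL assembled from variables, an `eval`), so it supplements reading the file rather than replacing it. And, as Lone_Wolf says, neither this check nor a separate build user says anything about the code inside the package once pacman installs it as root.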


#4 2014-07-06 16:56:30

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,147

Re: AUR building security

Lone_Wolf wrote:

Personally I build as my normal user, but check every PKGBUILD before I run makepkg on it.
I also verify the source URLs; if I feel they are suspect I don't build it.

Same here. I build with my own user.

There is this tutorial for building 32-bit packages in 64-bit environments, which could probably be adapted to building 64-bit packages in a chroot environment.


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository

