[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: security vs. configure
|
From: |
Lars J. Aas |
|
Subject: |
Re: security vs. configure |
|
Date: |
Tue, 24 Apr 2001 13:02:55 +0200 |
|
User-agent: |
Mutt/1.2.5i |
On Mon, Apr 23, 2001 at 09:15:20PM -0400, Eric Siegerman wrote:
: On Mon, Apr 23, 2001 at 10:14:16PM +1000, Michael Still wrote:
: > How many people use make dist though? My thinking was based on the fact
: > that the configure script is the bit that people seem to be concerned
: > about the most, because it is the first instance of some code being
: > blindly run.
:
: Just because it's the first instance doesn't make it the only
: instance. People who sweat more about configure viruses than
: about hacked package source are ... confused. The two are
: instances of the same problem, and thus equally dangerous.
You can usually do the whole configure/build process as a nobody-user;
only "make install" has to run as a privileged user (and root is only
needed in some special cases). The danger is therefore greatest when it
comes to the integrity of the software you are installing, and second to
that the Makefile install-rules.
Lars J