On Fri, 9 Feb 2024, Siddhesh Poyarekar wrote:

> For privilege management we could add a --allow-root driver flag that allows
> gcc to run as root. Without the flag one could either outright refuse to run
> or drop privileges and run. Dropping privileges will be a bit tricky to
> implement because it would need a user to drop privileges to and then there
> would be the question of how to manage file access to read the compiler input
> and write out the compiler output. If there's no such user, gcc could refuse
> to run as root by default. I wonder though if from a security posture
> perspective it makes sense to simply discourage running as root all the time
> and not bother trying to make it work with dropped privileges and all that.
> Of course it would mean that this would be less of a "project"; it'll be a
> simple enough patch to refuse to run until --allow-root is specified.
I think disallowing running as root would be a big problem in practice - the
typical problem case is when people build software as non-root and run "make
install" as root, and for some reason "make install" wants to (re)build or
(re)link something.

-- 
Joseph S. Myers
josmy...@redhat.com
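The mechanism being debated above, written out as an added illustration; this is not code from the thread or from GCC. It is a small driver stub that implements the --allow-root policy Siddhesh describes (refuse when running as root unless the flag is given, or drop to a configured unprivileged user), does the privilege drop in the order that actually makes it permanent, and then performs the input-readable / output-writable check he points out the dropped-privilege variant would need. The environment variable COMPILER_DROP_USER, the function names and the diagnostic text are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* What the driver should do given its effective uid. */
enum root_policy { RP_RUN_AS_IS, RP_REFUSE, RP_DROP_PRIVS };

/* Pure policy decision: not root, or --allow-root given -> run normally;
 * root with an unprivileged user configured -> drop to it;
 * root with no such user -> refuse (the "simple patch" variant). */
enum root_policy decide_root_policy(uid_t euid, int allow_root,
                                    const char *drop_user)
{
    if (euid != 0 || allow_root)
        return RP_RUN_AS_IS;
    if (drop_user != NULL && drop_user[0] != '\0')
        return RP_DROP_PRIVS;
    return RP_REFUSE;
}

/* Remove every "--allow-root" from argv in place so later stages never see
 * it. Returns 1 if the flag was present. */
int consume_allow_root(int *argc, char **argv)
{
    int found = 0, out = 1;
    for (int in = 1; in < *argc; in++) {
        if (strcmp(argv[in], "--allow-root") == 0) {
            found = 1;
            continue;
        }
        argv[out++] = argv[in];
    }
    argv[out] = NULL;
    *argc = out;
    return found;
}

/* Permanently drop root to NAME: supplementary groups first, then gid, then
 * uid, then verify root cannot be regained. Returns 0 on success, -1 on any
 * failure (including NAME resolving to uid 0). */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL || pw->pw_uid == 0)
        return -1;
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0)
        return -1;
    /* If setuid(0) succeeds here the drop was not permanent. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    return 0;
}

/* The file-access question: after the drop, the input must still be
 * readable and the output location writable by the new uid. */
int io_still_accessible(const char *input, const char *output_dir)
{
    return access(input, R_OK) == 0 && access(output_dir, W_OK) == 0;
}

int main(int argc, char **argv)
{
    int allow_root = consume_allow_root(&argc, argv);
    const char *drop_user = getenv("COMPILER_DROP_USER"); /* assumed name */

    switch (decide_root_policy(geteuid(), allow_root, drop_user)) {
    case RP_REFUSE:
        fprintf(stderr, "driver: refusing to run as root; "
                        "pass --allow-root to override\n");
        return 1;
    case RP_DROP_PRIVS:
        if (drop_to_user(drop_user) != 0) {
            fprintf(stderr, "driver: cannot drop privileges to %s: %s\n",
                    drop_user, strerror(errno));
            return 1;
        }
        if (argc > 1 && !io_still_accessible(argv[1], ".")) {
            fprintf(stderr, "driver: %s unreadable or output dir "
                            "unwritable as uid %u\n",
                    argv[1], (unsigned)geteuid());
            return 1;
        }
        break;
    case RP_RUN_AS_IS:
        break;
    }
    printf("driver: would compile %s as uid %u\n",
           argc > 1 ? argv[1] : "(nothing)", (unsigned)geteuid());
    return 0;
}
```

Run as root without --allow-root and without COMPILER_DROP_USER set, the stub exits 1 with the refusal message, which is the behaviour Joseph's "make install" objection is about: a root-run relink during install would fail unless the build system passes the flag. The access() check after the drop is the practical gap Siddhesh raises: sources and an output directory owned by root are typically not readable or writable by the drop-to user.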