On Fri, 9 Feb 2024, Siddhesh Poyarekar wrote:

> > I think disallowing running as root would be a big problem in practice -
> > the typical problem case is when people build software as non-root and run
> > "make install" as root, and for some reason "make install" wants to
> > (re)build or (re)link something.
>
> Isn't that a problematic practice though? Or maybe have those invocations be
> separated out as CC_ROOT?
Ideally dependencies would be properly set up so that everything is built in the original build, and ideally there would be no need to relink at install time (I'm not sure of the exact circumstances in which it might be needed, or on what OSes, to e.g. encode the right library paths in final installed executables). In practice I think it's common for some building to take place at install time.

There is a more general principle here of composability: it's not helpful for being able to write scripts or makefiles combining invocations of different utilities and have them behave predictably if some of those utilities start making judgements about whether it's a good idea to run them in a particular environment rather than just doing their job independent of irrelevant aspects of the environment. The semantics of invoking "gcc" have nothing to do with whether it's run as root; it should never need to look up what user it's running as at all.

(And it's probably also a bad idea for lots of separate utilities to gain their own ways to run in a restricted environment, for similar reasons; rather than teaching "gcc" a way to create a restricted environment itself, ensure there are easy-to-use, more general utilities for running arbitrary programs on untrusted input in a contained environment.)

-- 
Joseph S. Myers
josmy...@redhat.com