[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Why use fakeroot when compiling kernel?

On Sat, Jun 23, 2001 at 10:08:26AM -0600, ray p wrote:
> IMO and many will tell me I'm wrong. tools like sudo and fakeroot make sense on a large system where you have to give more than one person root rights for some things but do not want to give them this power for everything. On a system where there is only one person who can do everything root needs to do I think they introduce just one more way to get root or at least part of root. I will admit that I know more about sudo and not so much about fakeroot.

First off, sudo and fakeroot are quit distinct:

* sudo does give you real root power, but only for a limited set of
  programs. Break out of such a program and you *are* root!

* fakeroot cleverly trics many a program in believing to be root, but
  all it does is intercept some system calls, and pretend to be root.
  Like when the program asks for its id it gets 0, but try to really
  *use* root power will learn that you actually still are who you are,
  and not really root afterall.

Second, whenever someone does something as root, he might end up
ruining his machine. The famous "rm -r *", or stumbling on a trojan
when reading mail or whatever. Most of us are mere humans, so we are
subject to fatitude, we err, we mess up. Harsh experience has tought
us elders that it's wise, very wise to refrain from being root and try
to do whatever we need to do with as little privelidges as possible.

But now and again you really need to be root, so set it up that you're
root only for the duration of the action that needs the root power.
This is excactly how secure programs are made, they drop root
privelidge as soon as possible! This is where suid/sgid versus sudo-ed
programs enter the picture. On a small system you might get away with
using suid/sgid, but the first child/spouse/hacker to visit your
cherished machine could easily do things you rather not have done:)
Better to keep powerfull programs to root only, and with sudo allow
selected persons to use only those programs you deem fit for them.

Don't know why debians package builder needs to be root, but given that
it suffices to fake root, fakeroot is the way to go:)

groetjes, carel

Reply to: