On 2024-02-09 12:14, Joseph Myers wrote:
On Fri, 9 Feb 2024, Siddhesh Poyarekar wrote:
For privilege management we could add a --allow-root driver flag that allows
gcc to run as root. Without the flag one could either outright refuse to run
or drop privileges and run. Dropping privileges will be a bit tricky to
implement because it would need a user to drop privileges to and then there
would be the question of how to manage file access to read the compiler input
and write out the compiler output. If there's no such user, gcc could refuse
to run as root by default. I wonder though if from a security posture
perspective it makes sense to simply discourage running as root all the time
and not bother trying to make it work with dropped privileges and all that.
Of course it would mean that this would be less of a "project"; it'll be a
simple enough patch to refuse to run until --allow-root is specified.
I think disallowing running as root would be a big problem in practice -
the typical problem case is when people build software as non-root and run
"make install" as root, and for some reason "make install" wants to
(re)build or (re)link something.
Isn't that a problematic practice though? Or maybe have those
invocations be separated out as CC_ROOT?
Thanks,
Sid
