On Tue, Apr 2, 2024 at 1:21 PM Paul Koning via Gcc <gcc@gcc.gnu.org> wrote:
>
> Would it help to require (rather than just recommend) "don't use root except 
> for the actual 'install' step" ?

Seems reasonable, but note that it wouldn't make any difference to
this attack.  The liblzma library was modified to corrupt the sshd
binary, when sshd was linked against liblzma.  The actual attack
occurred via a connection to a corrupt sshd.  If sshd was running as
root, as is normal, the attacker had root access to the machine.  None
of the attacking steps had anything to do with having root access
while building or installing the program.

Ian
