Limiting the power of package installation in Debian
Posted Nov 9, 2018 6:23 UTC (Fri) by flussence (guest, #85566)
In reply to: Limiting the power of package installation in Debian by Baughn
Parent article: Limiting the power of package installation in Debian
Ditto for Gentoo. It doesn't use a full jail, but builds are sandboxed from reading files outside of permitted paths; any naïve attempt to do so spews a very large error log and the build gets aborted. Usually that ends up tripping over buggy build systems that try to use ccache without permission.
The installation *can* run things as root after merging files, but any shady business will stick out like a sore thumb during code review, simply because needing to do so at all is so rare. It helps that things like messing with existing config and running services during package installation are culturally verboten.
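To make the sandboxing behaviour the comment describes concrete, here is a small Python model of a build-time path policy. It is an added example, not code from the comment and not Gentoo's actual sandbox implementation; the Portage-like directory names, the list of permitted roots and the trace of file accesses are all constructed for the illustration. It shows the two properties the comment relies on: accesses outside the permitted paths are denied and logged rather than silently ignored, and a single denial aborts the build. It also shows why the check must normalise paths and compare whole components, which is where a naive prefix check goes wrong.

```python
import os
from dataclasses import dataclass, field

# Constructed paths that resemble a Portage build directory layout; they are an
# assumption made for this example, not values taken from a real Gentoo system.
WORKDIR = "/var/tmp/portage/sys-apps/foo-1.0/work"
TMPDIR = "/var/tmp/portage/sys-apps/foo-1.0/temp"


def _under(path, root):
    """True if `path` is `root` itself or lies inside it, comparing whole
    path components so that "/tmp" does not cover "/tmpfiles"."""
    root = root.rstrip("/") or "/"
    return path == root or path.startswith(root + "/")


@dataclass
class BuildSandbox:
    """Model of a build-time path policy: a few permitted roots, every other
    access denied and recorded, mirroring how a sandboxed build fails loudly."""
    allowed_roots: list
    violations: list = field(default_factory=list)

    def is_allowed(self, path):
        # Normalise first: ".." segments are collapsed lexically, so a path that
        # starts inside the work dir but climbs out of it is judged by where it
        # ends up, not by how it was spelled.
        canon = os.path.normpath(path)
        return any(_under(canon, root) for root in self.allowed_roots)

    def check(self, op, path):
        """Record and deny an access outside the permitted roots."""
        if self.is_allowed(path):
            return True
        self.violations.append(f"ACCESS DENIED  {op}: {path}")
        return False


def naive_is_allowed(path, allowed_roots):
    """The check a hurried implementation might write: raw string prefix match,
    no normalisation. Kept here only to show what the proper check catches."""
    return any(path.startswith(root) for root in allowed_roots)


def run_build(sandbox, accesses):
    """Replay a list of (operation, path) pairs and return (succeeded, log).
    Every access is evaluated (no short-circuit) so the log is complete;
    the build counts as aborted if anything was denied."""
    results = [sandbox.check(op, path) for op, path in accesses]
    return all(results), list(sandbox.violations)


# Constructed trace of file accesses by a hypothetical build, in the order a
# build system might issue them.
SAMPLE_ACCESSES = [
    ("open_wr", f"{WORKDIR}/foo-1.0/config.h"),              # inside the work dir
    ("open_wr", "/tmp/foo-build.lock"),                       # /tmp is permitted
    ("open_wr", "/root/.ccache/tmp/config.o"),                # ccache dir outside the sandbox
    ("open_rd", f"{WORKDIR}/../../../../../../etc/passwd"),   # climbs out of WORKDIR via ".."
    ("mkdir",   "/tmpfiles/scratch"),                         # shares a string prefix with /tmp
]


def demo():
    """Run the constructed trace through the policy; returns (succeeded, log)."""
    sb = BuildSandbox(allowed_roots=[WORKDIR, TMPDIR, "/tmp"])
    return run_build(sb, SAMPLE_ACCESSES)


if __name__ == "__main__":
    ok, log = demo()
    print("\n".join(log))
    print("build", "succeeded" if ok else "ABORTED")
```

Running it prints three denial lines (the ccache write, the traversal read that resolves to /etc/passwd, and the mkdir under /tmpfiles) and reports the build as aborted. The `naive_is_allowed` function is included only for contrast: it accepts both the traversal and the /tmpfiles path, because it matches on raw string prefixes instead of normalised path components.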