On Fri, Jul 10, 2009 at 11:39 AM, Alessandro Doro<ordo...@gmail.com> wrote:
> ¹ Really theoretical, assuming that the user:
>  · read the PKGBUILD,
>  · trust the package source.

Yeah... I think I'd be somewhat suspicious if I saw a PKGBUILD calling sudo.

sudo -k wouldn't be very effective either. What if I run sudo
elsewhere on my system during the build process, the hole is open
again.

As long as you're running an untrusted script on your system, there's
infinitely many other possibilities. An rm -rf ~/* is pretty damaging
and doesn't need sudo.

Allesandro is spot on.

James

Reply via email to