# from David Cantrell
# on Thursday 18 October 2007 15:47:

>> That does of course mean that any user can run any command at all as
>> root, passwordlessly: all she has to do is create a makefile ...
>> [this] isn't suitable in environments where the purpose of
>> the sudoers restrictions is because you don't completely trust all
>> of your users.
>
> Nigh-on all useful applications (at least those of the sort you might
> want someone to run using sudo) have some way of executing something
> else or changing a file's contents. I treat sudo as a convenience for
> trusted users, and nothing else. If I don't trust you, you don't get
> sudo at all.
Yes. And now, from the Portland version of this discussion...

# from Michael:

> Eric Wilhelm wrote:
>> # from Michael G Schwern on Thursday 18 October 2007 10:57:
>>
>>> # Eric wrote:
>>>> Note Abigail's method of using a dedicated, unprivileged user to
>>>> install code from CPAN. Then the only files at risk are your perl
>>>> tree.
>>>
>>> That's troublesome because you then have to have different bin and
>>> man paths and make sure PATH and MANPATH are all set up and oh god
>>> the burning.
>>
>> Well, yeah. Too bad the install is done via `make install`. Perhaps
>> adding a stow step to cpan.pm or something would make that easier.
>
> The install step is configurable and I don't think there's anything
> stopping you from saying... "make install DESTDIR=/usr/local/stow &&
> stow ..."

And `sudo stow` (or xstow) might actually be safe. AFAIK, the most it
would do wrong would be to replace a symlink. (No, it is still not
bulletproof because, after all, it is installing arbitrary Perl code.)

I'm not sure I see how to set CPAN.pm to use the "&& sudo stow ..." in
the install command though. Michael, are you sure that wasn't wishful
thinking? (We could have a wrapper do it, but we can't just put an &&
in the 'make_install_make_command' and 'mbuild_install_build_command'.)

--Eric
--
A counterintuitive sansevieria trifasciata was once literalized guiltily.
--Product of Artificial Intelligence
---------------------------------------------------
http://scratchcomputing.com
---------------------------------------------------
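The wrapper Eric mentions, as an added example that is not from the thread or from CPAN.pm itself: a hypothetical `cpan-stow-install` script intended to be set as CPAN.pm's `make_install_make_command`, so the `make install` step stages into a per-distribution stow package as the unprivileged CPAN user and only the symlink step runs through sudo. It assumes GNU stow, a package directory of `/usr/local/stow`, and a Makefile generated by ExtUtils::MakeMaker.

```shell
#!/bin/sh
# cpan-stow-install (hypothetical): set as CPAN.pm's
# make_install_make_command. CPAN.pm then runs "cpan-stow-install install",
# so "$@" carries the make target(s).
# Assumed layout: stow packages live in $STOW_DIR; DESTDIR is prepended to
# every install path, so each package tree mirrors the filesystem root and
# the stow target is /.
set -e

STOW_DIR=${STOW_DIR:-/usr/local/stow}
STOW_CMD=${STOW_CMD:-sudo stow}   # only the symlink step needs root

# Derive "Dist-Name-1.23" from the DISTNAME and VERSION constants that
# ExtUtils::MakeMaker writes into the generated Makefile.
stow_pkg_name() {
    makefile=${1:-Makefile}
    dist=$(sed -n 's/^DISTNAME *= *//p' "$makefile" 2>/dev/null | head -n 1)
    ver=$(sed -n 's/^VERSION *= *//p' "$makefile" 2>/dev/null | head -n 1)
    [ -n "$dist" ] && [ -n "$ver" ] || return 1
    # refuse names that could escape $STOW_DIR or split the stow argument
    case "$dist$ver" in */*|*' '*|*..*) return 1 ;; esac
    printf '%s-%s\n' "$dist" "$ver"
}

# Stage the install under DESTDIR (no root needed), then let stow create
# the symlinks. Nothing here makes the installed Perl code itself safe;
# it only keeps the privileged step down to symlink management.
stow_install() {
    [ $# -gt 0 ] || set -- install
    pkg=$(stow_pkg_name Makefile) || {
        echo "cannot determine distribution name/version" >&2
        return 1
    }
    make "$@" DESTDIR="$STOW_DIR/$pkg"
    $STOW_CMD -d "$STOW_DIR" -t / "$pkg"
}

# run only when invoked as the script, not when sourced
case $(basename -- "$0") in
    cpan-stow-install) stow_install "$@" ;;
esac
```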