Why is it bad to build RPMs as root?

This page contains a prominent warning:

Important

Never build RPMS as root.

Why is it bad to build RPMs as root? Is it the possibility of overwriting some files? Are there file permissions problems?


Solution 1:

Badly written RPM .spec files (or even well-written ones with a typo) can do improper things such as:

  • Install directly to the running system instead of to a sandbox
  • Leave junk on the filesystem
  • Accidentally run nasty commands such as: rm -rf ${RPM_BUILD_ROOT}

There is no part of the RPM build process that actually needs root access. So, we should follow the standard procedure of "If it doesn't need root permission, it doesn't run as root" when building RPMs.

This avoids nasty accidents and surprises.
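The failure modes listed in this answer can be checked for before a build is started. The script below is an added example, not code from the answers or from the rpm project; the function names `build_allowed`, `lint_spec` and `sample_spec`, the rule names and the sample spec are constructed for illustration, and the checks are heuristics over common commands rather than a full spec parser.

```shell
#!/bin/sh
# Added example (not from the original answers): pre-build checks for a spec file.

# build_allowed [UID]: succeeds only for a non-root uid (default: the caller's).
build_allowed() { [ "${1:-$(id -u)}" -ne 0 ]; }

# lint_spec [FILE]: print "<line>:<rule>:<text>" for risky build-script lines;
# exit status is 1 when anything was flagged. Reads stdin when FILE is omitted.
lint_spec() {
  awk '
    function hit(rule) { printf "%d:%s:%s\n", NR, rule, $0; n++ }
    # Track whether we are inside a section that rpmbuild executes as shell.
    /^%(prep|build|install|check|clean)([ \t]|$)/ { s = 1; next }
    /^%(files|changelog|description|package)/     { s = 0; next }
    !s || /^[ \t]*(#|$)/ { next }
    # Recursive rm on the buildroot: a mis-set BuildRoot (e.g. /) turns this
    # into deletion of the live system when the build runs as root.
    /(^|[ \t;&|])rm[ \t]+-[a-zA-Z]*[rR]/ && /RPM_BUILD_ROOT|%[{]buildroot[}]/ { hit("rm-buildroot") }
    # Destination is an absolute path with no buildroot prefix.
    $1 ~ /^(install|cp|mv|ln|mkdir)$/ { d = $NF; gsub(/"/, "", d); if (d ~ /^\//) hit("outside-buildroot") }
    # "make install" without DESTDIR writes into the running system.
    $1 == "make" && /[ \t]install([ \t]|$)/ && !/DESTDIR=/ { hit("make-install-no-destdir") }
    END { exit (n > 0) }
  ' "$@"
}

# Constructed sample spec, for demonstration only.
sample_spec() {
  cat <<'EOF'
Name: demo
Version: 1.0
%prep
%setup -q
%build
make
%install
rm -rf ${RPM_BUILD_ROOT}
make install
install -m 0755 demo /usr/bin/demo
install -m 0755 demo %{buildroot}/usr/bin/demo
make install DESTDIR=%{buildroot}
%files
/usr/bin/demo
EOF
}

build_allowed || echo "refusing: run rpmbuild as an unprivileged user" >&2
sample_spec | lint_spec || true
```

As an unprivileged user the flagged lines fail with a permission error or stay inside the user's own build tree; as root the same lines modify the running system.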

Solution 2:

mock for Fedora is pretty nice, too. If it'll build in mock, chances are it's a pretty clean RPM.

Solution 3:

Generally you should never use the root user unless you really need the rights. But you are right: the main problem would be that 'rpmbuild' would execute nearly everything you wrote into a spec file (override files, create users, delete files, etc.).

Edit:

As a side note, I would suggest taking a look at the openSUSE Build Service, which makes building RPMs for different distributions really easy. (It can also be set up as a local instance.)