Date: Fri, 9 Feb 2024 20:06:56 +0000 (UTC)
From: Joseph Myers
To: Siddhesh Poyarekar
cc: Martin Jambor, Richard Biener, David Edelsohn, GCC Patches, Carlos O'Donell
Subject: Re: [RFC] GCC Security policy
In-Reply-To: <1555aa2f-1e02-45d9-897b-a9f8cb4fb223@gotplt.org>
Message-ID: <6272b3-b3c0-5f1f-64f3-cdccc0bd2e16@redhat.com>
References: <5dab0019-a28e-f6b1-c822-9217d4d2f59f@gotplt.org> <1555aa2f-1e02-45d9-897b-a9f8cb4fb223@gotplt.org>

On Fri, 9 Feb 2024, Siddhesh Poyarekar wrote:

> > I think disallowing running as root would be a big problem in practice -
> > the typical problem case is when people build software as non-root and run
> > "make install" as root, and for some reason "make install" wants to
> > (re)build or (re)link something.
>
> Isn't that a problematic practice though? Or maybe have those invocations be
> separated out as CC_ROOT?

Ideally dependencies would be properly set up so that everything is built in
the original build, and ideally there would be no need to relink at install
time (I'm not sure of the exact circumstances in which it might be needed, or
on what OSes to e.g. encode the right library paths in final installed
executables). In practice I think it's common for some building to take place
at install time.

There is a more general principle here of composability: it's not helpful for
being able to write scripts or makefiles combining invocations of different
utilities and have them behave predictably if some of those utilities start
making judgements about whether it's a good idea to run them in a particular
environment rather than just doing their job independent of irrelevant aspects
of the environment. The semantics of invoking "gcc" have nothing to do with
whether it's run as root; it should never need to look up what user it's
running as at all.

(And it's probably also a bad idea for lots of separate utilities to gain
their own ways to run in a restricted environment, for similar reasons; rather
than teaching "gcc" a way to create a restricted environment itself, ensure
there are easy-to-use more general utilities for running arbitrary programs on
untrusted input in a contained environment.)

-- 
Joseph S. Myers
josmyers@redhat.com