This is the mail archive of the mailing list for the GCC project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Running GCC as root (was Re: [PATCH - ping] Don't unlink /dev/nullon darwin)

On Mon, Feb 14, 2005 at 09:59:36AM -0800, Zack Weinberg wrote:
>> The second patch is a possible general stopgap to prevent this sort of
>> scenario from causing damage in the future.  It is a very big hammer,
>> and I recognize that it may break stuff, but I am nonetheless deadly
>> serious about proposing it.

Daniel Jacobowitz <> writes:
> I think that forbidding gcc from running as root is a hideously bad
> idea.  That's site policy.  And it will break everyone else's make
> install that runs gcc.  And it will break lots of Debian package builds
> because fakeroot will trigger it.

Paul Brook <> writes:
> Because it will break every [arguably buggy] install/make script
> which ends up running the compiler. I know running gcc as root is
> bad practice, but I can think of semi-legitimate reasons for doing
> so, especially on sandbox systems.  Even more so for the
> preprocessor.
> I guess I'd be a bit happier with a -frun-as-root option to override
> the check.

Where I'm coming from is, this (running gcc as root) *was* just bad
practice, and/or a matter of site policy, up till someone found a
scenario where a legitimate invocation caused breakage when run as
root -- and not breakage that we have any way of fixing, since it
boils down to a bug in a vendor assembler.  At that point it becomes
something that should be disallowed, IMO.

Yes, this causes massive breakage.  Well, (a) all examples so far have
been cases where there are arguable bugs in the makefiles/scripts, and
(b) we're bumping the major version number; now is the time for
massive breakage.  Also, I don't think anyone has actual data on how
widespread the breakage would be.  (Feel free to speak up if you know,
or can do experiments and find out.)

The check was placed in toplev.c instead of gcc.c precisely because
there are genuine needs to run the preprocessor (i.e. gcc -E) as root.

I can see an argument for -frun-as-root, but I can also see an
argument that that will just cause people to patch -frun-as-root into
all their buggy makefiles rather than fixing them properly.  Also, if
we're doing this at all, it ought to be done very early in the
process's lifetime -- putting the check after the command line is
parsed may well be too late for some breakage scenarios, e.g. if
processing the command line causes us to open and truncate some file.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]