[clug] Creating non-root perl owner to run CPAN

Michael James Michael.James at csiro.au
Tue Mar 7 05:01:44 GMT 2006

There are a number of Linux language packages
 that are self-extending such as Perl, python, and R,

For example, installing the BioConductor package
 is easiest from within R,  just run R,
 source a URL to download the script,
 then run the function thus created.
Lots happens, and hey presto, a new R library!

Traditionally everything is owned and maintained by root,
 but being a sysadmin (paid professional paranoid)
 I created a user  "rowner"  and group  "rusers"
 and  "chown -R"  the R base directory  "/usr/lib/R"
Now I su to rowner before doing the above,
 and the system is isolated from any malicious code
 somewhere in R's contributed package libraries.

So much for a language I don't know (or like or trust).
What about the language I do know, love and trust, Perl?
Su to root,  set dependencies to  "follow",  run CPAN,
  "install Bundle::Evil::RootKit"  and go have a cup of coffee...

There's an awful lot of libraries and contributors...
Do I trust them all?  Historically I've effectively said,
 "Of course!  Anyone who hacks Perl has to be a good-guy!"

Well history aside, maybe it's not such a good idea;
 what do people think of using the R strategy
 for all self extending languages?


Michael James                         michael.james at csiro.au
System Administrator                    voice:  02 6246 5040
CSIRO Bioinformatics Facility             fax:  02 6246 5166

No matter how much you pay for software,
 you always get less than you hoped.
Unless you pay nothing, then you get more.

More information about the linux mailing list