I'd like to install software from source (e.g., third-party GitHub repos) to my machine. Generally /usr/local/bin and /usr/local/src are for non-distribution-specific software, right?
Taking ownership of /usr/local seems risky: anything running with my privileges could make nefarious changes to executables in /usr/local/bin, or to sources in /usr/local/src.
But the alternative, building and installing as root (sudo), doesn't make sense to me. GitHub warns against running git as root. Even if I copied the sources from a local repo elsewhere, I'd have to run make and make install as sudo, meaning the software I'm installing could hijack the rest of my machine.
I could just put everything in /home, but that seems like a cop-out — isn't this what /usr/local is for?
Best Answer
Don't take ownership of
/usr/local. Usesudoto install software. But use your own account to build it.Why not take ownership of
/usr/local? You nailed it. That would allow any program running on your account to write there. Against a malicious program, you've lost anyway — infecting a local account is the big step, escalating to root isn't difficult (e.g. by piggybacking on the next time you runsudo). But against a badly configured program, it's better not to have writable bits in the system-wide directories.As for the choice between
/usr/localand your home directory: your home directory is for things you only want for your account,/usr/localis for things that are installed system-wide.