eth-cscs/sarus

Why is sarus requiring root permissions for things that are outside of sarus?

haampie opened this issue · 1 comments

#0   checkThatPathIsRootOwned at "SecurityChecks.cpp":78 Path "/home/harmen/spack/opt/spack/linux-ubuntu22.10-zen2/gcc-12.2.0/squashfs-4.5.1-kyy4hxwwoqqwhrws35zhcgcqcmn56yah/bin/mksquashfs" must be owned by root in order to prevent other users from tampering its contents. Found uid=1000, gid=1000.

Why?

Hi @haampie,
the intention of the feature, as part of the security checks, is to reduce the possibility of exploits through third-party binaries, which in several cases are executed with root privileges by Sarus.

Notice that the specific constraint you are referring to (root ownership of mksquashfs) was relaxed in version 1.5.2, since mksquashfs is only used by unprivileged commands.
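
The kind of check behind that error message, as an added example (not Sarus's own code; `tamper_reason` and `check_path` are hypothetical names). It goes beyond the ownership test quoted in the issue by also rejecting group- or world-writable entries and by walking every ancestor directory, on the assumption that a privileged caller wants the whole path to be modifiable by root only:

```cpp
#include <sys/stat.h>
#include <climits>
#include <cstdlib>
#include <iostream>
#include <string>

// Returns a reason if an entry with these attributes can be modified by
// anyone other than `trusted` (uid 0 for a privileged caller), "" if not.
std::string tamper_reason(const struct stat& st, uid_t trusted = 0) {
    if (st.st_uid != trusted)
        return "owned by uid=" + std::to_string(st.st_uid) +
               ", gid=" + std::to_string(st.st_gid);
    if (st.st_mode & S_IWGRP) return "group-writable";
    if (st.st_mode & S_IWOTH) return "world-writable";
    return "";
}

// Checks the resolved file and each ancestor up to "/". A writable parent
// directory lets its owner swap the binary even if the file is root-owned.
std::string check_path(const char* path, uid_t trusted = 0) {
    char resolved[PATH_MAX];
    if (!realpath(path, resolved))  // also resolves symlinks
        return std::string(path) + ": cannot resolve";
    std::string cur = resolved;
    for (;;) {
        struct stat st;
        if (stat(cur.c_str(), &st) != 0) return cur + ": cannot stat";
        std::string reason = tamper_reason(st, trusted);
        if (!reason.empty()) return cur + ": " + reason;
        if (cur == "/") return "";  // reached the root, nothing failed
        std::size_t slash = cur.rfind('/');
        cur = (slash == 0) ? "/" : cur.substr(0, slash);
    }
}

int main(int argc, char** argv) {
    if (argc > 1) {  // check a real path given on the command line
        std::string r = check_path(argv[1]);
        std::cout << (r.empty() ? "ok" : r) << "\n";
        return r.empty() ? 0 : 1;
    }
    // Constructed sample: same ownership as reported in the issue.
    struct stat user_owned = {};
    user_owned.st_uid = 1000;
    user_owned.st_gid = 1000;
    user_owned.st_mode = S_IFREG | 0755;
    std::cout << "sample entry: " << tamper_reason(user_owned) << "\n";
    return 0;
}
```

A check like this belongs only in front of binaries that the privileged code path actually executes; tools run solely by unprivileged commands do not need it.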