Why is it bad to build RPMs as root?

Badly written RPM .spec files (or even well-written ones with a typo) can do improper things such as:

  • Install directly to the running system instead of to a sandbox
  • Leave junk on the filesystem
  • Accidentally run nasty commands such as: rm -rf ${RPM_BUILD_ROOT}

There is no part of the RPM build process that actually needs root access. So, we should follow the standard procedure of “If it doesn’t need root permission, it doesn’t run as root” when building RPMs.

This avoids nasty accidents and surprises.
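As an added example (not part of the original post), the shell functions below refuse to build as root, keep the whole build inside a per-user tree, and guard the rm -rf ${RPM_BUILD_ROOT} case, which is destructive when the variable resolves to / or another live system directory. The function names and the two-level depth rule are assumptions of this example; _topdir is rpmbuild's macro for the build tree location.

```shell
#!/bin/sh
# Added example: guards for unprivileged RPM builds. Function names are hypothetical.

# True when the given UID (default: the current user's) is root.
is_root_uid() { [ "${1:-$(id -u)}" -eq 0 ]; }

# True only for a path that is safe to delete as a build root: absolute,
# free of "." and ".." components, and at least two levels deep (assumed rule),
# so "", "/", "/usr" and "/tmp/../etc" are all rejected.
is_safe_buildroot() {
    case "$1" in
        /*) ;;                       # absolute path: keep checking
        *) return 1 ;;               # empty or relative
    esac
    case "/$1/" in
        */../*|*/./*) return 1 ;;    # dot components could escape the tree
    esac
    norm=$(printf '%s' "$1" | tr -s '/')   # collapse repeated slashes
    norm=${norm%/}                         # drop one trailing slash
    case "$norm" in /*/*) return 0 ;; esac
    return 1
}

# Guarded stand-in for a bare: rm -rf ${RPM_BUILD_ROOT}
clean_buildroot() {
    is_safe_buildroot "$1" || { echo "refusing to remove unsafe build root: '$1'" >&2; return 1; }
    rm -rf -- "$1"
}

# Create a per-user build tree so nothing is written outside it.
setup_topdir() {
    for d in BUILD BUILDROOT RPMS SOURCES SPECS SRPMS; do
        mkdir -p "$1/$d" || return 1
    done
}

# Build a spec as the invoking (non-root) user inside that tree.
build_rpm() {
    topdir=${2:-$HOME/rpmbuild}
    if is_root_uid; then
        echo "refusing to build RPMs as root" >&2
        return 1
    fi
    setup_topdir "$topdir" || return 1
    rpmbuild --define "_topdir $topdir" -bb "$1"
}
```

Call build_rpm with the path to a .spec file from an ordinary user account; a spec that tries to install outside the build tree then fails with a permission error instead of modifying the running system.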
