It is important to bear in mind that many files within an XMake project contain commands which are EXECUTED at build time. Write access to XMake project directories should be carefully guarded.
By default, the following option is set in XMake.conf:
XMAKE_AUTODETECT_SOURCE_FILES=1 # auto-detection enabled
Source file auto-detection is the most efficient mode
of operation, since it requires less maintenance of
makefiles.
If source files contain commands to be executed by
xmake, enabling XMAKE_AUTODETECT_SOURCE_FILES assumes
that all source files can be TRUSTED.
In the case of the 'c' XMExtension, this is not an
issue since .c source files are only compiled and do not
contain commands to execute at build time. In the case
of the 'phpc' XMExtension, however, .phpc files contain
commands to be executed by PHP to produce output.
Simply disabling XMAKE_AUTODETECT_SOURCE_FILES offers
no security against attack: malicious commands could
just as easily be inserted directly into XMake.conf, or
any makefiles, as well as into source files.
Disabling XMAKE_AUTODETECT_SOURCE_FILES may be useful
to provide a level of administrative control in cases
where write access to XMake project directories is
shared by a group of developers and malicious attack is
not an issue. In this case, source files must be added
manually to the special makefile: 'XM_sources.mkhs'.
XMake should never be run as root, unless root has
exclusive write access to the project directory and to
$(XMAKE_HOME), as well as to external XMake project
directories, if XMAKE_RECURSION=1.
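
One way to check the "exclusive write access" condition before a build, as an added example that is not part of XMake. The function names are hypothetical; the directories to pass are the project directory, $(XMAKE_HOME) and any external project directories.

```shell
#!/bin/sh
# Added example (not part of XMake): find every path under the given
# directories that someone other than the invoking user could modify.
# Assumption: access is governed by owner and mode bits only; ACLs and
# the permissions of parent directories are not examined.

# Print each path that is owned by another user, or is group- or
# world-writable.
xm_untrusted_paths() {
    uid=$(id -u)
    for dir in "$@"; do
        # Symbolic links are skipped: their own mode bits are not
        # meaningful, so link targets must be audited separately.
        find "$dir" ! -type l \
            \( ! -user "$uid" -o -perm -020 -o -perm -002 \) -print
    done
}

# Return 0 if the invoking user has exclusive write access,
# 1 if any offending path exists, 2 if a directory is missing.
xm_check_exclusive_write() {
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "no such directory: $dir" >&2
            return 2
        fi
    done
    offenders=$(xm_untrusted_paths "$@")
    if [ -n "$offenders" ]; then
        printf 'writable by others than uid %s:\n%s\n' \
            "$(id -u)" "$offenders" >&2
        return 1
    fi
    return 0
}

# When run as a script with arguments, audit the directories named.
[ "$#" -eq 0 ] || xm_check_exclusive_write "$@"
```

A non-zero exit status means the build should not be started as that user until the listed paths are fixed.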