Stéphane Guedon 09-11-2010 08:24 AM

sudo in kernel config ?
 
A few months ago, I read linux kernel in a nutschell, and the author wrote we
shouldn't do kernel operations (config and build) as root.

Is sudo (or kdesudo ?) a good replacement to that ?

Kdesudo works good to have xconfig, which is more comfortable than menuconfig.
But is it a good manner of making things ?
--
Stéphane Guedon
page web : http://www.22decembre.eu/
carte de visite : http://www.22decembre.eu/downloads/Stephane-Guedon.vcf
clé publique gpg : http://www.22decembre.eu/downloads/Stephane-Guedon.asc

Albert Hopkins 09-11-2010 09:46 AM

sudo in kernel config ?
 
On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
> few months ago, I read linux kernel in a nutschell(sic), and the author wrote we
> shouldn't do kernel operations (config and build) as root.

I call bullsh*t. I've been compiling kernels for 17 years and for the
most part have done it as root without any problems.

What the author is saying is that, to an extent, in theory no one should
compile anything as root, or really do anything non-system-adminly as
root. You should only do as root what is critically necessary (e.g.
make install) as root.

In a perfect, tidy world we'd all do that. This world, however, does not
exist. Even portage, by default, does configure and make as root (albeit
in a sandbox so it is safe(r)).

What the author means is theoretically the config/compile phase could
unintentionally cause some kind of harm to your system. In practice I
have never seen this or heard of it. The kernel devs are bright enough
to ensure that the compilation does nothing outside the source tree
itself.

It's a good guideline but, like the government's dietary guidelines, not
ones I intend to follow religiously.

> Is sudo (or kdesudo ?) a good replacement to that ?

sudo runs things as root, so effectively you've done nothing but add a
password prompt to the mix.

Gentoo actually makes this a bit more difficult, because usually one
uses portage to install the kernel sources, and they get installed as
root-owned, and only root has write access to the kernel tree.

Some people, such as myself, use kernel sources outside of portage (I
follow a git repo) and do so as a non-root user. In this case the
kernel tree is not owned by root and the config/compile is easily done
as a non-root user.

If you are super-paranoid, you can make a non-root copy
of /usr/src/linux and compile it as a non-root user.

But there really isn't any point in using sudo. It's effectively doing
the same thing that you are trying to avoid.

Stéphane Guedon 09-11-2010 10:41 AM

sudo in kernel config ?
 
Le Saturday 11 September 2010 11:46:59, Albert Hopkins a écrit :
> On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
> > few months ago, I read linux kernel in a nutschell(sic), and the author
> > wrote we shouldn't do kernel operations (config and build) as root.
>
> I call bullsh*t. I've been compiling kernels for 17 years and for the
> most part have done it as root without any problems.
>
> What the author is saying is that, to an extent, in theory no one should
> compile anything as root, or really do anything non-system-adminly as
> root. You should only do as root what is critically necessary (e.g.
> make install) as root.
>
> In a perfect, tidy world we'd all do that. This world, however does not
> exist. Even portage, by default does configure and make as root (albeit
> in a sandbox so it is safe(r).
>
> What the author means is theoretically the config/compile phase could
> unintentionally cause some kind of harm to your system. In practice I
> have never seen this or heard of it. The kernel devs are bright enough
> to ensure that the compilation does nothing outside the source tree
> itself.
>
> It's a good guideline but, like the government's dietary guidelines, not
> ones I intend to follow religiously.
>
> > Is sudo (or kdesudo ?) a good replacement to that ?
>
> sudo runs things as root, so effectively you've done nothing but add a
> password prompt to the mix.
>
> Gentoo actually makes this a bit more difficult, because usually one
> uses portage to install the kernel sources, and they get installed as
> root-owned, and only root has write access to the kernel tree.
>
> Some people, such as myself, use kernel sources outside of portage (I
> follow a git repo) and do so as a non-root user. In this case the
> kernel tree is not owned by root and the config/compile is easily done
> as a non-root user.
>
> If you are super-paranoid. You can make a non-root copy
> of /usr/src/linux and compile it as a non-root user.
>
> But there really isn't any point in using sudo. It's effectively doing
> the same thing that you are trying to avoid.

I am not paranoid anymore, just asking to knowing persons...
Ok ! thanks for your answer !
--
Stéphane Guedon
page web : http://www.22decembre.eu/
carte de visite : http://www.22decembre.eu/downloads/Stephane-Guedon.vcf
clé publique gpg : http://www.22decembre.eu/downloads/Stephane-Guedon.asc

Volker Armin Hemmann 09-11-2010 01:43 PM

sudo in kernel config ?
 
On Saturday 11 September 2010, Stéphane Guedon wrote:
> Le Saturday 11 September 2010 11:46:59, Albert Hopkins a écrit :
> > On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
> > > few months ago, I read linux kernel in a nutschell(sic), and the author
> > > wrote we shouldn't do kernel operations (config and build) as root.
> >
> > I call bullsh*t. I've been compiling kernels for 17 years and for the
> > most part have done it as root without any problems.
> >
> > What the author is saying is that, to an extent, in theory no one should
> > compile anything as root, or really do anything non-system-adminly as
> > root. You should only do as root what is critically necessary (e.g.
> > make install) as root.
> >
> > In a perfect, tidy world we'd all do that. This world, however does not
> > exist. Even portage, by default does configure and make as root (albeit
> > in a sandbox so it is safe(r).
> >
> > What the author means is theoretically the config/compile phase could
> > unintentionally cause some kind of harm to your system. In practice I
> > have never seen this or heard of it. The kernel devs are bright enough
> > to ensure that the compilation does nothing outside the source tree
> > itself.
> >
> > It's a good guideline but, like the government's dietary guidelines, not
> > ones I intend to follow religiously.
> >
> > > Is sudo (or kdesudo ?) a good replacement to that ?
> >
> > sudo runs things as root, so effectively you've done nothing but add a
> > password prompt to the mix.
> >
> > Gentoo actually makes this a bit more difficult, because usually one
> > uses portage to install the kernel sources, and they get installed as
> > root-owned, and only root has write access to the kernel tree.
> >
> > Some people, such as myself, use kernel sources outside of portage (I
> > follow a git repo) and do so as a non-root user. In this case the
> > kernel tree is not owned by root and the config/compile is easily done
> > as a non-root user.
> >
> > If you are super-paranoid. You can make a non-root copy
> > of /usr/src/linux and compile it as a non-root user.
> >
> > But there really isn't any point in using sudo. It's effectively doing
> > the same thing that you are trying to avoid.
>
> I am not paranoid anymore, just asking to knowing persons...
> Ok ! thanks for your answer !

Well, some years ago someone made a mistake causing some people doing make as
root losing /dev/null or something like that. But not even everybody was hit.

/me prefers losing /dev/null over having /home/$USER overwritten.

Albert Hopkins 09-11-2010 03:53 PM

sudo in kernel config ?
 
On Sat, 2010-09-11 at 05:46 -0400, Albert Hopkins wrote:
> In a perfect, tidy world we'd all do that. This world, however does
> not
> exist. Even portage, by default does configure and make as root
> (albeit
> in a sandbox so it is safe(r).

I suppose one could compile the kernel sources as root but inside
sandbox, though I've never tried that.

Nikos Chantziaras 09-11-2010 05:59 PM

sudo in kernel config ?
 
On 09/11/2010 11:24 AM, Stéphane Guedon wrote:
> few months ago, I read linux kernel in a nutschell, and the author wrote we
> shouldn't do kernel operations (config and build) as root.
>
> Is sudo (or kdesudo ?) a good replacement to that ?
>
> Kdesudo works good to have xconfig, which is more comfortable that menuconfig.
> But is it a good manner of making things ?

Why sudo? Simply chown -R the whole kernel tree. Only the
modules_install and install targets will need root.

I've done it like this for as long as I can remember.

Alan McKinnon 09-11-2010 08:18 PM

sudo in kernel config ?
 
Apparently, though unproven, at 11:46 on Saturday 11 September 2010, Albert
Hopkins did opine thusly:

> On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
> > few months ago, I read linux kernel in a nutschell(sic), and the author
> > wrote we shouldn't do kernel operations (config and build) as root.
>
> I call bullsh*t. I've been compiling kernels for 17 years and for the
> most part have done it as root without any problems.

Same here.

The root user (sometimes portage) creates /usr/src/linux-*

Someone tell me again exactly how user alan is supposed to build those
sources?


--
alan dot mckinnon at gmail dot com

Etaoin Shrdlu 09-11-2010 08:28 PM

sudo in kernel config ?
 
On Sat, 11 Sep 2010 15:35:58 -0500 Dale <rdalek1967@gmail.com> wrote:

> If they are accessible by a user, couldn't a user then edit or add
> something that would then cause a security problem? If they can edit
> them and no one knows it, then root comes along and builds a shiny new
> kernel with a really nice security hole.

This was actually a potential risk once upon a time:

http://attrition.org/security/advisory/gobbles/GOBBLES-16.txt

Nikos Chantziaras 09-11-2010 08:34 PM

sudo in kernel config ?
 
On 09/11/2010 11:18 PM, Alan McKinnon wrote:
> Apparently, though unproven, at 11:46 on Saturday 11 September 2010, Albert
> Hopkins did opine thusly:
>
> > On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
> > > few months ago, I read linux kernel in a nutschell(sic), and the author
> > > wrote we shouldn't do kernel operations (config and build) as root.
> >
> > I call bullsh*t. I've been compiling kernels for 17 years and for the
> > most part have done it as root without any problems.
>
> Same here.
>
> The root user (sometimes portage) creates /usr/src/linux-*
>
> Someone tell me again exactly how user alan is supposed to build those
> sources?

chown -R

Dale 09-11-2010 08:35 PM

sudo in kernel config ?
 
Alan McKinnon wrote:
> Apparently, though unproven, at 11:46 on Saturday 11 September 2010, Albert
> Hopkins did opine thusly:
>
> > On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
> > > few months ago, I read linux kernel in a nutschell(sic), and the author
> > > wrote we shouldn't do kernel operations (config and build) as root.
> >
> > I call bullsh*t. I've been compiling kernels for 17 years and for the
> > most part have done it as root without any problems.
>
> Same here.
>
> The root user (sometimes portage) creates /usr/src/linux-*
>
> Someone tell me again exactly how user alan is supposed to build those
> sources?

If they are accessible by a user, couldn't a user then edit or add
something that would then cause a security problem? If they can edit
them and no one knows it, then root comes along and builds a shiny new
kernel with a really nice security hole.


Glad only root can get to the sources. ;-)

Dale

:-) :-)
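
An added example, not part of any post in the thread: one way to reconcile the "only modules_install and install need root" advice with the concern about user-writable sources is to leave /usr/src/linux root-owned and build out of tree with kbuild's `O=` directory, instead of the `chown -R` suggested above. The function names and the SRC/OUT defaults are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. SRC/OUT defaults and all function
# names are assumptions; O= is kbuild's out-of-tree build directory.
SRC=${SRC:-/usr/src/linux}
OUT=${OUT:-$HOME/kbuild}

# Print entries under tree $1 that are not owned by user $2 or that are
# writable by group/other. -H follows $1 itself when it is a symlink
# (as /usr/src/linux usually is); symlinks inside the tree are skipped
# because their mode is always 0777.
tree_tamper_check() {
    find -H "$1" ! -type l \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print
}

# Configure and compile as the calling user; only $OUT is written.
# O= builds need a pristine source tree (make mrproper, run once by root).
unprivileged_build() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to configure/build as root" >&2
        return 1
    fi
    mkdir -p "$OUT" &&
    make -C "$SRC" O="$OUT" menuconfig &&
    make -C "$SRC" O="$OUT"
}

# Run the two targets that need root, but only if nobody except root
# could have modified the sources that root's make is about to execute.
privileged_install() {
    bad=$(tree_tamper_check "$SRC" root)
    if [ -n "$bad" ]; then
        printf 'untrusted entries in %s:\n%s\n' "$SRC" "$bad" >&2
        return 1
    fi
    sudo make -C "$SRC" O="$OUT" modules_install install
}

case "${1:-}" in
    build)   unprivileged_build ;;
    install) privileged_install ;;
esac
```

The build directory is still owned by the build user and is read by root's make at install time, so this guards against accidents and against other local users touching the sources, not against a hostile build account.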

