1 |
-----BEGIN PGP SIGNED MESSAGE----- |
2 |
Hash: SHA1 |
3 |
|
4 |
On 07/05/2012 06:23 AM, Matthew Marlowe wrote: |
5 |
>> The Linux kernel should not and really must not be built as root. |
6 |
>> This is neither supported nor recommended nor tested by upstream. |
7 |
>> You may recall there was a kernel build system bug which ran -rf / |
8 |
>> which would be bad if you built as root. |
9 |
>> |
10 |
>> The administrator usually has a normal user account somewhere. Use |
11 |
>> that to build. |
12 |
>> |
13 |
> |
14 |
> Maybe it's just the sysadmin in me, and being used to logging into |
15 |
> hundreds of boxes where the only non-root accounts are dedicated to |
16 |
> specifics apps which have specific reasons to limit their security |
17 |
> access (nginx/etc), but the concept that simply compiling a kernel as |
18 |
> root being a dangerous operation -- seems twisted. From a system |
19 |
> reliability point of view, compiling a kernel should be something I |
20 |
> can do on all boxes when if needed and the only account that I can |
21 |
> ensure exists on all boxes is root. |
22 |
> |
23 |
> Still, I guess it makes sense from the perspective of the kernel |
24 |
> developers and we're stuck with that, although -- the gloating over |
25 |
> 'rm -rf' seems overdone. |
26 |
> |
27 |
> In any case, if we must go down this road..than the proper solution is |
28 |
> to treat the kernel like any other security sensitive app. Create a |
29 |
> new designated user for compiling kernels - call it 'kernel' and over |
30 |
> time we'll grow used to it being on all boxes. We can adjust our |
31 |
> automated kernel building scripts to su to the kernel user before |
32 |
> issuing make commands/etc and the makefile can terminate abnormally if |
33 |
> it detects it is being run from any other user than 'kernel'. |
34 |
> |
35 |
> |
36 |
portage already has a portage user which is used to build (or pretty |
37 |
much do) everything else if you set FEATURES="userpriv usersync |
38 |
usersandbox" so do we really need a kernel user to build the kernel? How |
39 |
about a kde user to build kde? I for one do not need a new user on my |
40 |
system every time I want to build something new. For all I care, build |
41 |
as nobody, but adding a kernel user is ridiculous. |
42 |
|
43 |
- -Zero |
44 |
|
45 |
-----BEGIN PGP SIGNATURE----- |
46 |
Version: GnuPG v2.0.19 (GNU/Linux) |
47 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ |
48 |
|
49 |
iQIcBAEBAgAGBQJP9Z6OAAoJEKXdFCfdEflKhMsQAIBaqxWhRzkRmdYGajqItyKV |
50 |
DHAIE6LyY9lQ08rHV8eWXi/lKjUamM22wRrvOiHg/z0Cwu1shHgQtsuxJZZ3bJ6W |
51 |
hkvNLMOEkUaGlWFwhwYfUKWXDgS01eJc7OAF63Vxfgq+F8kpdM5SajeAVh+6XRp6 |
52 |
ea2NB1ywmqChqXc5M/ZkA28Y2IzT8hyrdiqFG5n0d63W8vt39kTgBpNkrJvoBEbh |
53 |
s7Fpmli+RTlR8bGjYVyAuimUQfL3R+GulbI+5JEseVCzCs8VeoY/Ab0s0XctA+hx |
54 |
LRa1SzUG2rP8UjMoVZYFnxvVp0YX76t3b50qL+USyq0VDdEeoi4XzxMzVcKnkkb7 |
55 |
lBtlkp4IwsxC9NfDb2aYM5iStGo1nTSJ/nK6XIbl8ePYCh2iuq9mFFrZAURUUqpS |
56 |
hdd21VchpyC2exuvg1tImmddetiPE0aiwQUqAOVQEwIZ/ViWDdRCjkk7sN3y039A |
57 |
it/Ddr5DGe7P/TzPq2Q5mNlaonVbGrqz5dqObfky0oYzqHoRb06+PGq1fjNXWx/s |
58 |
WtqnaJHH86kol/AIsMpN/0FRQ2bGzDibG3VLezjklpmxczPqq9CQWuYzRqRw5q57 |
59 |
9/8LO7aPsEAIW/7+Y+pe2asTI1ZfUJIUsmDvQqZKA2oeJ3kqa4dtLyqv2bgfAi8R |
60 |
DAV8uC+2xbRFlas47b7F |
61 |
=NhiX |
62 |
-----END PGP SIGNATURE----- |