[gentoo-user] sudo in kernel config ?

[gentoo-user] sudo in kernel config ?

[Stéphane Guedon]

[-- Attachment #1: Type: Text/Plain, Size: 531 bytes --]

few months ago, I read linux kernel in a nutschell, and the author wrote we 
shouldn't do kernel operations (config and build) as root.

Is sudo (or kdesudo ?) a good replacement to that ?

Kdesudo works good to have xconfig, which is more comfortable that menuconfig. 
But is it a good manner of making things ?
-- 
Stéphane Guedon
page web : http://www.22decembre.eu/
carte de visite : http://www.22decembre.eu/downloads/Stephane-Guedon.vcf
clé publique gpg : http://www.22decembre.eu/downloads/Stephane-Guedon.asc

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] sudo in kernel config ?

[Albert Hopkins]

On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
> few months ago, I read linux kernel in a nutschell(sic), and the author wrote we 
> shouldn't do kernel operations (config and build) as root.

I call bullsh*t.  I've been compiling kernels for 17 years and for the
most part have done it as root without any problems.

What the author is saying is that, to an extent, in theory no one should
compile anything as root, or really do anything non-system-adminly as
root.  You should only do as root what is critically necessary (e.g.
make install) as root.

In a perfect, tidy world we'd all do that.  This world, however does not
exist.  Even portage, by default does configure and make as root (albeit
in a sandbox so it is safe(r). 

What the author means is theoretically the config/compile phase could
unintentionally cause some kind of harm to your system.  In practice I
have never seen this or heard of it.  The kernel devs are bright enough
to ensure that the compilation does nothing outside the source tree
itself.

It's a good guideline but, like the government's dietary guidelines, not
ones I intend to follow religiously.

> Is sudo (or kdesudo ?) a good replacement to that ?

sudo runs things as root, so effectively you've done nothing but add a
password prompt to the mix.

Gentoo actually makes this a bit more difficult, because usually one
uses portage to install the kernel sources, and they get installed as
root-owned, and only root has write access to the kernel tree.

Some people, such as myself, use kernel sources outside of portage (I
follow a git repo) and do so as a non-root user.  In this case the
kernel tree is not owned by root and the config/compile is easily done
as a non-root user.

If you are super-paranoid.  You can make a non-root copy
of /usr/src/linux and compile it as a non-root user.

But there really isn't any point in using sudo.  It's effectively doing
the same thing that you are trying to avoid.

Re: [gentoo-user] sudo in kernel config ?

[Stéphane Guedon]

[-- Attachment #1: Type: Text/Plain, Size: 2464 bytes --]

Le Saturday 11 September 2010 11:46:59, Albert Hopkins a écrit :
> On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
> > few months ago, I read linux kernel in a nutschell(sic), and the author
> > wrote we shouldn't do kernel operations (config and build) as root.
> 
> I call bullsh*t.  I've been compiling kernels for 17 years and for the
> most part have done it as root without any problems.
> 
> What the author is saying is that, to an extent, in theory no one should
> compile anything as root, or really do anything non-system-adminly as
> root.  You should only do as root what is critically necessary (e.g.
> make install) as root.
> 
> In a perfect, tidy world we'd all do that.  This world, however does not
> exist.  Even portage, by default does configure and make as root (albeit
> in a sandbox so it is safe(r).
> 
> What the author means is theoretically the config/compile phase could
> unintentionally cause some kind of harm to your system.  In practice I
> have never seen this or heard of it.  The kernel devs are bright enough
> to ensure that the compilation does nothing outside the source tree
> itself.
> 
> It's a good guideline but, like the government's dietary guidelines, not
> ones I intend to follow religiously.
> 
> > Is sudo (or kdesudo ?) a good replacement to that ?
> 
> sudo runs things as root, so effectively you've done nothing but add a
> password prompt to the mix.
> 
> Gentoo actually makes this a bit more difficult, because usually one
> uses portage to install the kernel sources, and they get installed as
> root-owned, and only root has write access to the kernel tree.
> 
> Some people, such as myself, use kernel sources outside of portage (I
> follow a git repo) and do so as a non-root user.  In this case the
> kernel tree is not owned by root and the config/compile is easily done
> as a non-root user.
> 
> If you are super-paranoid.  You can make a non-root copy
> of /usr/src/linux and compile it as a non-root user.
> 
> But there really isn't any point in using sudo.  It's effectively doing
> the same thing that you are trying to avoid.

I am not paranoid anymore, just asking to knowing persons...
Ok ! thanks for your answer !
-- 
Stéphane Guedon
page web : http://www.22decembre.eu/
carte de visite : http://www.22decembre.eu/downloads/Stephane-Guedon.vcf
clé publique gpg : http://www.22decembre.eu/downloads/Stephane-Guedon.asc

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] sudo in kernel config ?

[Volker Armin Hemmann]

On Saturday 11 September 2010, Stéphane Guedon wrote:
> Le Saturday 11 September 2010 11:46:59, Albert Hopkins a écrit :
> > On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
> > > few months ago, I read linux kernel in a nutschell(sic), and the author
> > > wrote we shouldn't do kernel operations (config and build) as root.
> > 
> > I call bullsh*t.  I've been compiling kernels for 17 years and for the
> > most part have done it as root without any problems.
> > 
> > What the author is saying is that, to an extent, in theory no one should
> > compile anything as root, or really do anything non-system-adminly as
> > root.  You should only do as root what is critically necessary (e.g.
> > make install) as root.
> > 
> > In a perfect, tidy world we'd all do that.  This world, however does not
> > exist.  Even portage, by default does configure and make as root (albeit
> > in a sandbox so it is safe(r).
> > 
> > What the author means is theoretically the config/compile phase could
> > unintentionally cause some kind of harm to your system.  In practice I
> > have never seen this or heard of it.  The kernel devs are bright enough
> > to ensure that the compilation does nothing outside the source tree
> > itself.
> > 
> > It's a good guideline but, like the government's dietary guidelines, not
> > ones I intend to follow religiously.
> > 
> > > Is sudo (or kdesudo ?) a good replacement to that ?
> > 
> > sudo runs things as root, so effectively you've done nothing but add a
> > password prompt to the mix.
> > 
> > Gentoo actually makes this a bit more difficult, because usually one
> > uses portage to install the kernel sources, and they get installed as
> > root-owned, and only root has write access to the kernel tree.
> > 
> > Some people, such as myself, use kernel sources outside of portage (I
> > follow a git repo) and do so as a non-root user.  In this case the
> > kernel tree is not owned by root and the config/compile is easily done
> > as a non-root user.
> > 
> > If you are super-paranoid.  You can make a non-root copy
> > of /usr/src/linux and compile it as a non-root user.
> > 
> > But there really isn't any point in using sudo.  It's effectively doing
> > the same thing that you are trying to avoid.
> 
> I am not paranoid anymore, just asking to knowing persons...
> Ok ! thanks for your answer !

well, some years ago someone made a mistake causing some people doing make as 
root loosing /dev/null or something like that. But not even everybody was hit.

/me prefers loosing /dev/null over having /home/$USER overwritten.

Re: [gentoo-user] sudo in kernel config ?

[Albert Hopkins]

On Sat, 2010-09-11 at 05:46 -0400, Albert Hopkins wrote:
> In a perfect, tidy world we'd all do that.  This world, however does
> not
> exist.  Even portage, by default does configure and make as root
> (albeit
> in a sandbox so it is safe(r). 

I suppose one could compile the kernel sources as root but inside
sandbox, though I've never tried that.

[gentoo-user] Re: sudo in kernel config ?

[Nikos Chantziaras]

On 09/11/2010 11:24 AM, Stéphane Guedon wrote:
> few months ago, I read linux kernel in a nutschell, and the author wrote we
> shouldn't do kernel operations (config and build) as root.
>
> Is sudo (or kdesudo ?) a good replacement to that ?
>
> Kdesudo works good to have xconfig, which is more comfortable that menuconfig.
> But is it a good manner of making things ?

Why sudo?  Simply chown -R the whole kernel tree.  Only the 
modules_install and install targets will need root.

I've done it like this for as long as I can remember.

Re: [gentoo-user] sudo in kernel config ?

[Alan McKinnon]

Apparently, though unproven, at 11:46 on Saturday 11 September 2010, Albert 
Hopkins did opine thusly:

> On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
> > few months ago, I read linux kernel in a nutschell(sic), and the author
> > wrote we shouldn't do kernel operations (config and build) as root.
> 
> I call bullsh*t.  I've been compiling kernels for 17 years and for the
> most part have done it as root without any problems.

Same here.

The root user (sometimes portage) creates /usr/src/linux-*

Someone tell me again exactly how user alan is supposed to build those 
sources?


-- 
alan dot mckinnon at gmail dot com

Re: [gentoo-user] sudo in kernel config ?

[Etaoin Shrdlu]

On Sat, 11 Sep 2010 15:35:58 -0500 Dale <rdalek1967@gmail.com> wrote:

> If they are accessible by a user, couldn't a user then edit or add 
> something that would then cause a security problem?  If they can edit 
> them and no one know it, then root comes along and builds a shiney new 
> kernel with a really nice security hole.

This was actually a potential risk once upon a time:

http://attrition.org/security/advisory/gobbles/GOBBLES-16.txt

[gentoo-user] Re: sudo in kernel config ?

[Nikos Chantziaras]

On 09/11/2010 11:18 PM, Alan McKinnon wrote:
> Apparently, though unproven, at 11:46 on Saturday 11 September 2010, Albert
> Hopkins did opine thusly:
>
>> On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
>>> few months ago, I read linux kernel in a nutschell(sic), and the author
>>> wrote we shouldn't do kernel operations (config and build) as root.
>>
>> I call bullsh*t.  I've been compiling kernels for 17 years and for the
>> most part have done it as root without any problems.
>
> Same here.
>
> The root user (sometimes portage) creates /usr/src/linux-*
>
> Someone tell me again exactly how user alan is supposed to build those
> sources?

chown -R

Re: [gentoo-user] sudo in kernel config ?

[Dale]

Alan McKinnon wrote:
> Apparently, though unproven, at 11:46 on Saturday 11 September 2010, Albert
> Hopkins did opine thusly:
>
>    
>> On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
>>      
>>> few months ago, I read linux kernel in a nutschell(sic), and the author
>>> wrote we shouldn't do kernel operations (config and build) as root.
>>>        
>> I call bullsh*t.  I've been compiling kernels for 17 years and for the
>> most part have done it as root without any problems.
>>      
> Same here.
>
> The root user (sometimes portage) creates /usr/src/linux-*
>
> Someone tell me again exactly how user alan is supposed to build those
> sources?
>
>    

If they are accessible by a user, couldn't a user then edit or add 
something that would then cause a security problem?  If they can edit 
them and no one know it, then root comes along and builds a shiney new 
kernel with a really nice security hole.

Glad only root can get to the sources.  ;-)

Dale

:-)  :-)

[gentoo-user] Re: sudo in kernel config ?

[Nikos Chantziaras]

On 09/11/2010 11:35 PM, Dale wrote:
> Alan McKinnon wrote:
>> Apparently, though unproven, at 11:46 on Saturday 11 September 2010,
>> Albert
>> Hopkins did opine thusly:
>>
>>> On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
>>>> few months ago, I read linux kernel in a nutschell(sic), and the author
>>>> wrote we shouldn't do kernel operations (config and build) as root.
>>> I call bullsh*t. I've been compiling kernels for 17 years and for the
>>> most part have done it as root without any problems.
>> Same here.
>>
>> The root user (sometimes portage) creates /usr/src/linux-*
>>
>> Someone tell me again exactly how user alan is supposed to build those
>> sources?
>>
>
> If they are accessible by a user, couldn't a user then edit or add
> something that would then cause a security problem? If they can edit
> them and no one know it, then root comes along and builds a shiney new
> kernel with a really nice security hole.
>
> Glad only root can get to the sources. ;-)

No, any user can't edit them; only the user you assign the files to. If 
you assign them to root, only root can edit them. If you assign them to 
kerneluser, only kerneluser can edit them.

This is Unix 101 :)

Re: [gentoo-user] Re: sudo in kernel config ?

[Dale]

Nikos Chantziaras wrote:
> On 09/11/2010 11:35 PM, Dale wrote:
>> Alan McKinnon wrote:
>>> Apparently, though unproven, at 11:46 on Saturday 11 September 2010,
>>> Albert
>>> Hopkins did opine thusly:
>>>
>>>> On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
>>>>> few months ago, I read linux kernel in a nutschell(sic), and the 
>>>>> author
>>>>> wrote we shouldn't do kernel operations (config and build) as root.
>>>> I call bullsh*t. I've been compiling kernels for 17 years and for the
>>>> most part have done it as root without any problems.
>>> Same here.
>>>
>>> The root user (sometimes portage) creates /usr/src/linux-*
>>>
>>> Someone tell me again exactly how user alan is supposed to build those
>>> sources?
>>>
>>
>> If they are accessible by a user, couldn't a user then edit or add
>> something that would then cause a security problem? If they can edit
>> them and no one know it, then root comes along and builds a shiney new
>> kernel with a really nice security hole.
>>
>> Glad only root can get to the sources. ;-)
>
> No, any user can't edit them; only the user you assign the files to. 
> If you assign them to root, only root can edit them. If you assign 
> them to kerneluser, only kerneluser can edit them.
>
> This is Unix 101 :)
>
>

My point was, if the sources are say in the user group, then any user 
can edit them?  Right now, they are in the root group and owned my root 
which for security reasons is a good idea.  That way a regular user 
can't edit or modify the kernel sources.

Dale

:-)  :-)

Re: [gentoo-user] sudo in kernel config ?

[Alan McKinnon]

Apparently, though unproven, at 22:28 on Saturday 11 September 2010, Etaoin 
Shrdlu did opine thusly:

> On Sat, 11 Sep 2010 15:35:58 -0500 Dale <rdalek1967@gmail.com> wrote:
> > If they are accessible by a user, couldn't a user then edit or add
> > something that would then cause a security problem?  If they can edit
> > them and no one know it, then root comes along and builds a shiney new
> > kernel with a really nice security hole.
> 
> This was actually a potential risk once upon a time:
> 
> http://attrition.org/security/advisory/gobbles/GOBBLES-16.txt

More like an actual risk all the time. Which is why:

# ls -al /usr/src/
total 2
drwxr-xr-x  3 root root  136 2010-09-01 11:41 .
drwxr-xr-x 17 root root  480 2010-08-23 01:44 ..
-rw-r--r--  1 root root    0 2008-06-17 19:37 .keep
lrwxrwxrwx  1 root root   18 2010-09-01 11:30 linux -> linux-2.6.35-ck-r2
drwxr-xr-x 24 root root 1584 2010-09-01 02:12 linux-2.6.35-ck-r2



-- 
alan dot mckinnon at gmail dot com

Re: [gentoo-user] Re: sudo in kernel config ?

[Alan McKinnon]

Apparently, though unproven, at 22:34 on Saturday 11 September 2010, Nikos 
Chantziaras did opine thusly:

> On 09/11/2010 11:18 PM, Alan McKinnon wrote:
> > Apparently, though unproven, at 11:46 on Saturday 11 September 2010,
> > Albert
> > 
> > Hopkins did opine thusly:
> >> On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
> >>> few months ago, I read linux kernel in a nutschell(sic), and the author
> >>> wrote we shouldn't do kernel operations (config and build) as root.
> >> 
> >> I call bullsh*t.  I've been compiling kernels for 17 years and for the
> >> most part have done it as root without any problems.
> > 
> > Same here.
> > 
> > The root user (sometimes portage) creates /usr/src/linux-*
> > 
> > Someone tell me again exactly how user alan is supposed to build those
> > sources?
> 
> chown -R

I utterly fail to see the point of this prohibition against building as root. 

Sure, it makes sense when I'm installing perl stuff for my users and last 
command is sudo make install. But for everything else?



-- 
alan dot mckinnon at gmail dot com

[gentoo-user] Re: sudo in kernel config ?

[Nikos Chantziaras]

On 09/11/2010 11:49 PM, Dale wrote:
> Nikos Chantziaras wrote:
>> On 09/11/2010 11:35 PM, Dale wrote:
>>> Alan McKinnon wrote:
>>>> Apparently, though unproven, at 11:46 on Saturday 11 September 2010,
>>>> Albert
>>>> Hopkins did opine thusly:
>>>>
>>>>> On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
>>>>>> few months ago, I read linux kernel in a nutschell(sic), and the
>>>>>> author
>>>>>> wrote we shouldn't do kernel operations (config and build) as root.
>>>>> I call bullsh*t. I've been compiling kernels for 17 years and for the
>>>>> most part have done it as root without any problems.
>>>> Same here.
>>>>
>>>> The root user (sometimes portage) creates /usr/src/linux-*
>>>>
>>>> Someone tell me again exactly how user alan is supposed to build those
>>>> sources?
>>>>
>>>
>>> If they are accessible by a user, couldn't a user then edit or add
>>> something that would then cause a security problem? If they can edit
>>> them and no one know it, then root comes along and builds a shiney new
>>> kernel with a really nice security hole.
>>>
>>> Glad only root can get to the sources. ;-)
>>
>> No, any user can't edit them; only the user you assign the files to.
>> If you assign them to root, only root can edit them. If you assign
>> them to kerneluser, only kerneluser can edit them.
>>
>> This is Unix 101 :)
>>
>>
>
> My point was, if the sources are say in the user group, then any user
> can edit them? Right now, they are in the root group and owned my root
> which for security reasons is a good idea. That way a regular user can't
> edit or modify the kernel sources.

The group can only write if the files have the group write permission 
set.  Still in Unix 101 domain, hehe :)

[gentoo-user] Re: sudo in kernel config ?

[Nikos Chantziaras]

On 09/11/2010 11:51 PM, Alan McKinnon wrote:
> Apparently, though unproven, at 22:34 on Saturday 11 September 2010, Nikos
> Chantziaras did opine thusly:
>
>> On 09/11/2010 11:18 PM, Alan McKinnon wrote:
>>> Apparently, though unproven, at 11:46 on Saturday 11 September 2010,
>>> Albert
>>>
>>> Hopkins did opine thusly:
>>>> On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
>>>>> few months ago, I read linux kernel in a nutschell(sic), and the author
>>>>> wrote we shouldn't do kernel operations (config and build) as root.
>>>>
>>>> I call bullsh*t.  I've been compiling kernels for 17 years and for the
>>>> most part have done it as root without any problems.
>>>
>>> Same here.
>>>
>>> The root user (sometimes portage) creates /usr/src/linux-*
>>>
>>> Someone tell me again exactly how user alan is supposed to build those
>>> sources?
>>
>> chown -R
>
> I utterly fail to see the point of this prohibition against building as root.
>
> Sure, it makes sense when I'm installing perl stuff for my users and last
> command is sudo make install. But for everything else?

Well, running GCC and Make as root raises the same concerns as running 
any other program as root.

In the case of Gentoo, this isn't too important though, since in Gentoo, 
you don't build your software in your home dir and then "sudo make 
install", but portage will run GCC as root anyway.

With other distros, you never run GCC/Make/etc as root.  In Gentoo you 
do, so there's no point in reading too much into this.

Re: [gentoo-user] Re: sudo in kernel config ?

[Alan McKinnon]

Apparently, though unproven, at 23:01 on Saturday 11 September 2010, Nikos 
Chantziaras did opine thusly:

> On 09/11/2010 11:49 PM, Dale wrote:
> > Nikos Chantziaras wrote:
> >> On 09/11/2010 11:35 PM, Dale wrote:
> >>> Alan McKinnon wrote:
> >>>> Apparently, though unproven, at 11:46 on Saturday 11 September 2010,
> >>>> Albert
> >>>> 
> >>>> Hopkins did opine thusly:
> >>>>> On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
> >>>>>> few months ago, I read linux kernel in a nutschell(sic), and the
> >>>>>> author
> >>>>>> wrote we shouldn't do kernel operations (config and build) as root.
> >>>>> 
> >>>>> I call bullsh*t. I've been compiling kernels for 17 years and for the
> >>>>> most part have done it as root without any problems.
> >>>> 
> >>>> Same here.
> >>>> 
> >>>> The root user (sometimes portage) creates /usr/src/linux-*
> >>>> 
> >>>> Someone tell me again exactly how user alan is supposed to build those
> >>>> sources?
> >>> 
> >>> If they are accessible by a user, couldn't a user then edit or add
> >>> something that would then cause a security problem? If they can edit
> >>> them and no one know it, then root comes along and builds a shiney new
> >>> kernel with a really nice security hole.
> >>> 
> >>> Glad only root can get to the sources. ;-)
> >> 
> >> No, any user can't edit them; only the user you assign the files to.
> >> If you assign them to root, only root can edit them. If you assign
> >> them to kerneluser, only kerneluser can edit them.
> >> 
> >> This is Unix 101 :)
> > 
> > My point was, if the sources are say in the user group, then any user
> > can edit them? Right now, they are in the root group and owned my root
> > which for security reasons is a good idea. That way a regular user can't
> > edit or modify the kernel sources.
> 
> The group can only write if the files have the group write permission
> set.  Still in Unix 101 domain, hehe :)

And you need write permission on the containing directory to create new files 
or delete existing ones. Nothing to do with the permissions on the file 
itself.

With this, I have moved us on to Unix 101a  :-)



-- 
alan dot mckinnon at gmail dot com

Re: [gentoo-user] Re: sudo in kernel config ?

[Dale]

Nikos Chantziaras wrote:
> On 09/11/2010 11:49 PM, Dale wrote:
>> Nikos Chantziaras wrote:
>>> On 09/11/2010 11:35 PM, Dale wrote:
>>>> Alan McKinnon wrote:
>>>>> Apparently, though unproven, at 11:46 on Saturday 11 September 2010,
>>>>> Albert
>>>>> Hopkins did opine thusly:
>>>>>
>>>>>> On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
>>>>>>> few months ago, I read linux kernel in a nutschell(sic), and the
>>>>>>> author
>>>>>>> wrote we shouldn't do kernel operations (config and build) as root.
>>>>>> I call bullsh*t. I've been compiling kernels for 17 years and for 
>>>>>> the
>>>>>> most part have done it as root without any problems.
>>>>> Same here.
>>>>>
>>>>> The root user (sometimes portage) creates /usr/src/linux-*
>>>>>
>>>>> Someone tell me again exactly how user alan is supposed to build 
>>>>> those
>>>>> sources?
>>>>>
>>>>
>>>> If they are accessible by a user, couldn't a user then edit or add
>>>> something that would then cause a security problem? If they can edit
>>>> them and no one know it, then root comes along and builds a shiney new
>>>> kernel with a really nice security hole.
>>>>
>>>> Glad only root can get to the sources. ;-)
>>>
>>> No, any user can't edit them; only the user you assign the files to.
>>> If you assign them to root, only root can edit them. If you assign
>>> them to kerneluser, only kerneluser can edit them.
>>>
>>> This is Unix 101 :)
>>>
>>>
>>
>> My point was, if the sources are say in the user group, then any user
>> can edit them? Right now, they are in the root group and owned my root
>> which for security reasons is a good idea. That way a regular user can't
>> edit or modify the kernel sources.
>
> The group can only write if the files have the group write permission 
> set.  Still in Unix 101 domain, hehe :)
>

I know that.  Why would a person want anyone BUT root to be able to 
access and change the kernel sources?  Lets see if asking it this way 
makes more sense.  lol

Dale

:-)  :-)

Re: [gentoo-user] sudo in kernel config ?

[Etaoin Shrdlu]

On Sat, 11 Sep 2010 23:05:22 +0100
Peter Humphrey <peter@humphrey.ukfsn.org> wrote:

> On Saturday 11 September 2010 21:28:13 Etaoin Shrdlu wrote:
> 
> > This was actually a potential risk once upon a time:
> 
> Sorry to drift from the topic, but would somebody please explain to me 
> what a potential risk is? How does it differ from a risk?
> 
> (Not getting at you, Etaoin; the world is just full of woolly thinking 
> that threatens to submerge us all. Or not thinking, in most cases.)

I suppose that a risk is potential because it's possible that it's, um
"risky" only under certain circumstances.
 
If those circumstances are not true for you, there is no risk; if they are
true, there is a risk.

Once you know that there is a risk (thus it's no longer potential, but
it's actual), it still take somebody or something to exploit it to actually
have a problem.

Makes sense?

Re: [gentoo-user] sudo in kernel config ?

[Peter Humphrey]

On Saturday 11 September 2010 21:28:13 Etaoin Shrdlu wrote:

> This was actually a potential risk once upon a time:

Sorry to drift from the topic, but would somebody please explain to me 
what a potential risk is? How does it differ from a risk?

(Not getting at you, Etaoin; the world is just full of woolly thinking 
that threatens to submerge us all. Or not thinking, in most cases.)

-- 
Rgds
Peter.          Linux Counter 5290, 1994-04-23.

Re: [gentoo-user] sudo in kernel config ?

[Peter Humphrey]

On Saturday 11 September 2010 23:03:14 Etaoin Shrdlu wrote:

> Makes sense?

Not convinced. Sorry.

-- 
Rgds
Peter.          Linux Counter 5290, 1994-04-23.

[gentoo-user] Re: [OT] sudo in kernel config ?

[Etaoin Shrdlu]

On Sun, 12 Sep 2010 00:06:04 +0100 Peter Humphrey
<peter@humphrey.ukfsn.org> wrote:

> On Saturday 11 September 2010 23:03:14 Etaoin Shrdlu wrote:
> 
> > Makes sense?
> 
> Not convinced. Sorry.

The Merriam-Webster gives this definition of "potential":

"existing in possibility : capable of development into actuality"

which is exactly what I meant in my original post. I linked a document (if
you read that), and the exploit described there could happen only if one
installed the kernel sources downloaded from kernel.org. Hence the
"potential" in the above meaning: if one did not use those sources,
there was no risk for that specific exploit.

But since you're not convinced, now it would be nice, for my own education,
and perhaps someone else's, that you elaborated a bit more. What exactly do
you find non convincing in that usage of the adjective? How would you
express the concept better?

Re: [gentoo-user] Re: sudo in kernel config ?

[Alan McKinnon]

Apparently, though unproven, at 23:47 on Saturday 11 September 2010, Dale did 
opine thusly:


> >> My point was, if the sources are say in the user group, then any user
> >> can edit them? Right now, they are in the root group and owned my root
> >> which for security reasons is a good idea. That way a regular user can't
> >> edit or modify the kernel sources.
> > 
> > The group can only write if the files have the group write permission
> > set.  Still in Unix 101 domain, hehe :)
> 
> I know that.  Why would a person want anyone BUT root to be able to
> access and change the kernel sources?  Lets see if asking it this way
> makes more sense.  lol


Gentoo does things different. If you read Documentation/* in the kernel 
sources, you will not find there what Gentoo has.

/usr/src/linux was intended by the kernel devs[1] to be where the system 
headers are stored - what glibc uses to build. Like everything else in /usr/ 
this is obviously writeable for root only (usually).

The intent is that you download kernel sources to ~, build there and sudo make 
install.

Gentoo needs a kernel tree (not just headers) for all manner of stuff to build 
against. These days many distros also do it this way to accommodate the needs 
of getting nvidia-drivers and vm products to build their drivers etc. This 
must obviously also be writeable only for root.

So, the ancient "advice" about not building as root is bullshit. It might have 
been good advice once but like all advice it's time is past.

To answer your question:

"You wouldn't. Anything else is just daft."


[1] this itself might be ancient cruft and hopelessly out of date

-- 
alan dot mckinnon at gmail dot com

Re: [gentoo-user] sudo in kernel config ?

[Gregory Shearman]

In linux.gentoo.user, you wrote:
>
> Some people, such as myself, use kernel sources outside of portage (I
> follow a git repo) and do so as a non-root user.  In this case the
> kernel tree is not owned by root and the config/compile is easily done
> as a non-root user.
>
> If you are super-paranoid.  You can make a non-root copy
> of /usr/src/linux and compile it as a non-root user.
>
> But there really isn't any point in using sudo.  It's effectively doing
> the same thing that you are trying to avoid.

I agree there's no point in using sudo, but what's the problem? You
don't need to edit the kernel sources merely to build a new kernel. You
can build your kernel outside the tree using for example:
make O=/home/user/kernel/tree/ menuconfig
make O=/home/user/kernel/tree/

All files are put into the user's directory.

All that's need is the KBUILD_OUTPUT environment variable set, so that
drivers can find the kernel .config file etc.

I've built my kernels like this for years now. All kernels are built by
a specific user and then installed as root. No problem, no worries about
permissions and no altering the portage installed kernel sources so that
a purge (emerge -P gentoo-sources) will automatically remove the whole
tree.

-- 
Regards,

Gregory.

Re: [gentoo-user] Re: sudo in kernel config ?

[Stéphane Guedon]

[-- Attachment #1.1: Type: Text/Plain, Size: 1601 bytes --]

Le Saturday 11 September 2010 22:51:47, Alan McKinnon a écrit :
> Apparently, though unproven, at 22:34 on Saturday 11 September 2010, Nikos
> 
> Chantziaras did opine thusly:
> > On 09/11/2010 11:18 PM, Alan McKinnon wrote:
> > > Apparently, though unproven, at 11:46 on Saturday 11 September 2010,
> > > Albert
> > > 
> > > Hopkins did opine thusly:
> > >> On Sat, 2010-09-11 at 10:24 +0200, Stéphane Guedon wrote:
> > >>> few months ago, I read linux kernel in a nutschell(sic), and the
> > >>> author wrote we shouldn't do kernel operations (config and build) as
> > >>> root.
> > >> 
> > >> I call bullsh*t.  I've been compiling kernels for 17 years and for the
> > >> most part have done it as root without any problems.
> > > 
> > > Same here.
> > > 
> > > The root user (sometimes portage) creates /usr/src/linux-*
> > > 
> > > Someone tell me again exactly how user alan is supposed to build those
> > > sources?
> > 
> > chown -R
> 
> I utterly fail to see the point of this prohibition against building as
> root.
> 
> Sure, it makes sense when I'm installing perl stuff for my users and last
> command is sudo make install. But for everything else?

Linux kernel in a nutschell, chapter 1 - Introduction.

You can read the pdf I send.

I am not paranoid anymore, saying it again. Just curious, wanting to know, 
this sorte of things...

-- 
Stéphane Guedon
page web : http://www.22decembre.eu/
carte de visite : http://www.22decembre.eu/downloads/Stephane-Guedon.vcf
clé publique gpg : http://www.22decembre.eu/downloads/Stephane-Guedon.asc

[-- Attachment #1.2: ch01.pdf --]
[-- Type: application/pdf, Size: 157024 bytes --]

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] Re: [OT] sudo in kernel config ?

[Peter Humphrey]

On Sunday 12 September 2010 00:15:34 Etaoin Shrdlu wrote:

> But since you're not convinced, now it would be nice, for my own
> education, and perhaps someone else's, that you elaborated a bit
> more. What exactly do you find non convincing in that usage of the
> adjective? How would you express the concept better?

I did say I wasn't getting at you in particular, but what I dislike is 
being bombarded by the broadcast media with "potential this" and 
"possible that", when only a few years ago no-one would have dreamed of 
putting the extra word in. We even heard of someone being charged with 
an alleged crime recently, which is plain nonsense.

A risk is a risk, no matter how indirect it starts out.

But this is all way off-topic, so I propose to pipe down. No-one's likely 
to be convinced anyway.

-- 
Rgds
Peter.          Linux Counter 5290, 1994-04-23.

Re: [gentoo-user] Re: [OT] sudo in kernel config ?

[Etaoin Shrdlu]

On Sun, 12 Sep 2010 10:16:31 +0100 Peter Humphrey
<peter@humphrey.ukfsn.org> wrote:

> On Sunday 12 September 2010 00:15:34 Etaoin Shrdlu wrote:
> 
> > But since you're not convinced, now it would be nice, for my own
> > education, and perhaps someone else's, that you elaborated a bit
> > more. What exactly do you find non convincing in that usage of the
> > adjective? How would you express the concept better?
> 
> I did say I wasn't getting at you in particular, but what I dislike is 
> being bombarded by the broadcast media with "potential this" and 
> "possible that", when only a few years ago no-one would have dreamed of 
> putting the extra word in. We even heard of someone being charged with 
> an alleged crime recently, which is plain nonsense.

I see. I haven't had a TV set for about 12 years now, so I'm probably
somewhat less exposed to that, although I think I see where you're coming
from.
 
> A risk is a risk, no matter how indirect it starts out.

Of course, but it may affect different people to different degrees, or may
not even affect some of them. That's what I meant.

A rose is a rose is a rose, but it can be pink, red, white...it still
remains a rose. But sometimes the attribute can make a difference.

Re: [gentoo-user] sudo in kernel config ?

[Bill Longman]

[-- Attachment #1: Type: text/plain, Size: 526 bytes --]

> I agree there's no point in using sudo, but what's the problem? You
> don't need to edit the kernel sources merely to build a new kernel. You
> can build your kernel outside the tree using for example:
> make O=/home/user/kernel/tree/ menuconfig
> make O=/home/user/kernel/tree/
>
>
This is how I do it, too, when testing the kernel before I do it for real.
This way, the code stays owned by root and I can make to my hearts content,
with different kernels going into different directories that I control.

-- 
Bill Longman

[-- Attachment #2: Type: text/html, Size: 766 bytes --]

Re: [gentoo-user] sudo in kernel config ?

[Al]

>> This was actually a potential risk once upon a time:
>
> Sorry to drift from the topic, but would somebody please explain to me
> what a potential risk is? How does it differ from a risk?

A risk is always potential. A potential risk is when you are not sure
if it is a risk at all.

Al

[gentoo-user] Re: sudo in kernel config ?

[walt]

On 09/11/2010 01:18 PM, Alan McKinnon wrote:

> The root user (sometimes portage) creates /usr/src/linux-*
>
> Someone tell me again exactly how user alan is supposed to build those
> sources?

 From the kernel README:

    To configure and build the kernel use:
    cd /usr/src/linux-2.6.N
    make O=/home/name/build/kernel menuconfig
    make O=/home/name/build/kernel