On 07/05/2012 06:23 AM, Matthew Marlowe wrote:
>> The Linux kernel should not and really must not be built as root.
>> This is neither supported nor recommended nor tested by upstream.
>> You may recall there was a kernel build system bug which ran -rf /
>> which would be bad if you built as root.
>>
>> The administrator usually has a normal user account somewhere. Use
>> that to build.
>>
>
> Maybe it's just the sysadmin in me, and being used to logging into
> hundreds of boxes where the only non-root accounts are dedicated to
> specific apps which have specific reasons to limit their security
> access (nginx/etc), but the concept that simply compiling a kernel as
> root being a dangerous operation -- seems twisted. From a system
> reliability point of view, compiling a kernel should be something I
> can do on all boxes when/if needed and the only account that I can
> ensure exists on all boxes is root.
>
> Still, I guess it makes sense from the perspective of the kernel
> developers and we're stuck with that, although -- the gloating over
> 'rm -rf' seems overdone.
>
> In any case, if we must go down this road... then the proper solution is
> to treat the kernel like any other security sensitive app. Create a
> new designated user for compiling kernels - call it 'kernel' and over
> time we'll grow used to it being on all boxes. We can adjust our
> automated kernel building scripts to su to the kernel user before
> issuing make commands/etc and the makefile can terminate abnormally if
> it detects it is being run from any other user than 'kernel'.
>
>

Portage already has a portage user, which is used to build (or pretty much do) everything else if you set FEATURES="userpriv usersync usersandbox", so do we really need a kernel user to build the kernel? How about a kde user to build KDE? I for one do not need a new user on my system every time I want to build something new.
For all I care, build as nobody, but adding a kernel user is ridiculous.
-Zero
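One way to follow the reply's suggestion of compiling as an existing unprivileged account rather than a dedicated kernel user, as an added example that is not part of the original thread. `KSRC`, `KOUT`, `DRY_RUN` and the function names are hypothetical; the `portage` and `nobody` candidates are the accounts named in the message.

```shell
#!/bin/sh
# Added example, not from the thread. KSRC, KOUT and the candidate accounts
# (portage, nobody) are assumptions; DRY_RUN=1 only prints the command.
KSRC=${KSRC:-/usr/src/linux}
KOUT=${KOUT:-/var/tmp/kbuild}

# Accept only plain path/target words, since they end up inside a shell string.
safe_word() {
    case $1 in
        ''|*[!A-Za-z0-9_./-]*) return 1 ;;
    esac
}

# Print the first candidate account that exists and is not uid 0.
pick_build_user() {
    for u in "$@"; do
        uid=$(id -u "$u" 2>/dev/null) || continue
        if [ "$uid" -ne 0 ]; then echo "$u"; return 0; fi
    done
    return 1
}

# Print the command for one make target ($1 = caller's uid, $2 = account, $3 = target).
kbuild_cmd() {
    safe_word "$KSRC" && safe_word "$KOUT" && safe_word "$3" || return 1
    make_cmd="make -C $KSRC O=$KOUT $3"
    if [ "$1" -eq 0 ]; then
        safe_word "$2" || return 1
        echo "su -s /bin/sh $2 -c '$make_cmd'"   # root hands the compile off
    else
        echo "$make_cmd"                          # already unprivileged
    fi
}

# Compile a target; root never runs make itself.
kbuild() {
    euid=$(id -u)
    user=
    if [ "$euid" -eq 0 ]; then
        user=$(pick_build_user portage nobody) || {
            echo "no unprivileged account found; not building as root" >&2
            return 1
        }
    fi
    cmd=$(kbuild_cmd "$euid" "$user" "${1:-all}") || return 1
    if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; return 0; fi
    if [ "$euid" -eq 0 ]; then mkdir -p "$KOUT" && chown -R "$user" "$KOUT" || return 1; fi
    sh -c "$cmd"
}
```

Only the compile is handed off here; installing the result (`make modules_install install`) still needs root.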