Re: [gentoo-dev] Kernel compiles and you
Hi! On Thu, 05 Jul 2012, Dan Douglas wrote: On Wednesday, July 04, 2012 10:30:20 PM Peter Stuge wrote: You may recall there was a kernel build system bug which ran -rf / which would be bad if you built as root. So there isn't anything during the build that requires writing outside the source tree? Since I use a custom script for automating the build, there would be no problem with having it run everything in the sandbox itself up to installing the modules? Correct. The only targets that write outside the tree are: install modules_install firmware_install headers_install Plus, possibly, arch-specific targets. I only know about x86/amd64 and alpha. Regards, Tobias
Re: [gentoo-dev] Kernel compiles and you
Hi! On Wed, 04 Jul 2012, Greg KH wrote: Recently, I have again bumped into the question whether one should compile the kernel as root. One of the things that puzzles me is why almost every HowTo, blog post and book recommends building as non-root -- yet basically no distribution /helps/ the user with doing that. Most distros don't have to do anything, they are not requiring users to build their own kernels :) As I noted in the blog post. There are still people who prefer to roll their own, but still want to use a binary distro. Those people usually do the wget+tar xf approach, completely ignoring the package manager. And that's just dandy. As I also noted in the blog post, the more radical approach for binary distros is to not supply kernel sources as a package at all. Either you use their binary kernel or you're completely on your own. It's probably what I'd do were I to run such a project. Problem with that approach for us (as in Gentoo) is of course, that we need suitable sources (and config) in an easily findable place since assorted stuff depends on it at build time. So in reality, they all do help their users with this, it's trivial to build a kernel as a user on those distros. Actually, it is also on Gentoo, there's no need to ever put a kernel anywhere except in your home directory when building it. Mhm? So how do udev, glibc et al then find out if you have the right options set? What about the assorted ebuilds of out-of-kernel software that needs to access the sources? I'm well aware that for some, this is not a strict necessity (they could just hope you did set them up right or look at /proc/config.gz), but dropping the kernel source ebuilds would be rather radical -- I don't see that happening any time soon. Oh, and one more reason you never want to build your kernel as root, a few years ago, the kernel build process had a bug where it accidentally tried to do a 'rm -rf /*' on your filesystem. None of the kernel developers ever noticed that as they didn't build a kernel as root, and the bug stuck around for a relativly long time (weeks at least.) There was also some semi-serious talk about leaving it in the build as well, just to catch people who were doing this, but sanity prevailed and it was fixed. But, you never know if that old bug might slip back in one day :) I vaguely remembered the rm-rf bug, but I was unable to find any reference to it (at least not easily), do you happen to have a pointer? Regards, Tobias -- Sent from aboard the Culture ship Advanced Case Of Chronic Patheticism
Re: [gentoo-dev] Kernel compiles and you
Am 05.07.2012 01:58, schrieb Rich Freeman: About the only really safe approach would be to run as a limited user, install it into some offset/chroot, package it, and then install it using portage as a binpkg. That actually has advantages on many levels, and it basically is what we do with everything else. I think that's a good idea to have a script which packs the needed files (kernel) and modules into a binpkg: - define KBUILD_OUTPUT - after emerging the sources (or downloading), configure and build your kernel - launch a script which 'installs' the modules and also the kernel in a sandbox like portage normally does and generates a binpkg with a given version number (or auto generated based on kernel version) - install the binpkg (or advise the script to do so) this has the advantage, we can build the kernel as user and also have all installed files recorded by the package manager (which is unfortunately not the case with the current approach) which makes removing them much easier (only remove -source- and/or -bin- pkg) /martin
Re: [gentoo-dev] Kernel compiles and you
The Linux kernel should not and really must not be built as root. This is neither supported nor recommended nor tested by upstream. You may recall there was a kernel build system bug which ran -rf / which would be bad if you built as root. The administrator usually has a normal user account somewhere. Use that to build. Maybe it's just the sysadmin in me, and being used to logging into hundreds of boxes where the only non-root accounts are dedicated to specifics apps which have specific reasons to limit their security access (nginx/etc), but the concept that simply compiling a kernel as root being a dangerous operation -- seems twisted. From a system reliability point of view, compiling a kernel should be something I can do on all boxes when if needed and the only account that I can ensure exists on all boxes is root. Still, I guess it makes sense from the perspective of the kernel developers and we're stuck with that, although -- the gloating over 'rm -rf' seems overdone. In any case, if we must go down this road..than the proper solution is to treat the kernel like any other security sensitive app. Create a new designated user for compiling kernels - call it 'kernel' and over time we'll grow used to it being on all boxes. We can adjust our automated kernel building scripts to su to the kernel user before issuing make commands/etc and the makefile can terminate abnormally if it detects it is being run from any other user than 'kernel'.
Re: [gentoo-dev] Kernel compiles and you
Il 05/07/2012 10:27, Tobias Klausmann ha scritto: I vaguely remembered the rm-rf bug, but I was unable to find any reference to it (at least not easily), do you happen to have a pointer? Regards, Tobias neither I, but look at this bug for an example http://lkml.indiana.edu/hypermail/linux/kernel/0601.2/0877.html start search: linus build as root kernel 2.6.16 rm -f
Re: [gentoo-dev] Kernel compiles and you
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 07/05/2012 06:23 AM, Matthew Marlowe wrote: The Linux kernel should not and really must not be built as root. This is neither supported nor recommended nor tested by upstream. You may recall there was a kernel build system bug which ran -rf / which would be bad if you built as root. The administrator usually has a normal user account somewhere. Use that to build. Maybe it's just the sysadmin in me, and being used to logging into hundreds of boxes where the only non-root accounts are dedicated to specifics apps which have specific reasons to limit their security access (nginx/etc), but the concept that simply compiling a kernel as root being a dangerous operation -- seems twisted. From a system reliability point of view, compiling a kernel should be something I can do on all boxes when if needed and the only account that I can ensure exists on all boxes is root. Still, I guess it makes sense from the perspective of the kernel developers and we're stuck with that, although -- the gloating over 'rm -rf' seems overdone. In any case, if we must go down this road..than the proper solution is to treat the kernel like any other security sensitive app. Create a new designated user for compiling kernels - call it 'kernel' and over time we'll grow used to it being on all boxes. We can adjust our automated kernel building scripts to su to the kernel user before issuing make commands/etc and the makefile can terminate abnormally if it detects it is being run from any other user than 'kernel'. portage already has a portage user which is used to build (or pretty much do) everything else if you set FEATURES=userpriv usersync usersandbox so do we really need a kernel user to build the kernel? How about a kde user to build kde? I for one do not need a new user on my system every time I want to build something new. For all I care, build as nobody, but adding a kernel user is ridiculous. - -Zero -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.19 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJP9Z6OAAoJEKXdFCfdEflKhMsQAIBaqxWhRzkRmdYGajqItyKV DHAIE6LyY9lQ08rHV8eWXi/lKjUamM22wRrvOiHg/z0Cwu1shHgQtsuxJZZ3bJ6W hkvNLMOEkUaGlWFwhwYfUKWXDgS01eJc7OAF63Vxfgq+F8kpdM5SajeAVh+6XRp6 ea2NB1ywmqChqXc5M/ZkA28Y2IzT8hyrdiqFG5n0d63W8vt39kTgBpNkrJvoBEbh s7Fpmli+RTlR8bGjYVyAuimUQfL3R+GulbI+5JEseVCzCs8VeoY/Ab0s0XctA+hx LRa1SzUG2rP8UjMoVZYFnxvVp0YX76t3b50qL+USyq0VDdEeoi4XzxMzVcKnkkb7 lBtlkp4IwsxC9NfDb2aYM5iStGo1nTSJ/nK6XIbl8ePYCh2iuq9mFFrZAURUUqpS hdd21VchpyC2exuvg1tImmddetiPE0aiwQUqAOVQEwIZ/ViWDdRCjkk7sN3y039A it/Ddr5DGe7P/TzPq2Q5mNlaonVbGrqz5dqObfky0oYzqHoRb06+PGq1fjNXWx/s WtqnaJHH86kol/AIsMpN/0FRQ2bGzDibG3VLezjklpmxczPqq9CQWuYzRqRw5q57 9/8LO7aPsEAIW/7+Y+pe2asTI1ZfUJIUsmDvQqZKA2oeJ3kqa4dtLyqv2bgfAi8R DAV8uC+2xbRFlas47b7F =NhiX -END PGP SIGNATURE-
Re: [gentoo-dev] Kernel compiles and you
On Wed, 2012-07-04 at 22:22 -0400, Mike Frysinger wrote: On Wednesday 04 July 2012 21:36:02 Albert W. Hopkins wrote: Might it be better if you could tell portage to look for kernel builds in another location than /usr/src/linux. Perhaps you can already and I'm not aware. export KBUILD_OUTPUT=... That'll work. Thanks!
Re: [gentoo-dev] Kernel compiles and you
On Wednesday, July 04, 2012 10:30:20 PM Peter Stuge wrote: You may recall there was a kernel build system bug which ran -rf / which would be bad if you built as root. So there isn't anything during the build that requires writing outside the source tree? Since I use a custom script for automating the build, there would be no problem with having it run everything in the sandbox itself up to installing the modules? -- Dan Douglas
[gentoo-dev] Kernel compiles and you
Hi! Recently, I have again bumped into the question whether one should compile the kernel as root. One of the things that puzzles me is why almost every HowTo, blog post and book recommends building as non-root -- yet basically no distribution /helps/ the user with doing that. I've discussed this with a few people on #gentoo-dev and they've provided valuable insight (thanks AxS, Chainsaw and WilliamH), so I have gathered the results so far here: http://blog.i-no.de/archives/2012/07/index.html#e2012-07-04T19_28_32.txt Feel free to comment (ideally here). Note that I'm aiming for a solution that is not (overly) Gentoo-specific. Thanks, Tobias (aka Blackb|rd on Freenode) -- Sent from aboard the Culture ship GSV Just Read The Instructions
Re: [gentoo-dev] Kernel compiles and you
On Wed, 4 Jul 2012 19:46:47 +0200 Tobias Klausmann klaus...@gentoo.org wrote: Recently, I have again bumped into the question whether one should compile the kernel as root. One of the things that puzzles me is why almost every HowTo, blog post and book recommends building as non-root -- yet basically no distribution /helps/ the user with doing that. I've discussed this with a few people on #gentoo-dev and they've provided valuable insight (thanks AxS, Chainsaw and WilliamH), so I have gathered the results so far here: http://blog.i-no.de/archives/2012/07/index.html#e2012-07-04T19_28_32.txt Feel free to comment (ideally here). Note that I'm aiming for a solution that is not (overly) Gentoo-specific. There's a very simple yet custom solution I'm using. Shortly saying: checkout the kernel git to /usr/src/linux and chown to your user. As far as it goes, it's superior to having kernel sources installed by ebuilds. I just have to remember to do 'git fetch' from time to time and 'git merge' whenever a new version is tagged. -- Best regards, Michał Górny signature.asc Description: PGP signature
Re: [gentoo-dev] Kernel compiles and you
Hi! On Wed, 04 Jul 2012, Michał Górny wrote: There's a very simple yet custom solution I'm using. Shortly saying: checkout the kernel git to /usr/src/linux and chown to your user. As far as it goes, it's superior to having kernel sources installed by ebuilds. I just have to remember to do 'git fetch' from time to time and 'git merge' whenever a new version is tagged. It is also beyond the package manager's control. That means users who want to just configure their kernel (and run point releases otherwise) have to actively check for new tags/versions. Aside from that the git tree is not exactly lightweight: my current 2.6 checkout weighs in at 1.4G whereas the unpacked tar is 512M. I'll amend the blog post, though. Regards, Tobias -- Sent from aboard the Culture ship GSV Just Read The Instructions
Re: [gentoo-dev] Kernel compiles and you
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 07/04/2012 01:58 PM, Michał Górny wrote: On Wed, 4 Jul 2012 19:46:47 +0200 Tobias Klausmann klaus...@gentoo.org wrote: Recently, I have again bumped into the question whether one should compile the kernel as root. One of the things that puzzles me is why almost every HowTo, blog post and book recommends building as non-root -- yet basically no distribution /helps/ the user with doing that. I've discussed this with a few people on #gentoo-dev and they've provided valuable insight (thanks AxS, Chainsaw and WilliamH), so I have gathered the results so far here: http://blog.i-no.de/archives/2012/07/index.html#e2012-07-04T19_28_32.txt Feel free to comment (ideally here). Note that I'm aiming for a solution that is not (overly) Gentoo-specific. There's a very simple yet custom solution I'm using. Shortly saying: checkout the kernel git to /usr/src/linux and chown to your user. As far as it goes, it's superior to having kernel sources installed by ebuilds. I just have to remember to do 'git fetch' from time to time and 'git merge' whenever a new version is tagged. Honestly I'm not certain if there is an easy way to do this Obvious easy way, make the ebuilds install the kernel sources and chown root.users then chmod g+w. Of course, after this any user could trojan the kernel... We could allow writes in the directories but not to the kernel source files themselves... that seems moderately sane even as the source files don't need to be written to be compiled, only the dir's need write permissions... Thoughts? - -Zero -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.19 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJP9IlzAAoJEKXdFCfdEflK2r0P/1vM8la8nR6ZmZ4jkvMwSTnL pEdbHKtYB3BbwBySpGPDWslxZ+CGAAlpsTTXDKhSnIB73IKZL1zzWylD7VVrIt/s ezpB2LDnZx2uae46CBMYh7fIzt3d4/so4Yprfpx45H89lcoTkfKai3xVkb2T/cQC uP8XmeM0CO5wcwOEJD1FADmkThkOa1tunphr+jWZ3S09hJ9UZ/Zbk+zZr7+XTHG8 xJui8G6cdOsLOXdcQALIJzGDvUID++hJ4LVMr+JIGwfvrjQkwrGikB8WMH61Ftcs Qvc1cidsTQEw4UZeGtYBy8BELpJaH00PTtoupCcOxq7luIz6F4QYQm8X2nIBliHX rpnwll08tbAZl5Dt1XsndHWiEevn8VWUIQrJSeeV/McayCjTUJAV9gcbksKASS6V XXaJfUpeinUbOzjTIXscBOyd5HM60lU0IdprvczXop/q8nOUovQt04u69J3v6Fkc W9Z8mugrRLTGr5XP6pMpfeLGzrmMYNRzPVx6eZb3a2+b/vi1gS0KlDeMbaed7CPI BIBZbrn7rUWjnOv8bifcJZ6FIRhTpqG4azcLrb9RXyR7OxO+1rA82uc1+GLMhBHI YYFVWUijIIE8lgcremmEYSqHpyGUWUNYBz7M+7MHA9I1hG7VMvbuPpnlXPZxuvqI 5nyGGNnZtPtf1Pc+csKC =8V1a -END PGP SIGNATURE-
Re: [gentoo-dev] Kernel compiles and you
On Wed, Jul 04, 2012 at 02:20:36PM -0400, Rick Zero_Chaos Farina wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 07/04/2012 01:58 PM, Michał Górny wrote: On Wed, 4 Jul 2012 19:46:47 +0200 Tobias Klausmann klaus...@gentoo.org wrote: Recently, I have again bumped into the question whether one should compile the kernel as root. One of the things that puzzles me is why almost every HowTo, blog post and book recommends building as non-root -- yet basically no distribution /helps/ the user with doing that. I've discussed this with a few people on #gentoo-dev and they've provided valuable insight (thanks AxS, Chainsaw and WilliamH), so I have gathered the results so far here: http://blog.i-no.de/archives/2012/07/index.html#e2012-07-04T19_28_32.txt Feel free to comment (ideally here). Note that I'm aiming for a solution that is not (overly) Gentoo-specific. There's a very simple yet custom solution I'm using. Shortly saying: checkout the kernel git to /usr/src/linux and chown to your user. As far as it goes, it's superior to having kernel sources installed by ebuilds. I just have to remember to do 'git fetch' from time to time and 'git merge' whenever a new version is tagged. Honestly I'm not certain if there is an easy way to do this Obvious easy way, make the ebuilds install the kernel sources and chown root.users then chmod g+w. Of course, after this any user could trojan the kernel... There is no need to chown or chmod anything. /usr/src/linux* is always world readable. We could allow writes in the directories but not to the kernel source files themselves... that seems moderately sane even as the source files don't need to be written to be compiled, only the dir's need write permissions... Actually the directories do not need write permissions either. Take a look at the O= option documented in /usr/src/linux/README. William pgpd90SjW3nS8.pgp Description: PGP signature
Re: [gentoo-dev] Kernel compiles and you
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/04/2012 08:56 PM, William Hubbs wrote: On Wed, Jul 04, 2012 at 02:20:36PM -0400, Rick Zero_Chaos Farina wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 07/04/2012 01:58 PM, Michał Górny wrote: We could allow writes in the directories but not to the kernel source files themselves... that seems moderately sane even as the source files don't need to be written to be compiled, only the dir's need write permissions... Actually the directories do not need write permissions either. Take a look at the O= option documented in /usr/src/linux/README. William Um, well, users can then write the the compiled files (.o in the tree). You can also set `chmod -R g+w /` and gave everyone full access. I think running kernels from non-root checkouts is a pretty big security hole. Michael - -- Gentoo Dev http://xmw.de/ -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.19 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iF4EAREIAAYFAk/0lFQACgkQknrdDGLu8JD3AwD8CWdFJemXSh4O4xS94AXfo1Bw 6XwIhGspPvP/EGI/+7cBAI486fBSopMQxB/IaFyDnwVxriLZxOan5SrqMJXWa8b5 =+ocR -END PGP SIGNATURE-
Re: [gentoo-dev] Kernel compiles and you
Michael Weber wrote: I think running kernels from non-root checkouts is a pretty big security hole. Suggest think again. The Linux kernel should not and really must not be built as root. This is neither supported nor recommended nor tested by upstream. You may recall there was a kernel build system bug which ran -rf / which would be bad if you built as root. The administrator usually has a normal user account somewhere. Use that to build. -sources ebuilds installing 755 root:root to /usr/src/linux is fine, but best avoid building in-tree in that case. //Peter
Re: [gentoo-dev] Kernel compiles and you
On Wed, 4 Jul 2012 20:06:58 +0200 Tobias Klausmann klaus...@gentoo.org wrote: Hi! On Wed, 04 Jul 2012, Michał Górny wrote: There's a very simple yet custom solution I'm using. Shortly saying: checkout the kernel git to /usr/src/linux and chown to your user. As far as it goes, it's superior to having kernel sources installed by ebuilds. I just have to remember to do 'git fetch' from time to time and 'git merge' whenever a new version is tagged. It is also beyond the package manager's control. That means users who want to just configure their kernel (and run point releases otherwise) have to actively check for new tags/versions. True. I think that's the direction I should look into improving. Aside from that the git tree is not exactly lightweight: my current 2.6 checkout weighs in at 1.4G whereas the unpacked tar is 512M. Well, that's the other problem. On the other hand, you usually have to have that 1G free anyway unless you intend to manually unmerge the previous *-sources before installing the new one. And the time needed to do that... git is so much faster. -- Best regards, Michał Górny signature.asc Description: PGP signature
Re: [gentoo-dev] Kernel compiles and you
On Wed, Jul 04, 2012 at 07:46:47PM +0200, Tobias Klausmann wrote: Hi! Recently, I have again bumped into the question whether one should compile the kernel as root. One of the things that puzzles me is why almost every HowTo, blog post and book recommends building as non-root -- yet basically no distribution /helps/ the user with doing that. Most distros don't have to do anything, they are not requiring users to build their own kernels :) So in reality, they all do help their users with this, it's trivial to build a kernel as a user on those distros. Actually, it is also on Gentoo, there's no need to ever put a kernel anywhere except in your home directory when building it. Oh, and one more reason you never want to build your kernel as root, a few years ago, the kernel build process had a bug where it accidentally tried to do a 'rm -rf /*' on your filesystem. None of the kernel developers ever noticed that as they didn't build a kernel as root, and the bug stuck around for a relativly long time (weeks at least.) There was also some semi-serious talk about leaving it in the build as well, just to catch people who were doing this, but sanity prevailed and it was fixed. But, you never know if that old bug might slip back in one day :) good luck, greg k-h
Re: [gentoo-dev] Kernel compiles and you
On Wed, Jul 4, 2012 at 7:49 PM, Maxim Kammerer m...@dee.su wrote: The KBUILD_OUTPUT / O= option seems like the best solution to me (especially so as I build three kernel images from a single sources tree), and it works well, except that it sometimes doesn't with especially monstrous and hard to configure packages such as virtualbox-guest-additions — see bug #424816. From a compatibility and simplicity standpoint simply making the directory group-writable seems like the simplest solution. However, the group should be something dedicated - not users. While I can see how build system bugs might be bad when running as root, you have to keep in mind that chances are that once you're done with building the kernel you're going to execute it in ring-0. When you run make modules_install that is also going to need to run as root and it could clobber things as well. About the only really safe approach would be to run as a limited user, install it into some offset/chroot, package it, and then install it using portage as a binpkg. That actually has advantages on many levels, and it basically is what we do with everything else. Rich
Re: [gentoo-dev] Kernel compiles and you
On 07/04/2012 07:58 PM, Rich Freeman wrote: On Wed, Jul 4, 2012 at 7:49 PM, Maxim Kammerer m...@dee.su wrote: The KBUILD_OUTPUT / O= option seems like the best solution to me (especially so as I build three kernel images from a single sources tree), and it works well, except that it sometimes doesn't with especially monstrous and hard to configure packages such as virtualbox-guest-additions — see bug #424816. From a compatibility and simplicity standpoint simply making the directory group-writable seems like the simplest solution. However, the group should be something dedicated - not users. A similar problem occurs in sys-freebsd/virtio-kmod. The ebuild works around it by copying all of the files into the build directory like what FreeBSD Ports does. We were able to improve on that by only copying the files that were needed and using hard links whenever possible. It should be possible to do the same here. signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Kernel compiles and you
On Thu, 2012-07-05 at 02:49 +0300, Maxim Kammerer wrote: On Wed, Jul 4, 2012 at 9:56 PM, William Hubbs willi...@gentoo.org wrote: Actually the directories do not need write permissions either. Take a look at the O= option documented in /usr/src/linux/README. The KBUILD_OUTPUT / O= option seems like the best solution to me (especially so as I build three kernel images from a single sources tree), and it works well, except that it sometimes doesn't with especially monstrous and hard to configure packages such as virtualbox-guest-additions — see bug #424816. I've experimented with O= in the past. It seems like a good solution, however... There are kernel-dependent packages that (seem to) always look for configuration options, symbols, etc. in /usr/src/linux. When you use O= then those features do not exist in /usr/src/linux and thus those packages will fail. So I have basically abandoned using O=. Might it be better if you could tell portage to look for kernel builds in another location than /usr/src/linux. Perhaps you can already and I'm not aware. If not, then this just be a lot of work and perhaps the benefits do not outweigh the effort involved? Anyway, just something to think about. -a
Re: [gentoo-dev] Kernel compiles and you
On Wednesday 04 July 2012 21:36:02 Albert W. Hopkins wrote: Might it be better if you could tell portage to look for kernel builds in another location than /usr/src/linux. Perhaps you can already and I'm not aware. export KBUILD_OUTPUT=... -mike signature.asc Description: This is a digitally signed message part.
Re: [gentoo-dev] Kernel compiles and you
On Thu, Jul 5, 2012 at 4:36 AM, Albert W. Hopkins mar...@letterboxes.org wrote: There are kernel-dependent packages that (seem to) always look for configuration options, symbols, etc. in /usr/src/linux. When you use O= then those features do not exist in /usr/src/linux and thus those packages will fail. So I have basically abandoned using O=. Try setting KBUILD_OUTPUT in /etc/make.conf — it will be used by linux-info.eclass (and linux-mod.eclass) automatically, so most kernel module-compiling ebuilds will do the right thing. There are exceptions, such as the VirtualBox packages above, which want access to the build tree outside module compilation for whatever reason, but I already found a fix for that specific problem (--with-linux=${KV_OUT_DIR}), so count me as a fan of O=. You can also apparently set KERNEL_DIR to something other than /usr/src/linux, but with eselect kernel available, this variable is probably best left alone. -- Maxim Kammerer Liberté Linux: http://dee.su/liberte