Gentoo Forums
Compile Kernel as non-root user

pingp
n00b
Joined: 12 Jul 2007
Posts: 11

Posted: Fri Jul 13, 2007 11:30 pm    Post subject: Compile Kernel as non-root user

According to Q&A

Important Warning: The kernel developers advise against uncompressing the kernel source code, configuring or building the kernel as root. It should be done as an ordinary user. Only the one or two commands needed to install the kernel and the modules should be run as root. There have been bugs in the build process in the past which have caused files in /dev to be deleted when run as root and uncompressing the kernel archive as root can lead to some files getting the wrong permissions. gkh-lkn: "None of the primary kernel developers build kernels as root"

This FAQ will consider two possible scenarios for a first or the first series of kernel compilations: using genkernel with the "--menuconfig" argument or running "make menuconfig" from the top of the kernel source tree.

Using just "genkernel all" may give you a kernel which boots but, later on, you may want to remove the modules you don't need and, at that point, this is the FAQ for you.

There are two possible settings for a kernel compilation, during installation while chroot'ed to your root filesystem and within a running Gentoo installation.

There are instructions on chroot'ing in the Handbook and the QuickInstall Guide but it seems worthwhile giving a potted version here to make it less likely that something isn't forgotten in going backwards and forwards.


But in the handbook (http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=7), the source is obtained through "emerge gentoo-sources", so it belongs to the root user, right? What is the right way to access and compile the source?

didymos
Advocate
Joined: 10 Oct 2005
Posts: 4798
Location: California

Posted: Sat Jul 14, 2007 12:02 am

Yeah, it fetches the source and unpacks it. That's it. It doesn't build a kernel. You can alter the permissions on the source directory.
_________________
Thomas S. Howard

PaulBredbury
Watchman
Joined: 14 Jul 2005
Posts: 7310

Posted: Sat Jul 14, 2007 12:44 am

No-one bothers, as far as I can tell. Whilst this is technically a risk, it's a very small risk.

didymos
Advocate
Joined: 10 Oct 2005
Posts: 4798
Location: California

Posted: Sat Jul 14, 2007 12:57 am

PaulBredbury wrote:
No-one bothers, as far as I can tell. Whilst this is technically a risk, it's a very small risk.


Yeah, and then there's that.
_________________
Thomas S. Howard

devsk
Advocate
Joined: 24 Oct 2003
Posts: 3003
Location: Bay Area, CA

Posted: Sat Jul 14, 2007 6:16 am

PaulBredbury wrote:
No-one bothers, as far as I can tell. Whilst this is technically a risk, it's a very small risk.

Actually, I will HIGHLY recommend that you use 'root' as the user who owns and builds the kernel sources. If a normal user owns the source or has write permissions to it, a simple web page can "potentially" change the code to include anything it wants in the kernel and next time you build the kernel and install it, you are toast.

NEVER have anybody other than 'root' have the write perms on the kernel source. And about deleting the /dev and other crap, it's an old myth. Nothing like that happens and if it did, it will be fixed. A normal user will get tonnes of errors trying to delete /dev and since our kernel devs are running as normal users, according to their own advice, they will see those Makefile errors and should fix them in no time.

Cyker
Veteran
Joined: 15 Jun 2006
Posts: 1746

Posted: Sat Jul 14, 2007 12:24 pm

When I was a Slacker, I used to compile *everything* in my home dir in ~/src.

But I found that almost *anything* that did anything to the kernel (ALSA, lm_sensors, nVidia drivers, wifi crap etc.) would 'work', but in new and unusual meanings of 'work'.

I toyed with chgrp'ing the entire source tree to a group I made (source) with all the x6x and x7x permissions, but that didn't really work either.

After that I just did it as root.

There seemed to be two problems:
1) Things assuming the kernel source is in /usr/src/linux
Despite the fact that 'everyone' (Ah yes, that mystical meta-entity) says that /usr/src/linux is deprecated and shouldn't be used, the symlink is still alive and strong.
2) Things freaking out when they find things aren't root:root during some as-yet unknown part of the make.
But I never found anything that should cause this!

Often the whole process would work and even compile, but then later I'd get some weird obscure issues popping up with certain kernel modules not working properly.

I haven't tried since Slackware 8, and now since Gentoo seems to want to put the entire source in /usr/src as root:root and symlink to linux, I just go with the flow ;)

Hu
Administrator
Joined: 06 Mar 2007
Posts: 23091

Posted: Sat Jul 14, 2007 3:35 pm

devsk wrote:
PaulBredbury wrote:
No-one bothers, as far as I can tell. Whilst this is technically a risk, it's a very small risk.
Actually, I will HIGHLY recommend that you use 'root' as the user who owns and builds the kernel sources. If a normal user owns the source or has write permissions to it, a simple web page can "potentially" change the code to include anything it wants in the kernel and next time you build the kernel and install it, you are toast.


You do not need to give a non-root user privileges to modify the kernel sources. It is sufficient to set $KBUILD_OUTPUT to an appropriate directory, then cd to the source tree of your choice and work as normal. I have done this for the past several kernels with a dedicated non-root user and it works fine. You can even install the kernel into a staging area, then let root copy it to the live filesystem if you want to avoid running any make stages as root. If you do this, be sure that the copy by root does not preserve ownership. If it did, then the non-root user could write to the kernel image.

Merging out-of-kernel modules may require you to have root copy the .config back into the kernel source directory, depending on the module. I would consider it a bug if the module did not honor $KBUILD_OUTPUT, since the kernel configuration utilities put .config in $KBUILD_OUTPUT, not in the source directory.

Also, if you are running around with a configuration that lets a webpage update any files you own, you have bigger problems. ;)
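
Added example (not part of any post in this thread): the workflow Hu describes, written as shell functions, plus an ownership audit that also covers devsk's concern about a writable source tree. The paths, the function names and the x86 image location are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Paths and function names are assumed, not from the thread.

# List entries under $1 that are not owned by user $2 or that are
# group/other-writable (symlinks skipped). Empty output means clean.
audit_tree() {
    find "$1" ! -type l \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print
}

# Run as the dedicated non-root build user. The source tree $1 stays
# root-owned and read-only; objects and .config go to $2, results to $3.
# The bzImage path assumes an x86 build.
build_to_stage() (
    src=$1 out=$2 stage=$3
    export KBUILD_OUTPUT="$out"
    mkdir -p "$out" "$stage/boot" && cd "$src" || exit 1
    make menuconfig && make &&
    make modules_install INSTALL_MOD_PATH="$stage" &&
    cp "$out/arch/x86/boot/bzImage" "$stage/boot/vmlinuz"
)

# Run as root. Plain cp -R (no -p, no -a) creates the copies as the
# invoking user, so the build user does not end up owning the installed
# kernel image; umask 022 keeps new files from being group/other-writable.
install_staged() (
    umask 022
    mkdir -p "$2" && cp -RP "$1"/. "$2"/
)

# Typical sequence (commented out: needs a kernel tree and two accounts):
#   audit_tree /usr/src/linux root                      # root: expect no output
#   build_to_stage /usr/src/linux ~/kb/out ~/kb/stage   # build user
#   install_staged /home/kbuild/kb/stage/boot /boot     # root
#   audit_tree /boot root                               # root: expect no output
```

A file that already exists at the destination keeps its old owner when overwritten, which is why the final `audit_tree` run is worth keeping.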

devsk
Advocate
Joined: 24 Oct 2003
Posts: 3003
Location: Bay Area, CA

Posted: Sat Jul 14, 2007 3:54 pm

Hu wrote:
Also, if you are running around with a configuration that lets a webpage update any files you own, you have bigger problems. ;)

Not everybody can find and fix Gecko or KHTML vulnerabilities? Do you? I don't. And I assume they are there.

I believe in simple approaches, and most security options are simple.

All times are GMT