From: Arthur Machlas on
On Thu, Aug 12, 2010 at 8:41 AM, Stephen Powell <zlinuxman(a)wowway.com> wrote:
> On Wed, 11 Aug 2010 17:33:12 -0400 (EDT), Bob Proulx wrote:
>> Then log out.  At login you will be set to those additional groups.
>> With those in place you can work as yourself in those areas.  Safer
>> than using root since as yourself you can't smash anything in the
>> system directories /etc or /bin or /var or other system locations.
>> This makes installing local software through 'make install' much safer
>> and more contained when not done as root.  If one were to crawl out of
>> /usr/local for example you would see the failure.  If you were running
>> as root then you would not.

Isn't there a risk in granting user access to src, adm, and such if
ever your user account is compromised? My uninformed opinion is that
it's a question of relative risk; the 'risk' involved in building
kernels as root, versus the risk involved in giving access to these
dirs and tools should your account become compromised.


--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/AANLkTikqRfH+fg3zvS3qYNPmFieSKPzEs0j-Sw_T?b(a)mail.gmail.com
From: Stephen Powell on
On Thu, 12 Aug 2010 12:10:16 -0400 (EDT), Arthur Machlas wrote:
> On Wed, 11 Aug 2010 17:33:12 -0400 (EDT), Bob Proulx wrote:
>> Then log out.  At login you will be set to those additional groups.
>> With those in place you can work as yourself in those areas.  Safer
>> than using root since as yourself you can't smash anything in the
>> system directories /etc or /bin or /var or other system locations.
>> This makes installing local software through 'make install' much safer
>> and more contained when not done as root.  If one were to crawl out of
>> /usr/local for example you would see the failure.  If you were running
>> as root then you would not.
>
> Isn't there a risk in granting user access to src, adm, and such if
> ever your user account is compromised? My uninformed opinion is that
> it's a question of relative risk; the 'risk' involved in building
> kernels as root, versus the risk involved in giving access to these
> dirs and tools should your account become compromised.

Obviously, the more groups an id is a member of, the more harm
that id can do in the hands of a malicious (or foolish) user. And that's
one reason why I can't make everyone happy no matter what my web page
says! I suppose the most secure method would be to create an id just
for kernel building which is a member of group src and its login
group, and that's it.

--
.''`. Stephen Powell
: :' :
`. `'`
`-


Archive: http://lists.debian.org/1411985608.44786.1281630874966.JavaMail.root(a)md01.wow.synacor.com
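
Added example, not part of the original thread or of any poster's message: one way to check that a dedicated build account holds only group src beyond its login group, as suggested in the message above. The account names "kbuild" and "alice" and the sample passwd/group contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit accounts against the "group src and its login
# group, and that's it" rule. All account data below is constructed.

# supp_groups USER PASSWD_FILE GROUP_FILE
# Prints USER's supplementary groups, one per line (login group excluded).
supp_groups() {
    awk -F: -v u="$1" '
        FNR == NR { if ($1 == u) gid = $4; next }   # 1st file: find login GID
        gid != "" && $3 == gid { next }             # skip the login group
        {
            n = split($4, m, ",")                   # member list, field 4
            for (i = 1; i <= n; i++) if (m[i] == u) print $1
        }
    ' "$2" "$3"
}

# excess_groups USER PASSWD_FILE GROUP_FILE ALLOWED...
# Prints supplementary groups USER holds that are not in ALLOWED.
excess_groups() {
    user=$1 passwd=$2 group=$3
    shift 3
    supp_groups "$user" "$passwd" "$group" | while read -r g; do
        case " $* " in
            *" $g "*) ;;            # on the allow-list
            *) echo "$g" ;;         # more privilege than the rule grants
        esac
    done
}

# make_sample DIR: write constructed passwd/group files. "kbuild" is a
# hypothetical dedicated build account; "alice" is an everyday account.
make_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'kbuild:x:1001:1001::/home/kbuild:/bin/sh' > "$1/passwd"
    printf '%s\n' 'root:x:0:' 'adm:x:4:alice' 'src:x:40:alice,kbuild' \
        'staff:x:50:alice' 'alice:x:1000:' 'kbuild:x:1001:' > "$1/group"
}

demo=$(mktemp -d)
make_sample "$demo"
for acct in alice kbuild; do
    echo "$acct beyond src: $(excess_groups "$acct" "$demo/passwd" "$demo/group" src | tr '\n' ' ')"
done
rm -rf "$demo"
```

For local accounts the same functions can be pointed at /etc/passwd and /etc/group; accounts that come from LDAP or another NSS source do not appear in those files.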
From: Bob Proulx on
Stephen Powell wrote:
> I do know about groups, but I don't necessarily know the intended
> purpose of all of the pre-defined groups in a Linux system. Where
> can I find documentation for that?

Unfortunately I have no idea. I don't even know if they are all
documented someplace. And distro to distro those will vary since they
tend to be local administration conventions.

> Still, I should have noticed that the /usr/src directory was owned
> by user root and by group src. For some reason, I never made that
> connection. That's a great tip, thanks. I will have to play around
> with this. If I can get everything to work, then the next revision
> of my kernel building web page will be revised accordingly.

Don't berate yourself. There is too much information in the universe
to know all of it! Only by working together can we manage to get a
handle on even a small fraction of it.

Bob
From: Sven Joachim on
On 2010-08-12 18:10 +0200, Arthur Machlas wrote:

> Isn't there a risk in granting user access to src, adm, and such if
> ever your user account is compromised?

This depends on how the computer is used, I suppose. On personal
desktops/laptops, giving intruders access to these groups is the least
of your worries, because your private data are 1000 times more
sensitive.

> My uninformed opinion is that
> it's a question of relative risk; the 'risk' involved in building
> kernels as root, versus the risk involved in giving access to these
> dirs and tools should your account become compromised.

The kernel releases are cryptographically signed¹, and it is certainly a
good idea to verify them before building and installing a kernel.

Sven


¹ http://www.kernel.org/signature.html


Archive: http://lists.debian.org/87y6cb4uhy.fsf(a)turtle.gmx.de
From: Sven Joachim on
On 2010-08-12 19:25 +0200, Bob Proulx wrote:

> Stephen Powell wrote:
>> I do know about groups, but I don't necessarily know the intended
>> purpose of all of the pre-defined groups in a Linux system. Where
>> can I find documentation for that?
>
> Unfortunately I have no idea. I don't even know if they are all
> documented someplace. And distro to distro those will vary since they
> tend to be local administration conventions.

For Debian, there is some information in the /usr/share/doc/base-passwd/
directory.

>> Still, I should have noticed that the /usr/src directory was owned
>> by user root and by group src. For some reason, I never made that
>> connection. That's a great tip, thanks. I will have to play around
>> with this. If I can get everything to work, then the next revision
>> of my kernel building web page will be revised accordingly.
>
> Don't berate yourself. There is too much information in the universe
> to know all of it! Only by working together can we manage to get a
> handle on even a small fraction of it.

Yes, even the base-passwd maintainers who keep the users and groups with
ID < 100 in sync across Debian installations have sometimes no clue what
a specific group is or was good for. Here is what they say about the
'bin' and 'sys' groups:

,----
| bin
|
| HELP: No files on my system are owned by user or group bin. What good are
| they? Historically they were probably the owners of binaries in /bin? It is
| not mentioned in the FHS, Debian Policy, or the changelogs of base-passwd
| or base-files.
| [...]
|
| sys
|
| HELP: As with bin, except I don't even know what it was good for
| historically.
`----

Sven


Archive: http://lists.debian.org/87ocd74swz.fsf(a)turtle.gmx.de