Where to put kernel tree? (was: unable to locate struct uart_driver!!)

----- Original Message -----
From: Greg KH <greg@kroah.com>
Date: 	Wed, 24 Dec 2003 08:42:13 -0800
To: Mandeep Singh Sandhu <mandeep_sandhu@infosys.com>
Subject: Re: SOS: unable to locate struct uart_driver!!

Re: Why are you looking under /usr/src?  Did you put your kernel source
Re: there?  I'd really recommend _not_ doing that, and working on the kernel
Re: source tree in your own directory.

Greg,

I guess you are asking this out of paranoia?

I'd like to know how much effort is needed to achieve a reasonable degree of security.  My development environment has changed somewhat recently.  I've gone from a single machine that I might sometimes run a development kernel on, to three, with a kgdb->gdb serial interface for two of them.

I keep all source, and usually place new RPMs, in the /usr/src partition.  I sometimes wonder why I do this, since /usr/src/ had to be world writable when it belonged to root.  The RPMs are moved to a local network accessible ftp archive after I'm done with them on my main machine.  I then export /usr/src nfs ro, so I can cp the results of a build to the other side of the kgdb->gdb serial link.  I know I would save some time cp'ing if I build on the gdb machine, and just cp bzImage and the modules to the test machine, but I wonder if /usr/src would need to be exported rw for that?  Does 'make modules_install' need to write anything in the kernel tree if everything is already up to date?

I've also nfs exported /var/cache/apt rw to have a single repository for my local network of three RH9 machines.  This is all behind a firewall that I 'think' is relatively secure.

At this time I would not put source in my user directory because the /home partition ( 1.4G of 2G used ) is not large enough to accommodate all the cruft I've got cluttering up /usr/src at this time. ( 7.4G of 8.2G used )

For the kernel tree, when I unpack it, I usually start as root, and chown to a normal user.  It appears that the files in the tar ball are attrib 644 to start, so this should be a reasonable degree of security.  I should probably be extracting things as a normal user, but to install RPM's I have to be root, and I've gotten into the habit of extracting things as root too.

Repartitioning is always an exciting undertaking, so if you can present compelling reasons against my current practice of keeping the kernel source in /usr/src, I'll certainly listen.  If a root exploit happens, it does not matter where I put anything.  If a user is hacked, I've at least restricted the source code to a single regular user.  I can't remember when, but at some point in the past I did a chown -R /usr/src to a regular user.  So /usr/src and its content belongs to a user, not root.  Since then only one file in /usr/src has been created that does not belong to that user, and it is not root's either.  I've just realized that /usr/src does not need to be 777 anymore, since only one user ever creates files there. I'll change it to 755, like everything else in /usr, and feel a lot better about it!

Thanks for your time, and Merry Christmas,

Perry
--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/
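
The two conditions raised in the message above (a world-writable source directory, and files in the tree not owned by the one build user) can be checked with a short audit. This is an added example, not part of the original post; the function names, the `/usr/src` argument and the `builduser` name in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: audit a source tree for world-writable entries and for
# entries not owned by the expected (non-root) build user.

# world_writable DIR: list entries under DIR (DIR itself included) that any
# local user can write to. Symlinks are skipped because their mode bits
# are not what the kernel checks.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# foreign_owned DIR OWNER: list entries not owned by OWNER.
# OWNER may be a user name or a numeric uid.
foreign_owned() {
    find "$1" ! -user "$2" -print
}

# audit_tree DIR OWNER: print findings; return 0 if the tree is clean,
# 1 if anything was flagged.
audit_tree() {
    dir=$1
    owner=$2
    status=0
    ww=$(world_writable "$dir")
    fo=$(foreign_owned "$dir" "$owner")
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww"
        status=1
    fi
    if [ -n "$fo" ]; then
        printf 'not owned by %s:\n%s\n' "$owner" "$fo"
        status=1
    fi
    return $status
}

# Usage (path and user name are placeholders):
#   audit_tree /usr/src builduser
```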

