Making the kernel as root - is that dangerous ?


Post by driverC » Wed Apr 20, 2011 6:24 pm

I was intending to set up a kernel with grsec on a Centos 5.5 Cpanel server as per the instructions in:
http://wiki.fiber-hosting.com/Cpanel-with-grsec-how-to

However, on the following page that http://wiki.centos.org/HowTos/Custom_Kernel is linking to they say one should not compile a kernel as root since that may break stuff on the system to a degree where a reinstall may become necessary:
http://www.owlriver.com/tips/non-root/

I am not sure how I would go about setting up a non root environment that can compile a kernel. At least not on a Cpanel server.

So what do you guys say ? Is it a good idea to compile a grsec protected kernel as per the above instructions or will that mess things up if I do it as root ?
driverC
 
Posts: 2
Joined: Wed Apr 20, 2011 6:10 pm

Re: Making the kernel as root - is that dangerous ?

Post by specs » Thu Apr 21, 2011 2:03 am

There are certain risks with compiling a kernel as root.
Theoretically during the compilation all commands present in the Makefile will be executed...
But then there are a lot more risks compiling a kernel.

A few remarks:
- would you want a compiler on a production system?
- would you like a normal user to read and write kernel configuration?
- would you like a normal user to install the kernel in the right place?
- would you like a normal user to tinker with grub or lilo?
- would you like a normal user to reboot the system?

You could use the INSTALL_PATH to gather all you need to install in one place. Then you still need to copy, run depmod, etc.

Each of these issues introduces a (small) security problem. Some of these issues can be bypassed by compiling kernels on another system.
But it still leaves the problem of "someone" logging in to put a kernel+modules in the right place, changing lilo/grub and rebooting the system.

However, I do believe that the problems Centos is referring to are most probably newbie problems, as problems compiling a kernel used to fill many support questions (long long ago).
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am
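
The split discussed in this thread, as an added example that is not part of either post and not code from grsecurity or CentOS: build and stage as an unprivileged user, then let root audit the staged tree before copying it. Function names and paths are hypothetical, and an x86 tree that is already configured is assumed; modules are staged with INSTALL_MOD_PATH and the image is copied by hand rather than through INSTALL_PATH.

```shell
#!/bin/sh
# Added example. Function names and directory layout are hypothetical;
# an x86 tree that is already unpacked and configured is assumed.

# Step 1, as the unprivileged build user.
build_and_stage() {   # usage: build_and_stage <src_dir> <stage_dir>
    src=$1; stage=$2
    [ "$(id -u)" -ne 0 ] || { echo "refusing to build as root" >&2; return 1; }
    make -C "$src" bzImage modules || return 1
    ver=$(make -s -C "$src" kernelrelease) || return 1
    mkdir -p "$stage/boot" || return 1
    # Copied by hand: "make install" may hand off to the distribution's
    # /sbin/installkernel, which expects to run as root.
    cp "$src/arch/x86/boot/bzImage" "$stage/boot/vmlinuz-$ver" || return 1
    cp "$src/System.map" "$stage/boot/System.map-$ver" || return 1
    cp "$src/.config" "$stage/boot/config-$ver" || return 1
    make -C "$src" INSTALL_MOD_PATH="$stage" modules_install || return 1
    # modules_install leaves build/source links into the build user's tree.
    rm -f "$stage/lib/modules/$ver/build" "$stage/lib/modules/$ver/source"
}

# Step 2, as root: report staged entries that must not be installed as-is.
# Prints one finding per line and returns 1 if there are any.
audit_stage() {       # usage: audit_stage <stage_dir>
    found=$(
        # setuid, setgid or world-writable files and directories
        find "$1" \( -type f -o -type d \) \
            \( -perm -4000 -o -perm -2000 -o -perm -0002 \) \
            -exec echo bad-mode {} \;
        # absolute symlinks (they resolve outside the staged tree)
        find "$1" -type l -lname '/*' -exec echo abs-symlink {} \;
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Step 3, as root: copy (root becomes the owner) and rebuild module deps.
install_staged() {    # usage: install_staged <stage_dir> <kernel_version>
    audit_stage "$1" || return 1
    cp "$1"/boot/*-"$2" /boot/ || return 1
    cp -R "$1/lib/modules/$2" /lib/modules/ || return 1
    depmod -a "$2"
    # The grub/lilo entry and the reboot remain manual, as the reply notes.
}
```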

