LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Kernel page

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

LK2008: The values of the Linux community

LWN.net Weekly Edition for October 9, 2008

Plugging into GCC

LWN.net Weekly Edition for October 2, 2008

Ubuntu debuts its Upstream Report

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Quote of the week

[Posted June 28, 2006 by cook]

No, the inevitable flame war here is the abusive way of telling people not to extract the kernel sources as root. This argument boils down to a fundamental disjunct: trust people to handle security of their own box their own way, with full knowledge of how their tools work, or assume that they aren't intelligent enough to use tools sanely and securely, and handicap so they don't have to. The latter, much as it is not seen this way, is the abusive philosophy. The former trusts the user.

Yes, there's a learning curve. There is always a learning curve. Never expect there not to be a learning curve.

-- Matthew Frost <artusemrys -at- sbcglobal.net>

(Log in to post comments)

Quote of the week

Posted Jun 29, 2006 14:57 UTC (Thu) by ortalo (subscriber, #4654) [Link]

Hmmm. I don't really understand this quote. Really.

Anyway, IMHO, the whole issue of security is not so much about whether or not we trust users, but whether or not we care about protecting users.

Quote of the week

Posted Jul 6, 2006 19:32 UTC (Thu) by TuftedPuffin (guest, #27584) [Link]

How well do you like to be "protected" by the software on your computer? For an awful lot of people, such "protection" just gets in their way and they disable it if they can. And if not, they'll gripe or migrate or whatever.

Quote of the week

Posted Jun 29, 2006 20:16 UTC (Thu) by avik (subscriber, #704) [Link]

Had the tarballs been generated without world write access, and had
someone complained, I'm sure those same people would have rushed to
explain the world write access is a security hole, and that we should
be "secure by default", and that only M-dollar-sign doesn't care about
basic security.

Quote of the week

Posted Jul 10, 2006 18:17 UTC (Mon) by emk (subscriber, #1128) [Link]

OK, so users shouldn't extract or compile kernels as root. I'm OK with that as a matter of policy (and it's good advice for compiling any software).

On the other hand, lots of distributions and users still follow the old broken workflow, and are exposing themselves to a root compromise. How hard is it, exactly, to set reasonable default permissions on the files in the tarball? I know plenty of sysadmins who don't read every post by Linus to lkml, and who didn't hear about this policy change.

And why on earth is a vital system component being packaged on a box with world-writable files, anyway?

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds