Kernel prepatch 2.6.37-rc3
Posted Nov 22, 2010 2:43 UTC (Mon) by Lennie (subscriber, #49641)
Posted Nov 22, 2010 3:22 UTC (Mon) by mfedyk (guest, #55303)
Posted Nov 22, 2010 9:29 UTC (Mon) by _otus (guest, #71411)
Posted Nov 22, 2010 4:35 UTC (Mon) by corbet (editor, #1)
Jaunty not even getting security updates.
Posted Nov 22, 2010 6:06 UTC (Mon) by gmatht (guest, #58961)
Posted Nov 22, 2010 7:47 UTC (Mon) by error27 (subscriber, #8346)
Sometimes it's a painful rule, but in this case it's easy. The commit breaks booting, which is an important feature, and anyway it's easy to get the same effect by doing a "chmod -r /proc/kallsyms" in the bootup scripts.
Posted Nov 22, 2010 12:10 UTC (Mon) by Karellen (subscriber, #67644)
Which means I'm not sure I would agree with this revert, as the opposite effect should also be achievable in userspace with a "chmod +r /proc/kallsyms" early in the bootup scripts. Those that want or need to enable the original behaviour can do so, while completely eliminating the (albeit brief) period of lesser security that the revert introduces for all users.
Surely the kernel should be as secure as possible by default, no?
Posted Nov 22, 2010 12:40 UTC (Mon) by rahulsundaram (subscriber, #21946)
Posted Nov 22, 2010 14:02 UTC (Mon) by tao (subscriber, #17563)
That said, I agree that taking broken userland behaviour into consideration in this case is stupid; Jaunty is unlikely to ship 2.6.37 anyway. Anyone installing a non-distro kernel should know what they're doing, and thus be able to also patch the relevant package that breaks because of this.
Posted Nov 22, 2010 15:22 UTC (Mon) by Karellen (subscriber, #67644)
Bolstered by the old cryptography saw that anyone can invent a cryptosystem which they themselves are not smart enough to crack, I'm not going to claim that just because I can't think of a way to exploit this problem, it cannot be exploited. Attackers can be fiendishly devious. I'd rather err on the side of caution.
Posted Nov 23, 2010 5:58 UTC (Tue) by error27 (subscriber, #8346)
If you're running a distro kernel then changing the permissions on kallsyms is pointless anyway.
Posted Nov 22, 2010 13:55 UTC (Mon) by NAR (subscriber, #1313)
Posted Nov 22, 2010 14:07 UTC (Mon) by adobriyan (guest, #30858)
I just want to turn off IPv6 and CONFIG_COMPAT,
now you're telling me I have to debug boot problems.
Posted Nov 22, 2010 14:27 UTC (Mon) by NAR (subscriber, #1313)
P.S.: I'm pretty sure you don't need to recompile your kernel to turn off IPv6.
P.S. 2: my point was running a kernel not included in the distribution (which implies a compilation), not the actual compilation step. You can recompile the kernel in Jaunty whatever way you like, it will boot (or at least it won't have problems reading that file).
Posted Nov 22, 2010 18:55 UTC (Mon) by jrn (subscriber, #64214)
Posted Nov 22, 2010 21:44 UTC (Mon) by jrn (subscriber, #64214)
Posted Nov 25, 2010 17:38 UTC (Thu) by dag- (subscriber, #30207)
Well, I don't know how general that rule is, because kernel 2.6.36 ripped out an important set of /proc/acpi entries that are still used on older Gnome releases (e.g. CentOS-5).
A separate project, named ELRepo, provides backported kernel modules, but also the current mainline kernel built specifically for CentOS-5. Which is great for testing/running the latest kernel with a stable and trusted distribution. Since 2.6.36, not anymore, as my laptop couldn't provide proper ACPI information, and as such couldn't suspend/hibernate before running out of power :-(
More information about this, and other breakage is available from:
Posted Nov 25, 2010 18:59 UTC (Thu) by corbet (editor, #1)
Posted Nov 25, 2010 19:28 UTC (Thu) by dag- (subscriber, #30207)
These kernels are not intended for production use, but provided as-is and as a means to help users to find newer drivers that can be backported, or detect regressions with drivers known to work. (Although they can be very useful nevertheless...)
I'll discuss this with the other team members and see if they agree to report these upstream. Thanks for mentioning, Jon!
Posted Nov 26, 2010 4:11 UTC (Fri) by promotion-account (guest, #70778)
I guess we didn't really consider these to be regressions, nor did we expect kernel developers to consider us, humble users of old but stable distributions ;-)
The kernel community usually takes such issues very seriously; please report.
If you want maximum effect, CC Linus in the process with a subject like '2.6.36 breaks XXXX userspace' ;)
Posted Nov 25, 2010 19:30 UTC (Thu) by dag- (subscriber, #30207)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds