Re: Does vdso_install attempt to re-compile objects under root privilege?

From: Masahiro Yamada
Date: Tue Apr 23 2019 - 23:42:14 EST

Next message: Oliver: "Re: [PATCH V4 05/16] PCI: dwc: Move config space capability search API"
Previous message: Yan Zhao: "Re: [Qemu-devel] [PATCH 1/2] vfio/mdev: add version field as mandatory attribute for mdev device"
In reply to: Andy Lutomirski: "Re: Does vdso_install attempt to re-compile objects under root privilege?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Apr 24, 2019 at 8:40 AM Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Tue, Apr 23, 2019 at 11:47 AM Andy Lutomirski <luto@xxxxxxxxxx> wrote:
> >
> > Hmm. I suppose an alternative would be for vdso_install to fail if
> > the vdso isn't built?
>
> I absolutely abhor even the concept of building the kernel as root,
> and I think it should be actively disallowed. Our build system is
> good, but it's good as in "clever and complex" rather than necessarily
> good as in "very secure".
>
> So anybody who builds the kernel as root is doing something seriously
> wrong, in my opinion.
>
> That's partly exactly _because_ we have a lot of magical and very
> powerful build rules, and complicated implicit things going on.
>
> For example, our dependencies aren't even about just the files in the
> kernel repository itself, we have clever things like "if the compiler
> has been updated and features or version changes, we'll automatically
> rebuild, because it's part of our clever build system checks".
>
> But that is also part of the reason why I absolutely do *not* want any
> root-building to happen, because our build setup is simply way too
> clever.
>
> If root builds stuff, you'll end up with root-owned generated
> subdirectories or various config files etc, and even if you don't have
> security issues, it can complicate the build later as a regular user.
>
> I've had the build occasionally fail in odd ways, because some
> root-owned file was now no longer removable (usually it's the
> auto-generated header files in the directory, and the root-generated
> and owned directory is now not writable by the developer any more).
> And every time it happens, I shudder.
>
> So all of that simply boils down to "root should not be running those
> complex rules for our config and dependency magic".
>
> At the same time, "make install" obviously needs to be done as root.
>
> All of which is why I opine that "make install" should never build
> anything at all, it should purely be used as a "install previously
> built files".
>
> So yes, I'd much prefer just failing over trying to build as root (or
> even trying to figure out dependencies as root).
>
> > What's the ideal outcome here?
>
> I'd basically like the rule for "make install" to be that it never
> ever generates a single file in the build tree, so that there are
> never any root-owned (or root-overwritten) files there.
>
> So "make install" should even avoid all dependency checking, for the
> simple reason that if you happen to do a system update between "make"
> and "make install", our smart dependencies should never say "oh, the
> compiler version has changed, so now I'll rebuild everything as root
> just because 'make install'".
>
> So I think the ideal outcome is just "fail if you can't find the files
> to install".
>
> Linus

I assume this is ACK to change vdso Makefiles.
I will send patches.

Thanks.

--
Best Regards
Masahiro Yamada

Next message: Oliver: "Re: [PATCH V4 05/16] PCI: dwc: Move config space capability search API"
Previous message: Yan Zhao: "Re: [Qemu-devel] [PATCH 1/2] vfio/mdev: add version field as mandatory attribute for mdev device"
In reply to: Andy Lutomirski: "Re: Does vdso_install attempt to re-compile objects under root privilege?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]