Re: [Users] not compiling as root

From: Matthew Callaway (matt_at_kindjal.net)
Date: Mon Sep 09 2002 - 02:55:18 CEST

• Next message: Alistair Nelson: "[Users] NEWBIE, please help... almost have Freeswan working now..."
• Previous message: Paul Wouters: "Re: [Users] (no subject)"
• In reply to: Paul Wouters: "Re: [Users] not compiling as root"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Daniel,

It is my opinion that you should:

1) never build anything as root, ever.
2) never build anything on a production machine, ever.

Build hosts are for building, servers are for serving.

To this end, I have produced .spec files and instructions for building
RPMs of ipsec-enabled kernels, as well as the ipsec.o module.

I have contacted Ken at freeswan.ca and he's agreed to post my .spec
files and isntructions once I get them polished up. I will hand them
over to him, and post to this list, when I've got them generalized.
They are done, and they work for me, but I have very specific uses that
I'm removing from the files so that they work in the general case.

If you're interested, I think I should have them posted within the week.

Matt

On Mon, 9 Sep 2002, Paul Wouters wrote:

> On Sun, 8 Sep 2002, Daniel Lange wrote:
>
> > I've found an IPSec client, and have been working to build the ipsec
> > tools and IPSec-capable kernel. However, as I am deploying this on a
> > production server and intend to keep downtime to a minimum, and with
> > perhaps a healthy dose of paranoia, I don't compile my kernels as root,
> > nor do I intend to compile FreeS/WAN in this fashion.
>
> I've never heard of anyone terminating a server by compiling Freeswan.
> If you compile freeswan as module, you have 0 downtime.
>
> > I am about to go play with the FINAL* entries, but if there's something
> > I'm missing, or if anyone has pointers, advice, flames, cheers, or
> > insightful comments, I'd like to hear about it.
>
> It seems as waste of time to me to compile something that will result in
> something that will always run as root, or reside inside the kernel.
>
> Unless, ofcourse, we're as backdoord as the openssh people were :)
>
> Paul
> --
> <Beeth> Girls are like internet domain names, the ones I like are already
> taken.
> <honx> Well, you can still get one from a strange country :-P
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
>

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

• Next message: Alistair Nelson: "[Users] NEWBIE, please help... almost have Freeswan working now..."
• Previous message: Paul Wouters: "Re: [Users] (no subject)"
• In reply to: Paul Wouters: "Re: [Users] not compiling as root"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Sep 09 2002 - 05:20:00 CEST