Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[Solved] When to upgrade kernel to secure home PC?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
katabami
n00b
n00b


Joined: 11 Jul 2009
Posts: 40

PostPosted: Sat Sep 03, 2011 4:48 am    Post subject: [Solved] When to upgrade kernel to secure home PC? Reply with quote

Hi. When should I upgrade the kernel to be secure? My PC is for desktop use and I connect to the internet with DSL. Put differntly, how do you know kernel security information relevant to you?

I watch the Debian security notification page (in addition to glsa; I know glsa excludes kernel.), but that doesn't help much for gentoo or vanilla kernel. It's an old question, and I've been Linux user for more than a decade, but I'm not sure yet. ;)

My rule was to compile the latest stable gentoo source, but some time ago I tried git kernel to bisect, and the former habit is gone.

Thanks beforehand.


Last edited by katabami on Thu Sep 15, 2011 6:05 am; edited 1 time in total
Back to top
View user's profile Send private message
mp342
Apprentice
Apprentice


Joined: 03 Aug 2010
Posts: 165
Location: France

PostPosted: Sat Sep 03, 2011 9:51 am    Post subject: Reply with quote

I you use the latest stable gentoo source, there is a new ebuild pushed when there is a security issue.
Back to top
View user's profile Send private message
katabami
n00b
n00b


Joined: 11 Jul 2009
Posts: 40

PostPosted: Tue Sep 06, 2011 8:08 am    Post subject: Reply with quote

Thanks, mp342. One "problem" there is this: suppose 2.6.40-r4 is the latest stable, and 2.6.40-r10 is the latest in the 2.6.40 series. Now comes a security fix. Then the patch is applied upon r10, right? Usually r11 won't be stable so soon, I don't know what makes it testing r10/r11, and hesitant to use it. (It seems this issue has been discussed, but I'm a secular who don't know it at all.)

But that's not much a problem; I even don't know if there're any security issues which affects me, r4, r11, or whichever. I'd like to omit unnecessary kernel compilation, but is it not recommendable in Gentoo? (I know Server users can stick to 2.6.32.)

An introduction to Gentoo newcomers in this point would be good, which'd be also good for a 7-year user like me. ;)
Back to top
View user's profile Send private message
mp342
Apprentice
Apprentice


Joined: 03 Aug 2010
Posts: 165
Location: France

PostPosted: Tue Sep 06, 2011 8:25 am    Post subject: Reply with quote

Here is what I have understood about security fix :
When a security bug for a stable ebuild is discovered, a new release of the ebuild is published (I don't know what is the base for this ebuild, last stable release or last release of the series)
This new release is stabilized within few days, I think delay depends of the severity of the security bug.

Have a look to the changelog of the ebuild you use for your kernel and search for 'security', you'll better understand.

Regards.
Back to top
View user's profile Send private message
katabami
n00b
n00b


Joined: 11 Jul 2009
Posts: 40

PostPosted: Mon Sep 12, 2011 11:15 pm    Post subject: Reply with quote

I didn't know that. Thanks.

But there's one thing I don't understand: Debian has released kernel security fix 4 times this year so far[1], but gentoo-sources ChangeLog doesn't have the word "security" that often. I don't know Debian and I do think this comparison is naive, but can anyone resolve my question?

[1] http://www.debian.org/security/2011/

Regards.
Back to top
View user's profile Send private message
mp342
Apprentice
Apprentice


Joined: 03 Aug 2010
Posts: 165
Location: France

PostPosted: Tue Sep 13, 2011 6:21 am    Post subject: Reply with quote

If debian policy haven't changed since I used it, debian use a specific version of the kernel for each stable release. When a security issue is found, they backport the fix to stable version.

With gentoo, the stable kernel version move continuously, it could explain why there are fewer security fix.

I'm not an expert in gentoo security, if someone have a better explanation.
Back to top
View user's profile Send private message
krinn
Advocate
Advocate


Joined: 02 May 2003
Posts: 4399

PostPosted: Tue Sep 13, 2011 9:38 am    Post subject: Reply with quote

security fix push version to stable.

so if you run a stable kernel X-r1 and the unstable is X-r10 the security fix will stabilize the X-r11 (for critical issue and it will be the -r10 one + the version bump for the fix) and then stable & unstable could be the same for a moment.

and you have less security fix vs debian because they stick to a kernel version and so need to publish far more security fix to backport them as generally a security issue found in a kernel version also affect previous versions

And it's really a non-issue for a desktop system, because from an attacker point of view, it's a weak machine as it could be kept offline a long time, reboot when the user feel the need.
Most kernel big flaw are privilege excalation (the goal is to be root to get your computer under control), this imply an access to it, and desktop computer have limited access by nature, they also have weak ressources (slower or limited by volume bandwith on enterprise) or just slower because poor users never really get high bandwith from isp.
Additionally using high cpu or bandwith ressource from that kind of computer will be easy detected by the user -> "Why the hell i have that high ping in quakewars !"

As you see, no need to worry that much.
Back to top
View user's profile Send private message
katabami
n00b
n00b


Joined: 11 Jul 2009
Posts: 40

PostPosted: Thu Sep 15, 2011 6:05 am    Post subject: Reply with quote

Thanks, mp342 and krinn. I've created a gentoo-wiki page to record it:
http://en.gentoo-wiki.com/wiki/Keeping_your_kernel_secure

Anyone please improve it.

Regards.
Back to top
View user's profile Send private message
cach0rr0
Moderator
Moderator


Joined: 13 Nov 2008
Posts: 4122
Location: Houston, Republic of Texas

PostPosted: Tue Sep 20, 2011 5:25 am    Post subject: Reply with quote

i generally keep an eye on what the grsecurity/PaX people do
they're often the first people to find a security flaw with the latest kernel

so whenever they publish a fix, i keep an eye out, cross reference, update my kernel whenever the "official" devs have ported their own inferior fix into mainline.

it's imperfect, but at least following grsecurity/PaX, you know of new bugs that exist fairly quickly. Cross-referencing their fixes to determine when a fix has reached mainline is a very unscientific process.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum