Risks of running custom kernels

Discussion in 'Linux' started by toastnted, Jan 6, 2009.

  1. toastnted

    toastnted

    Joined:
    Dec 30, 2008
    Messages:
    18
    Likes Received:
    0
    Without wishing to detract anything from the individuals who put in a lot of time and effort into producing custom kernels for us lazy masses, just what exactly are the (theoretical) risks of running a custom kernel?

    I say 'theoretical' because I'm not implying that anyone has malicious intent, but essentially this boils down to downloading code off the internet from an unknown source.

    So really this is just an academic question for those of you who know far more than I about such things :)

    (Again, many thanks to all of those who do produce custom kernels etc)
     
    toastnted, Jan 6, 2009
    #1
  2. toastnted

    Casao

    Joined:
    Aug 9, 2008
    Messages:
    28
    Likes Received:
    0
    No worse than the risks of running anything else on your computer. I'm not aware of any malicious kernels out there, but there's a HUGE difference between compiling a custom kernel and rewriting chunks of it to be malicious.

    Really, there's very little done when you compile a custom kernel - you're generally not writing any new code, merely changing the config to change what's included in the kernel package. It's as simple as checking things off a list and then making a sandwich while it compiles. If you're paranoid, you can ask maintainers for their .config file and then pull down and compile the kernel yourself, ensuring it's using the official kernel sources which are generally safe.

    On the other hand, someone would have to rewrite the modules in the kernel source code to do malicious activity while still maintaining the appearance of working as intended - far more work than writing a simple malicious piece of code and sending it out to people.
     
    Casao, Jan 7, 2009
    #2
  3. toastnted

    dattaway

    Joined:
    Sep 2, 2008
    Messages:
    198
    Likes Received:
    0
    Location:
    Kansas Citeeeeeeeeee, MO
    dattaway, Jan 7, 2009
    #3
  4. toastnted

    exwannabe

    Joined:
    Dec 30, 2008
    Messages:
    42
    Likes Received:
    0
    As the OP stated, this is all academic, but just for fun.

    The Q was wrt random kernel binaries, not peer reviewd kernel sources. In theory a huge difference, but in practice?

    I have 0 concern when I download the source from kernel.org and compile (even with a strangers .config).

    On a scale of 0-10, where 0 = power off and 10 = sending my bank info to the son of the ex PM of Uganda, I would rate loading a random kernel at < .001 .

    So to the OP, yes in THEORY it's a risk, but well less than opening up your bank account info in I.E. or even thinking about using Outlook.

    If you are truly paranoid, go with what casao suggested and dataway confirmed by going back to compiling yourself.
     
    exwannabe, Jan 7, 2009
    #4
  5. toastnted

    toastnted

    Joined:
    Dec 30, 2008
    Messages:
    18
    Likes Received:
    0
    Insightful replies, thank you :)

    I've used linux for several years now, but only as an end user so I figure I should start to learn some more about it.

    Many thanks again
     
    toastnted, Jan 7, 2009
    #5
  6. toastnted

    RockDoctor

    Joined:
    Aug 21, 2008
    Messages:
    963
    Likes Received:
    0
    Location:
    Minnesota, USA
    Compiling a kernel is relatively easy; it was one of the first things I did when I first started using Linux. If you're unsure of the provenance, download (but don't install) the custom kernel, compare the config file to the config file of a standard kernel, and if nothing is amiss, download the kernel source from kernel.org and compile using the custom config file.
     
    RockDoctor, Jan 7, 2009
    #6
Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.