[nycbug-talk] kernels

Bob Ippolito bob
Thu Jun 3 17:49:47 EDT 2004


On Jun 3, 2004, at 5:34 PM, Roland C. Dowdeswell wrote:

> On 1086295432 seconds since the Beginning of the UNIX epoch
> Bob Ippolito wrote:
>>
>
>> The security argument is kind of silly, because if that really was a
>> concern you could add a sysctl that lets you turn module loading off
>> (forever) at runtime.  So you boot up, load your modules, and turn
>> module loading off.  In practice, nobody really does this (as far as I
>> know) because only root can load kernel modules and root can do
>> whatever he wants anyway, whether or not the kernel is split into 1 or
>> 1000 pieces.
>
> There are things that you do not want to allow even root to do
> without dropping into single user mode on the console.  And you
> have to disable LKM loading in order to get there.  E.g. on NetBSD
> in secure level > 0, root cannot grovel the PCI bus and directly
> access hardware, write to immutable files, etc.

Sure, but that is completely orthogonal to *having* LKM.  It's very 
easy to have a kill-switch sysctl that turns it off until the next 
reboot.

-bob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2357 bytes
Desc: not available
Url : http://lists.nycbug.org/pipermail/talk/attachments/20040603/30a67e3d/attachment.bin 



More information about the talk mailing list