>
> Hey! Did you see what Marc Mutz wrote on Aug 9?
>
> MM> Steve Youngs wrote:
> MM> >
> MM> <snip>
> MM> > MM> True, but then it just opens another door to attackers, because it is
> MM> > MM> surely easier to modify a file (/etc/modules.conf) to load
> MM> > MM> trojan_horse.o instead of ppp.o than poke around directly in the kernel
> MM> > MM> image.
> MM> >
> MM> > Okay, granted, it would be far easier to modify /etc/modules.conf than it
> MM> > would be to poke around in a kernel image. But to do this the attacker
> MM> > would need to gain access to your box in the first place. And
> MM> <snip>
> MM> Unfortunately you snipped the answer to your question. I said that this
> MM> would be a hypothetical attack, because there are other things you could
> MM> break when you can write to the root partition. Note that I'm not only
> MM> speaking of attacks when Linux is up'n'running. There are attacks
> MM> possible much more easily if you have physical access to the box and
> MM> e.g. boot DOS to fiddle around in Linux's partitions.
When in DOS, how does one mount an ext2 partition?
>
> Then, hypothetically speaking of course, if you let someone who
> can't be trusted have physical access to your computer you deserve to have
> your system trashed. :-)
What is not hypothetical is the fact that network computers, normally speaking,
are behind lock and key, or they are at least in our network and in many
other networks of my friends and associates. There is no way anyone other
than the network administrator, who can access the machines with his keys,
can have root privs. Others who can log in to the net machines do not have
any privs beyond those of a normal user, so in my opinion most of Marc's
thoughts could be considered pipe dreams, unless he is talking about his
personal computer just sitting on a desk somewhere and he leaves a root
window open when he goes to drink coffee in the company canteen; that would
be his fault and his fault alone.
>
> MM> > I think that the advantages of modules far outweigh the so called security
> MM> > risk that you are talking about. And besides if you are that paranoid
> MM> > about it you could always set the immutable bit on /etc/modules.conf. (man
> MM> > chattr, man lsattr).
> MM> See above.
>
> See above's above.
There is nothing better than modules, it's just that we don't seem to be able
to explain that to Marc.
>
> MM> > What about all the people out there (and I definitely fall into this
> MM> > category) who want to play? Say for example you think that one day you
> MM> > might like to play around with ramdisks or with loopback devices
> MM> > (filesystems in a file), or with a slip connection... In my kernel those
> MM> > things would be modules and would only get loaded if and when I ever get
> MM> > around to playing with them. But in your kernel, they are all in the
> MM> > kernel all the time. Now that seems to me to be a huge waste of
> MM> > resources.
> MM> What do you call 'huge'? I have in my kernel
> MM> - SCSI
> MM> - encryption over loopback dev's
> MM> - ISDN
> MM> - IP FW & MASQ
> MM> to name but the not-so-common and it is still only 617K in image form.
>
> My kernel has lots and lots of "not-so-common" things as well and
> my kernel image is only 370K. Which means that, initially at least, my
> machine is using far less resources than yours. And only has to chew up
> those extra resources if and when I need them.
As indeed I explained in an earlier post to Marc; however, he just did not
see my point.
>
> What you are doing is akin to packing a suitcase full of clothes,
> grabbing your wallet, credit cards, check book and cash. Then hiring a
> car, when all you want to do is buy a newspaper from the shop that is one
> block away. On the other hand I have everything I need to go on an
> extended journey, but when all I want to do is buy a newspaper I can just
> grab some loose change and walk to the shop.
>
Like my girlfriend when we go on holiday: if she could, she would pack the
kitchen sink and take it with her.
> MM> I have 128M of RAM, so my kernel takes far less than 1% of it. Why
> MM> should I bother myself with 0.2% of my RAM? That's less than an instance
> MM> of rc5des uses. If I need more RAM, I have other, more useful options:
> MM> - buy more
> MM> - disable unused permanent daemons and make them slaves to inetd
> MM> - reduce the number of concurrent instances of apache from 5 (the SuSE
> MM> default) to 4, which gives me something between 1M and 2M of free RAM.
>
> I don't know, maybe its just my old programming background, but
> using modules seems to me to be a much better way all round to do things.
> At least it makes a lot of sense to me. :-)
It _is_ the best way; even the _real gurus_ say that, the ones that actually
write kernel drivers and code.
>
> I disagree with the option of buying more RAM...Admittedly, RAM is
> dirt cheap (compared to the days when you paid well over $100/Mb), but
> some people (yep, me again) can't afford it still. Another restriction is
> that it isn't always physically possible. I'm using a motherboard that
> has the RAM maxed out at 32Mb because it is physically broken. :-( And
> this is another reason why I am so fond of modules...When you only have
> 32Mb of RAM a 1 or 2% reduction of RAM usage is noticeable. :-)
I explained to Marc how much memory is used by the kernel at boot time, and
also the "speed" thing which started this thread: the smaller the kernel,
the faster it is and the less memory it uses. He just could not see what I
meant; I can understand why I included an example.
>
> I will be looking into the inetd and apache thing though. Thanks
> for the tip.
>
> MM> > Lets look at another example... a soundcard. Not many people constantly
> MM> > access their soundcard, it usually only gets used a small fraction of the
> MM> > time the computer is up. So where is the logic behind having the
> MM> > soundcard drivers permanently in the kernel?
> MM> >
The soundcard is just one example; how about video4linux? If bttv were
compiled into my kernel it would consume one hell of a lot of resources. As
it is, I have it all as modules: as soon as I insert the module for bttv it
generates interrupts, and rather a lot, I might add, and that before I start
the applications to receive TV or use the webcam. Just imagine if it were in
the kernel.
> MM> If you run many different kernel versions like I do, you don't want the
> MM> modules to come in your way:
> MM> # /sbin/lilo
> MM> Added linux *
> MM> Added linux-2.2.7
> MM> Added linux-2.2.9-md
> MM> Added linux-2.3.8
> MM> Added linux-2.3.9
> MM> Added linux-2.2.10i
>
> Could you please explain how on earth this could be a problem. I,
> too, run more than one kernel version (2.2.10 & 2.3.12). The modules are
> kept in separate directories so there is no problem.
> /lib/modules/2.2.10/
> /lib/modules/2.3.12/
> Or am I not understanding what you are trying to say?
I have had up to 15 different kernels here, and not one module has ever gotten
in my way. I agree with Steve; you will need to explain what you mean here.
>
> MM> > When you are home alone at night, do you have all the lights on, the TV in
> MM> > the living room on, TV in the bedroom on? And when you go to bed do you
> MM> > leave all the lights etc on or do you turn things on and off as the need
> MM> > arises? Why should your kernel be any different? If it will save on
> MM> > resources and RAM, why not use modules?
> MM> >
> MM> That's not a comparison that makes sense.
> MM> If I switch off all the lights and entertainment electronics, I reduce
> MM> my power consumption to around 10 to 20%. If I did everything I could as
> MM> modules and compared the unloaded with the fully (module-)loaded kernel,
> MM> I would gain perhaps 20% difference. That's not worth writing a new init
> MM> script for... and it becomes even less so if you consider the maximum
> MM> amount of power/RAM you could theoretically use. Also saving power saves
> MM> me money, saving 100K of RAM saves me not a single swapped page :-)
>
> You've missed the point. Look at the analogy again. But this
> time try not to complicate it with useless numbers and percentages. The
> moral to the story is: "Why should I make my computer work harder and use
> up valuable resources just in case I might want to use something today?"
I wonder what uptime would say for system load averages when he is working
with his machine.
>
> MM> Bottomline: You have your philosophy, that many others share with you
> MM> (mostly "end users" for want of a better term), I have mine that also
> MM> many people share (mostly "kernel hackers" FWOABT).
>
> I would disagree with this argument as well. Wouldn't a kernel
> that uses modules be better for a "kernel hacker"? If a hacker is working
> on something in the kernel he/she could insert their module into a running
> kernel to test it, and if it didn't work, simply remove it, debug,
> re-compile, re-insert into the same running kernel and re-test.
That is another _big_ advantage, one which I have not mentioned. Now one
would think that a self-proclaimed "kernel hacker" (after all is said and done,
that's the way Marc describes himself) would know about things like that.
>
> You on the other hand would have no alternative but to re-compile
> your entire kernel and re-boot your computer. I guarantee, that after
> the 16th successive re-boot you'll be saying to yourself "man, there's
> gotta be a better way"
That's hitting the nail on the head...
>
> Even Linus uses modules. :-)
Was it not his idea as well?
>
> Regards, Steve Youngs <[EMAIL PROTECTED]> ICQ: 34307457
> ------------------------------------------------------------
> | __ |
> | Isn't it good to know that / / __ ___ __ ____ __ |
> | There _IS_ an alternative! / /__ / // _ \/ // /\ \/ / |
> | /____//_//_//_/\_,_/ /_/\_\ |
> ------------------------------------------------------------
>
--
Regards Richard.
[EMAIL PROTECTED]
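The attack Marc sketches earlier in the thread (rewriting /etc/modules.conf so that the next modprobe pulls in trojan_horse.o instead of ppp.o) and the chattr +i counter-measure Steve mentions can both be checked mechanically. The script below is an added example for this page; it was not posted by anyone in the thread and is not part of modutils. The directive names it inspects (alias, path[tag]=, pre-install, post-install, install, remove, pre-remove, post-remove) are the real modules.conf syntax of that era; the helpers audit_modules_conf, check_immutable and make_sample, the sample module tree and the sample modules.conf are all constructed here for illustration.

```shell
#!/bin/sh
# Added audit helper for the modules.conf attack discussed in the thread.
# Not from the thread and not part of modutils; the directive names checked
# are real modutils-era /etc/modules.conf syntax, everything else is
# constructed for this example.

# audit_modules_conf FILE MODDIR
#   FILE   : a modules.conf to inspect
#   MODDIR : where this kernel's modules live, e.g. /lib/modules/2.2.10
# Prints one "SUSPECT ..." line per finding, then the finding count.
audit_modules_conf() {
    _file="$1"
    _moddir="$2"
    _count=0
    while IFS= read -r _raw || [ -n "$_raw" ]; do
        # drop comments and surrounding whitespace
        _line=$(printf '%s\n' "$_raw" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ -z "$_line" ]; then continue; fi
        case "$_line" in
            path*=*)
                # modprobe searches these directories; a path outside
                # /lib/modules lets an attacker's .o win the lookup
                _target=${_line#*=}
                case "$_target" in
                    /lib/modules/*) ;;
                    *) echo "SUSPECT path outside /lib/modules: $_line"
                       _count=$((_count + 1)) ;;
                esac ;;
            "pre-install "*|"post-install "*|"install "*|"remove "*|"pre-remove "*|"post-remove "*)
                # modprobe hands these to /bin/sh as root at (un)load time
                echo "SUSPECT shell hook run as root by modprobe: $_line"
                _count=$((_count + 1)) ;;
            "alias "*)
                # alias NAME TARGET: TARGET must be a module we actually ship
                set -- $_line
                _mod="$3"
                case "$_mod" in
                    off|null|"") ;;   # documented ways to disable an alias
                    *)
                        if [ -z "$(find "$_moddir" -name "$_mod.o" 2>/dev/null)" ]; then
                            echo "SUSPECT alias to module not under $_moddir: $_line"
                            _count=$((_count + 1))
                        fi ;;
                esac ;;
        esac
    done < "$_file"
    echo "$_count"
}

# check_immutable FILE
# Prints "immutable" when the ext2 +i attribute (chattr +i) is set, "mutable"
# when it is not, and "unknown" when lsattr is missing or the filesystem
# does not support attributes (e.g. tmpfs).
check_immutable() {
    command -v lsattr >/dev/null 2>&1 || { echo unknown; return 0; }
    _attrs=$(lsattr "$1" 2>/dev/null | cut -d' ' -f1)
    case "$_attrs" in
        "")  echo unknown ;;
        *i*) echo immutable ;;
        *)   echo mutable ;;
    esac
}

# make_sample DIR
# Builds a constructed module tree and a modules.conf carrying the attack
# from the thread: ppp re-aliased to trojan_horse, a search path under /tmp,
# and a pre-install hook. Sample data only, not a real system.
make_sample() {
    _d="$1"
    mkdir -p "$_d/lib/modules/2.2.10/net" "$_d/lib/modules/2.2.10/misc"
    : > "$_d/lib/modules/2.2.10/net/3c59x.o"
    : > "$_d/lib/modules/2.2.10/net/ppp.o"
    : > "$_d/lib/modules/2.2.10/misc/sound.o"
    cat > "$_d/modules.conf" <<'EOF'
# constructed sample modelled on a 2.2-era modules.conf
path[net]=/lib/modules/2.2.10/net
alias eth0 3c59x
alias ppp0 ppp
alias char-major-14 sound
alias char-major-10-1 off
# --- lines an attacker with write access might append ---
path[misc]=/tmp/.hidden
alias ppp trojan_horse
pre-install ppp /tmp/.hidden/backdoor.sh
EOF
}

# Demo on the constructed sample (a scratch directory, not the live system)
_demo=$(mktemp -d)
make_sample "$_demo"
audit_modules_conf "$_demo/modules.conf" "$_demo/lib/modules/2.2.10"
echo "immutable bit on sample conf: $(check_immutable "$_demo/modules.conf")"
rm -rf "$_demo"
```

On the sample the audit reports three findings: the /tmp search path, the alias to a trojan_horse.o that does not exist under the kernel's own /lib/modules/<version> directory, and the pre-install hook, which modprobe would run through the shell as root without any module being involved at all. Run against a real box, point MODDIR at /lib/modules/$(uname -r), which is also why the per-version directories Steve mentions keep several kernels' modules from colliding. Note that root can clear the immutable bit again with chattr -i, so +i protects against accidents and unprivileged tampering, not against an attacker who already holds root.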