Steve Youngs wrote:
> 
<snip>
> 
> > Using modules...

<snip agreed>
> 
> > 3.) ...lowers security a bit
> 
> Totally Disagree
> 
Of course you do... We had this exact discussion some time ago here on
lnml. Since then, I found a message to bugtraq from a few years ago that
described a module that - once loaded - would redefine syscalls like
read and write to mask its existence entirely.

They could e.g. hide arbitrary content of directories and even fake
lsmod. So you have a means of compromising a system without _any_ chance
to be revealed[1]. Not something you want to happen.

[1] There was a very special way to detect this single module, but you
can easily imagine other modules that do not show up in this very
special check.

> > 4.) ...is enforced by some drivers (e.g. NeoMagic audio :-( )
> 
> Is a good thing. :-)
> 
This particular case is _very_ annoying: You can only make the driver a
module, but it must not be loaded after X has been started, because
this d*mned NM chipset uses video RAM for playback buffers or that sort
of thing. So you end up insmod'ing it at startup time and all your
advantages go away. So why the heck am I not allowed to compile it into
the kernel?

> > 5.) ...is impossible / can be complicated with some drivers (scsi? eth?)
> 
> Disagree.
> 
Example of impossibility: CONFIG_INET.
I read something about scsi being hard to do as modules in either the
PCMCIA or the IR howto.

<snip agreed>

> > 7.) ...requires editing conf.modules/modules.conf most of the time
> 
> Yes and no.
> 
Yes or no? Judge for yourself:

serial module compiled in:
Q> alias char-major-4 off

using IrDA:
Q> alias tty-ldisc-11    irtty
Q> alias char-major-161  ircomm-tty

and worse: using loop device encryption:
Q> alias loop-xfer-gen-0 loop_gen
Q> alias loop-xfer-gen-10 loop_gen
Q> alias cipher-4 blowfish            # Blowfish
Q> alias cipher-6 idea                # IDEA
Q> alias cipher-7 serp6f              # Serpent
Q> alias cipher-8 mars6               # MARS
Q> alias cipher-11 rc62               # RC6
Q> alias cipher-15 dfc2               # DFC
(more to follow for internat. kernel 2.2.12.2)

8.) ...slows down the kernel (from the security howto FAQ section)

Marc

-- 
Marc Mutz <[EMAIL PROTECTED]>                    http://marc.mutz.com/
University of Bielefeld, Dep. of Mathematics / Dep. of Physics

PGP-keyID's:   0xd46ce9ab (RSA), 0x7ae55b9e (DSS/DH)
