Hey! Did you see what Marc Mutz wrote on Aug 7?
MM> Richard Adams wrote:
MM> > You will have to explain that one as a normal _user_ cannot load or unload
MM> > modules. Not on my machines at least.
MM> >
MM> <snip>
MM> True, but then it just opens another door to attackers, because it is
MM> surely easier to modify a file (/etc/modules.conf) to load
MM> trojan_horse.o instead of ppp.o than poke around directly in the kernel
MM> image.

Okay, granted, it would be far easier to modify /etc/modules.conf than it
would be to poke around in a kernel image. But to do this the attacker
would need to gain access to your box in the first place. And moderate
security measures such as a properly set up firewall and
/etc/hosts.allow|deny files will stop the majority of "would-be-crackers".

I think that the advantages of modules far outweigh the so-called security
risk that you are talking about. And besides, if you are that paranoid
about it you could always set the immutable bit on /etc/modules.conf. (man
chattr, man lsattr).

MM> but if you don't really need modules, why keep one more door open?

How about...because it saves RAM?

What about all the people out there (and I definitely fall into this
category) who want to play? Say for example you think that one day you
might like to play around with ramdisks or with loopback devices
(filesystems in a file), or with a slip connection... In my kernel those
things would be modules and would only get loaded if and when I ever get
around to playing with them. But in your kernel, they are all in the
kernel all the time. Now that seems to me to be a huge waste of
resources.

Let's look at another example... a soundcard. Not many people constantly
access their soundcard, it usually only gets used a small fraction of the
time the computer is up. So where is the logic behind having the
soundcard drivers permanently in the kernel?

When you are home alone at night, do you have all the lights on, the TV in
the living room on, TV in the bedroom on? And when you go to bed do you
leave all the lights etc on or do you turn things on and off as the need
arises? Why should your kernel be any different? If it will save on
resources and RAM, why not use modules?

Regards, Steve Youngs <[EMAIL PROTECTED]> ICQ: 34307457
------------------------------------------------------------
| __ |
| Isn't it good to know that / / __ ___ __ ____ __ |
| There _IS_ an alternative! / /__ / // _ \/ // /\ \/ / |
| /____//_//_//_/\_,_/ /_/\_\ |
------------------------------------------------------------
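
Added example, not part of the original message: a defender's check for the /etc/modules.conf tampering discussed in this thread, comparing the alias lines against a known-good baseline copy and reading the immutable bit with lsattr. The function names, the --demo flag and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a modules.conf-style file against a trusted baseline.

# Print one line per alias that is new or points at a different module than
# in the baseline. Returns 1 when anything was reported, 0 otherwise.
audit_aliases() {
    awk '
        $1 != "alias" || NF < 3 { next }          # skip comments, other directives
        FILENAME == ARGV[1] { base[$2] = $3; next }
        !($2 in base)  { print "NEW " $2 " -> " $3; bad = 1; next }
        base[$2] != $3 { print "CHANGED " $2 ": " base[$2] " -> " $3; bad = 1 }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Return 0 if the file carries the ext2 immutable attribute (chattr +i).
is_immutable() {
    attrs=$(lsattr "$1" 2>/dev/null | awk '{ print $1 }')
    case $attrs in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo on constructed sample files (not taken from any real system).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '# constructed baseline' 'alias ppp0 ppp' \
        'alias sound-slot-0 sb' > "$dir/modules.conf.good"
    printf '%s\n' '# constructed current file' 'alias ppp0 trojan_horse' \
        'alias sound-slot-0 sb' 'alias tap0 ethertap' > "$dir/modules.conf"
    audit_aliases "$dir/modules.conf.good" "$dir/modules.conf" \
        || echo "modules.conf differs from baseline"
    is_immutable "$dir/modules.conf" || echo "immutable bit not set"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The baseline copy has to live somewhere the attacker cannot write, such as read-only media, or the comparison proves nothing.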