Ralf Hemmann wrote:
>
> > Why get your floppy driver ( +- 70K ) into the
> > main kernel of my servers if I'll probably use it no more than 2 times a
> > week ???
>
> The answer is simple:
>
> For security reasons on firewalls (and other servers especially with user
> shell accounts) you should always use, if possible,
> a kernel with no module support at all.

Why? It takes root to install modules; if your firewall has been compromised at root level, you're done for. If you installed compromised source as root, then compiled it, it matters not if you compiled it into the kernel or into modules. If I can install a module into /lib/modules as a user, your system is really insecure. If I can run modprobe as a user, and install as user, your system is insecure.

e.g.:

[yan@oberon scsi]$ /sbin/modprobe st
/lib/modules/2.2.19/scsi/st.o: create_module: Operace není povolena
/lib/modules/2.2.19/scsi/st.o: insmod /lib/modules/2.2.19/scsi/st.o failed
/lib/modules/2.2.19/scsi/st.o: insmod st failed
[yan@oberon scsi]$ su
Password:
[root@oberon scsi]# /sbin/modprobe st
[root@oberon scsi]#

Modules pose no additional risk at all. See various lengthy discussions on deja on the topic.

--Yan

--
Famous first words: My, my, my, my, my!
Jason, age 16 mos, to his older sister
8:59pm up 18 days, 14:27, 20 users
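
Added example, not part of the original message: a shell check for the two conditions the reply calls insecure, a module tree that a non-root user can write to and a module loader that runs with root's privileges for any caller. The function names are hypothetical, and treating group-writable entries as findings is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.

# audit_module_tree DIR [OWNER_UID]
# Lists entries under DIR that someone other than OWNER_UID (default 0, root)
# could replace: wrong owner, or group-/world-writable (assumption: any group
# write access counts as a finding). Symlinks are skipped because their mode
# bits are not meaningful.
# Returns 0 if clean, 1 if anything was listed, 2 if DIR is not a directory.
audit_module_tree() {
    dir=$1
    owner=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "audit_module_tree: not a directory: $dir" >&2
        return 2
    fi
    findings=$(find "$dir" ! -type l \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# loader_is_setuid FILE
# Returns 0 if FILE exists with the set-user-ID bit (a non-root user could
# then load modules through it), 1 otherwise.
loader_is_setuid() {
    [ -u "$1" ]
}

# Stand-alone use: sh audit.sh /lib/modules
if [ "$#" -gt 0 ]; then
    audit_module_tree "$1" && echo "module tree clean: $1"
    for loader in /sbin/modprobe /sbin/insmod; do
        if loader_is_setuid "$loader"; then echo "setuid loader: $loader"; fi
    done
fi
```

The audit covers only DIR and what lies below it; the directories above it need the same ownership for the result to mean anything.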