Date: Sun, 9 Jul 2000 18:02:27 -0700 From: Alfred Perlstein <bright@wintelcom.net> To: "Jeroen C. van Gelderen" <jeroen@vangelderen.org> Cc: Marius Bendiksen <mbendiks@eunet.no>, Adam <bsdx@looksharp.net>, arch@FreeBSD.ORG Subject: Re: making the snoop device loadable. Message-ID: <20000709180227.W25571@fw.wintelcom.net> In-Reply-To: <39691C98.2C0DF9F7@vangelderen.org>; from jeroen@vangelderen.org on Sun, Jul 09, 2000 at 08:45:12PM -0400 References: <Pine.BSF.4.05.10007100149380.88568-100000@login-1.eunet.no> <39691C98.2C0DF9F7@vangelderen.org>
next in thread | previous in thread | raw e-mail | index | archive | help
* Jeroen C. van Gelderen <jeroen@vangelderen.org> [000709 17:45] wrote: > Marius Bendiksen wrote: > > > > > Why did it exist from FreeBSD-WhoKnowsWhen until 1999? I'd like to use X > > > > As I recall, this had something to do with shrinking the kernel for > > PicoBSD, amongst other things. > > > > > why NO_LKM is bad but couldn't find anything. Could you help me find a > > > discussion on it or tell me why disabling kernel modules is *not* > > > security? Assuming I'd notice a reboot and would consequently whup some > > > butt if someone did. > > > > Thing is; disabling kernel modules will avail you little, as an > > illegitimate user can still use the memory devices to access physical > > memory, and thus binary patch a live kernel. This is hard, but it can, and > > has been done. > > Sure. But that may not be in one's threat model. Sure, a > NO_KLD could be worked around in theory but maybe not in > practice; Which means it can be very useful albeit maybe > not for you. It's not very useful, the second some weenie posts his canned "load a kld on freebsd even with NO_KLD" 'sploit', it'll all be over in a most embarrasing way, all admins foolishly relying on such 'protection' will have to scramble to fix things properly. Here's it in a nutshell, it was less than trivial to get the snoop device loadable. Right now there is no 'NO_KLD' switch. Raise secure level or don't give out root. -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000709180227.W25571>