Date: Sat, 13 Mar 2004 01:19:23 +0300
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: modules on the CD - yet another question

On Fri, Mar 12, 2004 at 08:53:28AM +0100, m.siennicki@...os.pl wrote:
> Then maybe there is enough room to add just BusLogic support
> (for VMware)?

Is that CONFIG_SCSI_BUSLOGIC?
Why does VMware require it?

> And just one more off-topic question (I'm interested what others
> think about it):
> Isn't a kernel with modules support disabled more secure than
> a kernel with the support enabled?

Well, if you want my opinion:

Yes, but very slightly. There're two reasons why this might make a
kernel a little more secure: this makes it somewhat harder to reliably
install kernel-level backdoors and reduces kernel code size thereby
potentially reducing the number of bugs there might be. (Of course,
this assumes that you do not compile in extra/unneeded functionality
"just in case" simply because you have disabled module support.)

But in practice, it was only the first factor which mattered some
years ago (at around 1997-1999 when lkm-based rootkits for Linux
already existed, but kmem-based ones did not), and the point is moot
these days with the widespread kmem-based rootkits. (Yes, it is
possible to patch the kernel to make kmem read-only, forcing rootkits
to resort to even more complicated and less reliable tricks.)

--
/sd
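
Added example, not part of the original message: a shell check of a kernel .config for the two routes the reply names, module loading and /dev/kmem, plus a count of built-in options as a rough view of compiled-in code. The function names and sample configs are constructed here, and it assumes a kernel whose Kconfig has the CONFIG_DEVKMEM symbol (on kernels without that symbol, "not set" says nothing about /dev/kmem).

```shell
#!/bin/sh
# Added example: audit a kernel .config for module support and /dev/kmem.

# kopt FILE SYMBOL: print y, m, or n (n covers "# SYMBOL is not set" and absent).
kopt() {
    v=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${v:-n}"
}

# audit_kconfig FILE: print findings; return 0 only if both routes are closed.
audit_kconfig() {
    rc=0
    modules=$(kopt "$1" CONFIG_MODULES)
    devkmem=$(kopt "$1" CONFIG_DEVKMEM)
    echo "modules=$modules devkmem=$devkmem builtin=$(grep -c '=y$' "$1")"
    [ "$modules" = n ] || { echo "  module loading is available"; rc=1; }
    [ "$devkmem" = n ] || { echo "  /dev/kmem is available"; rc=1; }
    return "$rc"
}

# Constructed sample configs (not taken from any real system).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/modular" <<'EOF'
CONFIG_MODULES=y
CONFIG_DEVKMEM=y
CONFIG_SCSI_BUSLOGIC=m
EOF
cat > "$SAMPLES/nomod_kmem" <<'EOF'
# CONFIG_MODULES is not set
CONFIG_DEVKMEM=y
CONFIG_SCSI_BUSLOGIC=y
EOF
cat > "$SAMPLES/static" <<'EOF'
# CONFIG_MODULES is not set
# CONFIG_DEVKMEM is not set
CONFIG_SCSI_BUSLOGIC=y
EOF

for f in modular nomod_kmem static; do
    echo "== $f"
    audit_kconfig "$SAMPLES/$f" || echo "  => root can still alter the running kernel"
done
```

The `nomod_kmem` case is the one the reply calls moot: module support is off, yet the check still fails because /dev/kmem remains.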