Mailing List Archive



Re: [OT] Re: [tlug] Sorry to Hijack a thread but whats wrong with LILO



On Wed, Feb 26, 2003 at 09:37:12AM -0500, Josh Glover wrote:
> Quoth Martin Baehr (Tue 2003-02-25 03:27:14PM +0100):
> > 
> > if there is a security problem, it's always userland.
> 
> I disagree. Case in point: newer kernels in the 2.4.x series (at least, the
> ones packaged by Gentoo and Red Hat--I cannot comment on the vanilla tree)
> allow you to add zlib support *to the kernel*! Needless to say (so why am I
> saying it?), I avoid such stupidity. I also avoid things like Tux. If you
> run a webserver in kernel mode, expect buffer overflows, chunking exploits,
> etc to bite you in the arse, and hard.

Being completely fair, you are both right. Almost all the exploitable
bugs are in userland.  The problem is Linux has developed a very bad
habit of allowing people to compile bits of userland into the kernel.
> 
> Anyway, getting back to zlib, anyone who reads BugTraq knows that zlib has
> had a bad six months or so. If you have that code in your kernel, voila:
> you have a kernel vuln.

True, if you are idiotic enough to enable this sort of support into your
kernel you are begging for trouble.

> 
> In a perfect world, Martin, you *should* be right. In BSD, for example,
> kernel bugs are less frequent, due to the BSD developers being able to resist
> the stupid urge to drop the kitchen sink in the bloody kernel.
> 
> In the Linux world, you are flat wrong.
> 

Do you agree with this statement? If you have sanely configured your
kernel, and don't compile the kitchen sink into your kernel, then generally
you aren't in significant danger of a kernel security hole.  I certainly
feel safe betting on my kernels vs. my userland, and that is because I
have had to replace userland any number of times for security problems
with nary a single case where my kernel was the problem.

I do agree that the Linux kernel crew are really overly willing to let you
shoot yourself in the foot without really explaining why userland should
be cleanly separated from the kernel.  It's even a bigger problem since most
of the distributions are busy trying to make Linux accessible to the common
man.  I see an explosive convergence of the two in the future.


--Matt

