On Sun, Jun 17, 2001 at 01:21:45PM +0300, Juha Jäykkä wrote:
> > lcap CAP_SYS_MODULE CAP_SYS_RAWIO
> > which will disable module loading entirely as well as access to
> > /dev/mem (which can be just as dangerous as a kernel module and would
> > bypass your signed module thing nicely).
>
> Which means: so long, X. I have a workstation and using X is,
> naturally, necessary (in fact, it is paramount since 3D rendering
> without Xfree4's opengl is horrible). Thus this option is out. How
> about compiling the kernel without module support in the first place?
> The problem of /dev/mem would remain, but if the kernel does not know
> about modules, is it a problem?
compiling without module support would be mostly the same as just
lcap CAP_SYS_MODULE
leaving /dev/mem open leaves you open regardless of how you stop
module loading.
i suggest installing all security updates immediately when they arrive
and a vigilant sysadmin. those will keep your box uncompromised better
than anything (except turning it off).
--
Ethan Benson
http://www.alaska.net/~erbenson/
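The thread turns on whether CAP_SYS_MODULE and CAP_SYS_RAWIO are still in the bounding set. The script below is an added example, not code from either poster: it decodes a capability bounding-set mask (the CapBnd line of /proc/<pid>/status on current kernels, where the bounding set is per process; the lcap tool in the thread wrote the older global /proc/sys/kernel/cap-bound) and reports whether those two capabilities are still present. The bit numbers (16 and 17) are the kernel's own; the function names and the sample masks are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Decodes a capability bounding-set mask
# and reports whether CAP_SYS_MODULE / CAP_SYS_RAWIO are still present.
# Capability bit numbers as defined by the kernel (linux/capability.h).
CAP_SYS_MODULE=16
CAP_SYS_RAWIO=17

# cap_in_mask HEXMASK BIT -> exit 0 if BIT is set in HEXMASK, 1 otherwise.
# HEXMASK is the raw hex string as printed in /proc/<pid>/status, no 0x prefix.
cap_in_mask() {
    mask=$1
    bit=$2
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# dangerous_caps_in_mask HEXMASK -> prints the space-separated names of the
# two capabilities discussed in the thread that are still in the mask
# (empty line if both have been dropped).
dangerous_caps_in_mask() {
    found=""
    if cap_in_mask "$1" "$CAP_SYS_MODULE"; then
        found="CAP_SYS_MODULE"
    fi
    if cap_in_mask "$1" "$CAP_SYS_RAWIO"; then
        found="${found:+$found }CAP_SYS_RAWIO"
    fi
    printf '%s\n' "$found"
}

# check_current_process -> reads this process's CapBnd line (if /proc is
# mounted) and prints which of the two capabilities remain in its bounding set.
check_current_process() {
    if [ ! -r /proc/self/status ]; then
        echo "no /proc/self/status here; pass a mask to dangerous_caps_in_mask instead" >&2
        return 2
    fi
    bnd=$(awk '/^CapBnd:/ { print $2 }' /proc/self/status)
    echo "CapBnd: $bnd"
    remaining=$(dangerous_caps_in_mask "$bnd")
    if [ -n "$remaining" ]; then
        echo "still in bounding set: $remaining"
    else
        echo "CAP_SYS_MODULE and CAP_SYS_RAWIO are both dropped"
    fi
}

# Constructed sample masks: a full 41-bit set, and the same set with bits 16
# and 17 cleared (0x1ffffffffff & ~0x30000 = 0x1fffffcffff).
FULL_MASK=000001ffffffffff
HARDENED_MASK=000001fffffcffff

check_current_process || true
```

Run it as a script to see the current process's bounding set, or source it and call dangerous_caps_in_mask with a CapBnd value copied from another process's status file. As the thread notes, dropping CAP_SYS_MODULE alone is not enough: CAP_SYS_RAWIO governs /dev/mem, which is why the check looks at both bits.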