Re: patch for 2.1.84: configurable execute_program--testers needed

James Mastros (root@jennifer-unix.dyn.ml.org)
Sun, 1 Feb 1998 03:16:57 -0500 (EST)


On Sun, 1 Feb 1998, Trevor Johnson wrote:
> James Mastros wrote:
> > Boot-floppy! (of course, you could just put a kernel on the boot-floppy...)
> > Security through obscurity at its worst!
>
> I use an analogous patch with Linux 2.0 on a PC which I set up for the use
> of students at a high school.
If only my school were so enlightened... sigh.

> On this particular PC, I moved the cable to the
> position where it is not bootable. Other possibilities would be removing
> the floppy drive entirely or putting the main part of the computer in a
> locked cabinet. I thought the dangers of bootable floppies and insecure
> furniture were well-known.
Indeed they are. (My preferred solution would be to flop the bios switch for
booting off the floppy, then password-protect the bios. That way, students
can put things on floppies.)

> This patch does not rely on security through obscurity; it simply makes it
> possible for the user to configure out a seldom-used feature of the
> kernel.
Right... you can't use this patch for security, like (whomever I replied to)
suggested.

> With the stock kernel, the feature is enabled whether the user
> wants it (or knows it exists) or not. Calling this "insecurity through
> obscurity" would not be a great exaggeration.
Not really. Disabling the init= option doesn't make the system much more
secure. You could, for example, put in a floppy with a root, and set root=.
Or you could put in a boot-floppy (on most systems).

-=- James Mastros

-- 
   "I'd feel worse if it was the first time.  I'd feel better if it was
   the last."  
   	-=- "(from some Niven book, doubtless not original there)" 
	    (qtd. by Chris Smith)