Re: (harmless?) race in module loading.

James Mastros (
Mon, 18 May 1998 23:08:24 -0400 (EDT)

On Tue, 19 May 1998, Chris Wedgwood wrote:
> > Does this matter?
> I'm basically of the opinion that anyone who can cause a module to be loaded
> should be considered to have some kind of trust anyhow... this means if you
> use serial ports as a module, then anything that can open these devices
> should be considered special so some extent.

I would tend to disagree: if all the files involved are only writable by
root, there is no reason why we shouldn't trust dynamicly loadable
modules. The basic theory, IMHO, is that if there is no reason why
somthing is fundemently untrustable without castration, we should make
every reasonable attempt to make it trustworthy. As far as I can tell,
there is no reason why dynamicly loaded modules are fundemently
untrustable, assuming that we trust all users who can write to any of the
files involved in the process of loading the module, *after the trigger*.
That is to say, if we trust /etc/{modules.conf,conf.modules},
/proc/sys/kernel/modprobe (and the file it points to), and the module
itself, there is no reason that dynamicly loading the module should be any
less safe then allowing the user to use compiled-in kernel drivers.

I certianly won't dissagree, however, if you are saying that anyone who
can load _arbitary_ kernel modules is speical -- indeed, more powerful
then even root without that power.

-=- James Mastros

True mastery is knowing enough to bullshit the rest.
	-=- Me

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to