[Gllug] Partioning advice needed

- Tethys tethys at gmail.com
Tue Feb 20 11:55:43 UTC 2007


On 2/20/07, Nix <nix at esperi.org.uk> wrote:

> I dunno. systemtap's `write a kernel module and compile it' feels icky
> at first sight, until you consider that without that you'd need a
> kernel-side interpreter, and one of those (ACPI) is quite enough.

Oh agreed. I thought it was a hideous hack at first, until I realised
that the alternative is to put the interpreter into kernel space,
which IIRC is what dtrace does.

> > a matter of time before it caught up and overtook dtrace. It still
> > has some useability issues (particularly when, for example, trying to
> > trace a program on a production box without a C compiler),
>
> That's never going to work.

Actually, it does. You need to jump through a few hoops to do it, but
it's quite feasible to compile up the kernel module on another box,
and copy it over for systemtap to use. It's just a pain in the arse.
Apparently, they're looking to make this easier in the future.

> some idiot security staffs seem to think that C compiler -> security
> hole, perhaps thinking that the days when worms and rootkits sent C code
> over the net and compiled themselves on the target were still with us:
> hint, they're not).

That's not the problem. There are two issues. Firstly, as a general
principle, I have as little installed on my production boxen as
possible. If nothing else, that means a yum / apt-get update doesn't
update a load of useless stuff that you neither use nor care about (and
hence, you don't risk having something you *do* care about getting lost
in the noise). Secondly, a compiler *is* still a security risk. Less
so from worms and rootkits, but if someone is able to exploit a
vulnerability and get to a shell, then being able to compile arbitrary
code gives them a head start. Yes, there are ways around it (I've cut
and pasted uuencoded binaries into a redirect to a file in the past to
get around this), and it's a fairly small risk in the greater scheme
of things, but it's just raising the bar that little bit higher, and
as far as I'm concerned, every little helps. Besides, what valid
reason is there for having a compiler on a production box anyway?

> I'll find it much more useful when it works in userspace too: nearly
> all my work is on userspace apps.

That's true, but I tend to find most of the problems with my userspace
apps stem from either their interaction with the kernel or with their
memory management. Systemtap is invaluable in the former case, and
valgrind takes care of the latter.

Tet
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
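The cross-build workflow Tet describes (compile the systemtap module on a box that has a compiler, copy it over, run it on the compiler-less production box), written out as an added example. This is not code from the original mail or from the systemtap project; the script name syscalls.stp, the module name syscalls, the kernel release 2.6.18-8.el5 and the hostname prod are assumed for illustration. The build host needs the target kernel's build tree (and debuginfo, for anything beyond syscall probes) installed under /lib/modules/<release>/, and the release passed with -r must be exactly the target's `uname -r`, otherwise the module will not load.

```shell
#!/bin/sh
# Added example (not from the original mail): build a systemtap module where
# gcc lives, ship the .ko, run it with staprun where gcc does not.
# Assumed names: syscalls.stp, module "syscalls", kernel 2.6.18-8.el5, host prod.
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A small script to build: count syscalls per executable for five seconds.
write_script() {
    cat > "$1" <<'EOF'
global syscalls
probe syscall.* { syscalls[execname()]++ }
probe timer.s(5) { exit() }
probe end {
    foreach (e in syscalls- limit 10)
        printf("%-20s %d\n", e, syscalls[e])
}
EOF
}

# Build host: -r picks the target kernel release (must equal its `uname -r`),
# -m fixes the module name, -p4 stops after the compile pass instead of
# loading the module here. The result is ./<module>.ko.
build_module() {
    krelease=$1; script=$2; module=$3
    run stap -r "$krelease" -m "$module" -p4 "$script"
}

# Copy the prebuilt module to the production host; no stap or gcc needed there.
ship_module() {
    ko=$1; host=$2
    run scp "$ko" "$host:/tmp/$ko"
}

# Production host: staprun loads and runs the module. It needs root or
# membership of stapdev/stapusr; stapusr members may only run modules that
# live under /lib/modules/$(uname -r)/systemtap/, so copying it there
# (with root-owned permissions) is the tidier option for unprivileged use.
run_module() {
    ko=$1
    run staprun "$ko"
}

# Full sequence, as it would be typed on the build host and then on prod.
main() {
    write_script syscalls.stp
    build_module 2.6.18-8.el5 syscalls.stp syscalls
    ship_module syscalls.ko prod
    # then, on prod:  staprun /tmp/syscalls.ko
}
```

Run it with DRY_RUN=1 first to see the exact stap and scp invocations. The module is tied to the kernel it was built for: a different release, or the same release with a different config, fails at load time with a version-magic mismatch, so keep one prebuilt .ko per production kernel.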