Top post FTW.

On Mon, Nov 08, 2010 at 12:05:05AM +0000, Cian Brennan wrote:
On Fri, Oct 29, 2010 at 11:45:51PM +0100, James Reggie Reilly wrote:
After barely reading this thread I'd be all for blacklisting shit code we've no use for.
And loading modules after boot is really handy, I can't think of a use RedBrick would have for doing it though, but I use modprobe all the time.
So, continuing on this discussion
Firstly, we should blacklist X.25 (net-pf-9 is the module). I don't think it realistically affects us, but CVE-2010-3873 gives you a remote DOS based on some bug in this code.
Secondly, can I suggest testing disabling module loading on carbon? If it works there, we can look at moving it to some of the more important machines, if it doesn't, we can just reboot it, without any great effects, given that it runs no real services.
Thanks Cian
I'd be up for this alright. We should open a ticket for this in, you know, our ticketing system. We can then add to that ticket the list of modules to blacklist, instead of a mail buried in my inbox.
On Fri, Oct 29, 2010 at 04:17:13PM +0100, Cian Brennan wrote:
On Fri, Oct 29, 2010 at 04:06:37PM +0100, Austin Halpin wrote:
On Fri, Oct 29, 2010 at 01:41:47PM +0100, Andrew Harford wrote:
On Fri, Oct 29, 2010 at 11:34:58AM +0100, Cian Brennan wrote:
I'd like to suggest that in future when we find a bug in any of the kernel modules we have no reason to ever use (and there are almost certainly lots of these), we blacklist the module from then on. Someone should add a page to docs with a list of the modules we have blacklisted, and what they do then, so as to make it easier to keep the list across new installs, and so that people can figure out what's wrong when we do decide we need one of them.
This is a good idea. +1 There's no reason we couldn't include a modprobe conf in a package, that would ensure the blacklist stayed consistent across all machines and new installs. Yes, I am definitely in favour of this.
Is there a reason we need to be able to load modules after boot though?
http://www.crashcourse.ca/introduction-linux-kernel-programming/lesson-3-car...
Just from briefly reading this, it seems that they're pretty handy. I'm not sold on disabling the ability to.
Theoretically, they're pretty useful. I'm not sure that there are that many use cases for us in particular. Certainly, I can't think of any.
-- Andrew Harford
Did you hear that Meg? Guys can marry other guys now. So...this is awkward, but I mean, if they can do that, that is pretty much it for you, isn't it? I mean you as well pack it in. Game over. --Stewie Griffin
_______________________________________________ Admin-discuss mailing list Admin-discuss@lists.redbrick.dcu.ie http://lists.redbrick.dcu.ie/mailman/listinfo/admin-discuss
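An added example, not part of the thread or of RedBrick's configuration: a shell audit of a modprobe configuration directory, of the kind the proposed packaged blacklist could be checked with. It distinguishes a `blacklist` line (which only makes modprobe ignore a module's own aliases) from an `install <name> /bin/true` override (modprobe runs that command instead of loading). Assumptions: `x25` as the module behind `net-pf-9`, the file name `redbrick-blacklist.conf`, and the `appletalk` entry are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reports how a module or alias is blocked in a modprobe
# configuration directory: "install", "blacklist" or "none".
module_block_status() {
    dir=$1; name=$(printf %s "$2" | tr - _); status=none
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        while read -r kw mod rest; do
            case $kw in ''|'#'*) continue ;; esac
            # modprobe treats '-' and '_' in names as equivalent
            [ "$(printf %s "$mod" | tr - _)" = "$name" ] || continue
            case $kw in
                install)   # modprobe runs this command instead of loading
                    case $rest in /bin/true|/bin/false) status=install ;; esac ;;
                blacklist) # only stops loading via the module's own aliases
                    [ "$status" = install ] || status=blacklist ;;
            esac
        done < "$f"
    done
    printf '%s\n' "$status"
}

# Constructed sample config (hypothetical file name and contents).
write_sample_conf() {
    cat > "$1/redbrick-blacklist.conf" <<'EOF'
# X.25: CVE-2010-3873
install net-pf-9 /bin/true
install x25 /bin/false
# constructed entry showing the weaker form
blacklist appletalk
EOF
}

# Exit 0 only if every listed name is blocked with an install override.
audit_modules() {
    dir=$1; shift; rc=0
    for m in "$@"; do
        s=$(module_block_status "$dir" "$m")
        printf '%-12s %s\n' "$m" "$s"
        [ "$s" = install ] || rc=1
    done
    return $rc
}

tmp=$(mktemp -d)
write_sample_conf "$tmp"
audit_modules "$tmp" net-pf-9 x25 appletalk || echo "some modules are not fully blocked"
rm -rf "$tmp"
```

Neither form stops a direct `insmod`; that is the case the module-loading lockdown discussed in the thread would cover.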