This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
Re: kprobes on by default in 2.6.20.1 kernel.org kernels
- From: Nathan DeBardeleben <ndebard at lanl dot gov>
- To: "Keshavamurthy, Anil S" <anil dot s dot keshavamurthy at intel dot com>
- Cc: "systemtap at sources dot redhat dot com" <systemtap at sources dot redhat dot com>
- Date: Thu, 01 Mar 2007 16:56:30 -0700
- Subject: Re: kprobes on by default in 2.6.20.1 kernel.org kernels
- References: <45E60F1E.80302@lanl.gov> <20070301214638.GA2353@bambi.jf.intel.com>
You know, it's not really me that has a problem with it. I subscribe to
the camp of: If it requires root to run a probe, then someone who has
root can already do some pretty nefarious things to your system.
However, due to the fact that with kprobes you can slip in a probe, and
then even hide that probe from being reported, I think some people I
work with are scared that it leaves them slightly more exposed / vulnerable.
I'd love to be able to convince them to let me run probes on production
systems but at this time they're relegated to test machines. Honestly
I'd like to be able to add to my repertoire a good argument to allow
kprobes on by default on these machines but when you're dealing with
security plans and documents and whatnot a new technology like this is
easily deemed scary, unknown, and just relegated to the "security risk"
column.
-- Nathan
Correspondence
---------------------------------------------------------------------
Nathan DeBardeleben, Ph.D.
Los Alamos National Laboratory
Parallel Tools Team
High Performance Computing Environments (HPC-4)
phone: 505-667-3428
email: ndebard@lanl.gov
---------------------------------------------------------------------
Keshavamurthy, Anil S wrote:
> On Wed, Feb 28, 2007 at 04:24:14PM -0700, Nathan DeBardeleben wrote:
> > I just wanted to probe (har har) to see if you guys knew why kprobes is
> > set to "Y" (in the kernel) by default on the latest 2.6.20.1 kernel I
> > got from kernel.org. I don't consider this a great move and am a little
> > worried about it. For one thing, I know now we'll actively make certain
> > it's off in all future kernels we build that are intended for production
> > machines.
> Can you please explain your cause for worry in detail. In what way is it
> causing problems? Hopefully we can address your concerns.
> > I grabbed the latest kernel to do some kprobes testing, went to
> > configure it to turn probing on and was very surprised to find it on by
> > default.
> As a matter of fact, KPROBE is enabled by several major OSD like
> Red Hat and SuSE on their enterprise versions and has been in
> the market since the beginning/middle of last year.
> > What's the process that the kernel maintainers go through to determine
> > which options are on by default anyway?
> AFAIK, there is no formal process (depends on developer community).
> And if you are building a kernel for production machine then I assume
> you just don't depend on default config which can turn on lots of stuff
> intended for testing and experimental purposes.
> -Anil Keshavamurthy
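The thread turns on two practical questions for anyone maintaining production kernels: is CONFIG_KPROBES built into the kernel you ship, and what probes are actually registered on a running box. The script below is an added example, not code from this thread or from the systemtap project; it checks a kernel config text for CONFIG_KPROBES and reads the debugfs files that the kernel's kprobes documentation describes (/sys/kernel/debug/kprobes/list and /sys/kernel/debug/kprobes/enabled). The config fragment and probe listing embedded in it are constructed samples so it can run offline; pass --live to inspect the running system (root and a mounted debugfs are needed for the debugfs part).

```shell
#!/bin/sh
# Added example (not from the archived thread): audit whether a kernel has
# kprobes built in and, on a live system, what the kprobes subsystem has
# registered. Sample inputs below are constructed for offline use.

# kprobes_in_config CONFIG_TEXT: exit 0 if CONFIG_KPROBES=y, 1 otherwise.
kprobes_in_config() {
    printf '%s\n' "$1" | grep -q '^CONFIG_KPROBES=y$'
}

# count_probes LIST_TEXT: number of entries in a kprobes/list dump.
# Each entry is one line: address, type (k/r/j), symbol+offset, flags.
count_probes() {
    printf '%s\n' "$1" | grep -c '^[0-9a-fx]\{1,\}[[:space:]]' || true
}

# disabled_probes LIST_TEXT: symbol+offset of entries flagged [DISABLED].
# A disabled probe is still registered and can be armed again later.
disabled_probes() {
    printf '%s\n' "$1" | awk '/\[DISABLED\]/ { print $3 }'
}

# live_config: print the running kernel's config from the usual locations.
live_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# audit_live: report on the running system (debugfs needs root).
audit_live() {
    cfg=$(live_config)
    if [ -z "$cfg" ]; then
        echo "no kernel config found for $(uname -r)"
    elif kprobes_in_config "$cfg"; then
        echo "CONFIG_KPROBES=y in running kernel $(uname -r)"
    else
        echo "kprobes not built into running kernel $(uname -r)"
    fi
    list=/sys/kernel/debug/kprobes/list
    if [ -r "$list" ]; then
        echo "registered probes: $(count_probes "$(cat "$list")")"
        # kprobes/enabled is the global arm/disarm switch (1 = armed).
        echo "probes globally enabled: $(cat /sys/kernel/debug/kprobes/enabled)"
    else
        echo "$list not readable (debugfs not mounted or not root)"
    fi
}

# Constructed sample of a kernel .config fragment.
SAMPLE_CONFIG='CONFIG_MODULES=y
CONFIG_KPROBES=y
# CONFIG_KGDB is not set'

# Constructed sample in the kprobes/list layout (addresses are made up).
SAMPLE_LIST='ffffffff81234560  k  do_sys_open+0x0
ffffffff81345670  r  do_fork+0x0    [DISABLED]
ffffffff81456780  k  sys_execve+0x0    [FTRACE]'

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    kprobes_in_config "$SAMPLE_CONFIG" && echo "sample config: kprobes built in"
    echo "sample list: $(count_probes "$SAMPLE_LIST") probes registered"
    echo "sample list: disabled probes: $(disabled_probes "$SAMPLE_LIST")"
fi
```

The config check is the one that matters for a kernel you build yourself: it is the line to grep for in the .config you commit, rather than trusting what `make defconfig` chose. The debugfs listing only reports what has been registered through the kprobes API, so it is a baseline for comparison over time rather than a complete inventory of everything instrumenting the kernel.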