I am aware that many of the options I am requesting information about
are available as extensions, modules, and configuration file options.
However, I am still interested in enabling / disabling these options at
the kernel level. For example, when I asked about the KERNEL LEVEL
customization of allowing or disallowing IP packet forwarding I am more
interested in DISABLING it via the kernel.
Basically, as written above, it is done via a sysctl, which can only be performed by root (or sudo-enabled users with root access - the administrator checkbox does this). So if you explicitly set this to zero, nobody can do forwarding. Removing the entire code from the kernel should not change much, because someone with root privileges should be able to boot any kernel, so even with no kernel on the box, one could create one and put it on the box if there is somehow access from/to the outside (network, disks, CDs, etc.). So there shouldn't be any other risk.
[...] Additionally, disabling a
CD-burner in kernel space has its reasons as well. Assume I want the
ability to burn CDs and am willing to swap kernels for this. I want to
be assured that other users of my systems ARE NOT burning CDs which may
contain proprietary data. Essentially trusted users have access to the CD-R
enabled kernel... other users don't. These are the kinds of "hobby
projects" that I work on! Admittedly these procedures are a bit
extreme... but as a security consultant I am always interested in the
MANY ways a solution could be achieved.
One question would be how you will do the trick that only specially recognized people are able to boot one specific kernel. At least the standard boot process does not enable one to choose which kernel to boot after authentication. The user authentication is done after the kernel is loaded. So there should be some way, but as far as I understand Open Firmware and stuff, I will be able to enter Open Firmware and no one will stop me. At least if there is some password feature, I could simply erase nvram/etc. using some killing keystroke or pressing some button (it is done with some key combination on my iBook) and then use the standard key combination to enter Open Firmware and tell it by hand which kernel to boot.

On the other hand, you could simply use Darwin's ability to load kernel extensions at runtime (and unload them) without changing kernels. If just one kernel extension is used for burning CDs (and this is not done through the userland tools, which just need raw access to CD writers), you could disable it. But maybe all the stuff is done in userland, so there would be two solutions:

a) disabling whole CD/CD-writer access (so no reading of CDs possible)
b) enabling all

Well, there would be another solution. As far as I understand, CD writers need direct access to the drivers to send them arbitrary commands. Maybe you are able to just disable this ability; maybe this can be done by changing some sysctl.

--
Greetings
Matthias Kretschmer
_______________________________________________
darwin-kernel mailing list | darwin-kernel@lists.apple.com