Subject: Re: CVS commit: src/sys/arch
To: David Laight <david@l8s.co.uk>
From: Simon Burge <simonb@wasabisystems.com>
List: tech-kern
Date: 09/08/2003 12:23:53
David Laight wrote:

> On Sun, Sep 07, 2003 at 02:29:25PM -0400, kpneal@pobox.com wrote:
> > Moved to tech-kern because my question has nothing to do with
> > source commits in progress.
> > 
> > On Sat, Sep 06, 2003 at 08:14:40PM +0100, David Laight wrote:
> > > Of course, if you can read /dev/mem you can find the current state.
> > 
> > Say, why do we need /dev/kmem and /dev/mem these days? Are they
> > still needed for ps and friends? X11 device drivers?
> 
> ps doesn't but there are still programs that think it is a good idea
> to trawl through kmem to find data.
> 
> > Wouldn't we be better off security-wise without them? 
> 
> yes.
> 
> > Would it be reasonable to make them optional?
> 
> Might be interesting to see just how much doesn't work :-)
> 
> No stats from ipf, not sure about top, vmstat, much of systat, some
> brain-dead tcp utilities that grovel out tcp sequence numbers....

top is safe, but many of the other *stat programs aren't.

"find -x / -group kmem -perm -02100" shows:

	/sbin/ccdconfig
	/usr/bin/fstat
	/usr/bin/modstat
	/usr/bin/netstat
	/usr/bin/sysstat
	/usr/bin/systat
	/usr/bin/vmstat
	/usr/sbin/pstat
	/usr/sbin/slstats
	/usr/sbin/trpt
	/usr/sbin/trsp

I have just about finished mods for vmstat to use sysctl (and thus drop
the kmem bit).  Someone else has part (most?) of netstat done.  ccdconfig
is in that list for hysterical raisins.  systat will pretty much come
last since it fetches lots of different types of info from the kernel.

Simon.
--
Simon Burge                            <simonb@wasabisystems.com>
NetBSD Support and Service:         http://www.wasabisystems.com/