Subject: Re: more on disk stats
To: None <perry@piermont.com>
From: Jason Thorpe <thorpej@SJ.Xenotropic.COM>
List: tech-kern
Date: 11/14/1995 13:37:24
On Tue, 14 Nov 1995 15:09:31 -0500
"Perry E. Metzger" <perry@piermont.com> wrote:
> to get that sort of information out without running any daemons on the
> machine -- indeed, all my machines at home listen to the network
> minimally if at all. This is important for security at many
> sites. Besides, the idea of making system utilities like netstat
> dependent on having a daemon running just plain feels bad.
That doesn't mean you have to run snmpd. Just that sysctl() takes those
arguments...
> On the other hand, having netstat and other utilities (including ps
> and others) use sysctl() could be potentially really good, both from a
> point of view of cleanliness of interface and because such utilities
> might not need suid privs any more, which can improve security a lot.
ps, et al. don't need to be setuid. Instead, they're setgid kmem, and
group kmem has read-only access to the kvm space.
I think, though, that people seem to be missing one of the _really_
important features of using libkvm in these cases: it works on dead
kernels/crash dumps. Try using a procfs-based ps(1) to look for the
process that made the last kernel panic and dump core. So, if you have
to keep the libkvm interface around anyhow, why add a completely
different and less flexible interface?
> Again, although this is technically what the standards say you should
> do, I'm not sure it actually feels good. I've been in environments
> where people have experimented with lots of remote management tools,
> and SNMP is great for getting stats off of routers but lousy for
> actually altering their configurations -- and it seems like a lose for
> running machines.
I'd tend to agree. Community strings are somewhat less than secure, but
you can always configure the agent to allow read-only access.
------------------------------------------------------------------------------
Jason R. Thorpe thorpej@Xenotropic.COM
Just me and my collection of obsolete computer gear(s).
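The two SNMP points in the reply above (community strings are "less than secure", and an agent can be limited to read-only access) can be made concrete with a small SNMPv1 (RFC 1157) encoder/decoder. The code below is an added example, not code from the message or from any SNMP agent: it builds a GetRequest and a SetRequest in BER, decodes them to show that the community string is plain text in every packet, and applies the read-only policy the reply suggests by refusing SetRequest PDUs from a community that is only in the read-only set. Function names, the `agent_allows` policy and the sample community strings are illustrative assumptions.

```python
"""Toy SNMPv1 (RFC 1157) message codec, added as an illustration. It shows
that the community string is cleartext on the wire and how a read-only
community policy refuses SetRequest PDUs. All names are illustrative and
not a real agent's API."""

# ASN.1 BER tags used in SNMPv1 messages
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST, TAG_GET_NEXT_REQUEST, TAG_SET_REQUEST = 0xA0, 0xA1, 0xA3
PDU_NAMES = {TAG_GET_REQUEST: "GetRequest", TAG_GET_NEXT_REQUEST: "GetNextRequest",
             TAG_SET_REQUEST: "SetRequest"}


def _encode_length(n):
    """BER length: short form below 128, long form (0x80 | nbytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _encode_length(len(content)) + content


def _encode_integer(value):
    """Minimal-length two's complement INTEGER, as BER requires."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return _tlv(TAG_INTEGER, value.to_bytes(length, "big", signed=True))


def _encode_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed as 40*x+y, rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # continuation bytes carry bit 7 set
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def build_snmpv1(community, pdu_tag, request_id, oid):
    """Message ::= SEQUENCE { version 0, community, PDU } with one varbind."""
    varbind = _tlv(TAG_SEQUENCE, _encode_oid(oid) + _tlv(TAG_NULL, b""))
    pdu = _tlv(pdu_tag, _encode_integer(request_id) + _encode_integer(0)
               + _encode_integer(0) + _tlv(TAG_SEQUENCE, varbind))
    return _tlv(TAG_SEQUENCE, _encode_integer(0)
                + _tlv(TAG_OCTET_STRING, community.encode("utf-8")) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos); reject elements that overrun the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def _decode_oid(content):
    subids, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + subids[1:])


def parse_snmpv1(packet):
    """Decode the message header and PDU; the community comes back as plain text."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    tag, comm, pos = _read_tlv(msg, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("missing community string")
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, p = _read_tlv(pdu, 0)       # request-id
    _, _, p = _read_tlv(pdu, p)         # error-status
    _, _, p = _read_tlv(pdu, p)         # error-index
    _, vbl, _ = _read_tlv(pdu, p)       # VarBindList
    oids, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid_content, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid_content))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": comm.decode("utf-8", errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big", signed=True), "oids": oids}


def agent_allows(msg, ro_communities, rw_communities):
    """Illustrative read-only policy: Get/GetNext for ro or rw, Set only for rw."""
    if msg["pdu"] == "SetRequest":
        return msg["community"] in rw_communities
    return msg["community"] in ro_communities or msg["community"] in rw_communities
```

Running `parse_snmpv1` over a captured packet is exactly what an attacker on the same segment would do; the community string is the only credential in SNMPv1, so restricting it to read-only bounds what a sniffed string can be used for, but does not stop the stats themselves from being read.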