variant symlinks vs VFS, and microkernels vs error kernels

Mike Porter mupi at mknet.org
Sat Oct 4 08:36:52 PDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 03 October 2003 07:21 pm, Chris Pressey wrote:
> On Fri, 3 Oct 2003 15:11:10 -0600
>
> No, we don't need to force anyone...
> If VFS is done right, everyone will *want* to use it :)
>
As sander pointed out, what about sysdmin overhead?  Yes, VFS is desireable, 
nobody here (that I know of) is arguing anything else.  However, for my use, 
which is basically my computer at home, I don't need VFS.  I don't want to 
spend the time configuring it, and making it work right.  I would probably 
play with it some, so that I would know how at some point in the future when 
I may need it, but unless it has something other than things previously 
discussed, it simply isn't worth it for my situation.

> > For me, for exmaple, VFS is waaay overkill; all I want is to
> > be able to install perl 5.8 and gcc 3.4, without killing my system
> > compiler and perl interpreter.
>
> Then, honestly, variant symlinks are probably overkill too.
>
> I mean, in a sense, this problem was originally "solved" with $PATH - if
> program X needs a specific version of Y, prepend the directory that that
> version of Y is in to the $PATH, before running X.  Problem solved!...
> except for li'l things like include files (generally have their own
> $xxx_INCLUDE_PATH) and hash-bang (and I have no idea why hash-bang
> doesn't honour $PATH) and fully-qualified references to programs for
> security reasons and oh, by the way, $PATH generally just kind of sucks.
>

AS you point out, $PATH doesn't actually solve the problem.  Installing, e.g., 
a new version of gcc will almost certainly mangle something in my system's 
compiler.  Done right, under variant symlinks, the new version of the 
software will never see the stuff which belongs to the old version of the 
software.  Yes, it is less 'secure' but security is not the primary concern 
for me.  As I said, I have my one computer; its not like I am hosting the 
hotmail site or something, where there are 20 million people trying to break 
my site every day.

> > Some of the other advantages that come along for the
> > ride, such as /usr/src as a varant symlink, allow me to more easily
> > deal with multiple source trees are nice, but not necessary, in the
> > same sense.
>
> And even more stuff has the potential to come along "for free" with VFS,
> as I understand it.
>
yes but at what cost does the stuff come 'for free'?  with variant symlinks, 
there is no cost if you don't define them.  With VFS, I assume you could turn 
it off with kernel options, and there would likewise be no cost....but also 
no benefit.  variant symlinks could also be set up to be disabled from kernel 
config, as well as on a per-filesystem basis at the time mount is run by 
specifying a flag.

> > [...] But why can't we have both?
>
> No reason, except that multiplicity begets complexity.
>
> Let me qualify that.  Insofar as the level of complexity is manageable,
> diversity is a good thing.  After a point, though, it becomes
> overwhelming.
>
> Yes, the level of complexity of using just varsyms and VFS together is
> probably manageable.  But add to those: regular symlinks, hardlinks,
> $PATH, chroot's/jails, unionfs/nullfs, paths and other magic *in*
> varsyms, shell aliases, wrapper scripts, and executables that act
> differently depending on the value of argv[0]... and you've got yourself
> quite the rat's nest.
>
none of these would be really any different with or without variant symlinks, 
especially if we do as matt suggests, and simply treat them as symlinks for 
the purposes of ls and the like.  This does make a stronger case for VFS for 
those who are wanting something to enhance the security of their system. 
(something that nobody has claimed, at least not that I saw, for variant 
symlinks).  argv[0] is not going to go away, regardless of whether you use 
VFS or variant symlinks.  but the variant symlinks make it clearer, where VFS 
can make it appear that it acctually is a different program.  hardlinks and 
$PATH will still be present in VFS.  chroot/jail will be much nicer, 
stronger, anyway, with VFS; but nothing in variant symlinks changes this or 
makes it harder or more complex.

> If I could scrap it all and just use VFS, I would.
> At the very least, it would put all the configuration in one place, I
> imagine, instead of having it sprawl everywhere, as it does today.
>
> > [...] sure poking
> > through /usr/local/gcc/ would eventually get them a gcc, but changing
> > permissions on the directory /usr/local/gcc/ to prevent execution
> > prevents ls from showing anything, effectively blocking them unless
> > they know enough to guess the directories below it.
>
> I realize it's a subtle and somewhat paranoid idea that's probably more
> appropriate in OpenBSD circles, but say I want to really lock down a
> system in this way.  I don't just want a directory that can't be listed
> - the very existence of such a directory could give an attacker clues
> about how I've set up my system.  And let's say there's a badly-written
> setuid binary lying around; the attacker might be able to exploit it to
> get into that directory.
>
If you are seriously in need of a system that secure, just run "ifconfig 
<interface> down" and you needn't worry about 'net attacks from <interface>.  
There's still physical security to worry about, but if you can't control the 
physical security of the computer, and the physical filesystem is accessible 
from single user mode anyway, it's a moot point; anyone who can comprimise 
your physical security will be able to defeat the VFS.

>
> And if the real underlying filesystem is only available in single-user
> mode, maybe even the damage that could be done should that attacker gain
> root access, could be mitigated.  I kind of doubt it, but who knows?
> The thing is, VFS is a step towards this, even if it doesn't get there;
> whereas varsyms are a step to the side, albeit one that would come in
> handy for lots of things.
>
My point is that varsyms are more than just "handy for lots of things" they 
actually solve real problems (like how to have a ports system that uses one 
compiler, while the system is restricted to a different version, without 
trampling each other's files) in a simple and elegant way.  VFS is designed 
to, and does a good job, of solving other problems--certainly very real 
problems to those that have them, but different problems, nonetheless.

> Also - I'm trying to avoid making a case against them on that level.
> Good or bad, variant symlinks would be just plain *unnecessary* in the
> presence of a well-done VFS.  At best, to me, they're scaffolding to
> help get us to that point, and as such, we needn't be perfectionists
> about them.

I think that remains to be seen.  In my experience, any such layer involves a 
great deal of setting things up, configuring, tweaking etc.  Even if the 
underlying code is sound, there is still a lot of individual configuration 
that needs to be done; take jail, just as an example, one of the things which 
VFS purports to 'solve.'  For the majority of users, I don't think that level 
of complexity is necessary.  I agree wholehartedly that for those users who 
*DO* want it (and I would suggest that it is a not-so-insignificant 
miniority) we should provide it.  I *don't* think that any core functionality 
of the OS should be based on it.  Remeber the problems with 'stacker' or 
'doublespace' or 'drivespace' or whatever they are calling it these days?  I 
believe that the ports/packaging system is part of the core functionality of 
an OS.


 mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE/fufoY30jZzkECLcRAg5oAKDDqHpF5biJA22fRve7Gt0bPQeWgQCfXYOf
MlSluOkkzqhRPqdA9eHXg34=
=hkgn
-----END PGP SIGNATURE-----







More information about the Kernel mailing list