Once again: icing is pointless without the cake...

Posted Jul 29, 2011 5:32 UTC (Fri) by Kissaki (subscriber, #61848)
In reply to: Once again: icing is pointless without the cake... by khim
Parent article: Signs of life from GNU Hurd

It sounds to me like you're comparing this apple to an orange. Hurd has some architectural differences that have little practical impact in the current implementation, but bode well for the future.

If you want to use Hurd as a system from which to video chat with your friends tomorrow, well, that might be a challenge. Maybe you should use Linux instead. If you are interested in seeing what the Hurd concepts are about or might bring down the road, you might want to play in this sandbox.

As for why you would want to run a VPN client as other than root, I hope you're kidding. Two trivial answers occur off the top of my head. The first one is that a non-root VPN client means VPN client bugs don't automatically threaten system compromise. The other is that as a normal user I can take advantage of VPN technology without having to bug the sysadmin and get him or her involved in the key exchange.

For me, the security implications and practical benefits of the differences are exciting. In my mind Hurd is a nice step towards capability-based security (instead of ACL-based). I hope my theory bears out, but even if it doesn't, the modularity is much closer to the Unix philosophy as I learned it (small tools that do one thing well) than the monolithic kernel could ever be.
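The comment above contrasts ACL-based (identity-checked) access with capability-based access. The following toy model, added here as an illustration and not code from LWN, the commenter or the Hurd project, shows the property that matters for the "bugs in a privileged daemon threaten the whole system" argument: under ACLs a privileged service acts with its own ambient authority and can be pointed at any file it may write (the classic confused deputy), whereas under capabilities the service can only write through a handle its caller already held. All users, paths and file contents are constructed for the example; real capability systems rely on the kernel to make handles unforgeable, which this Python model only assumes.

```python
"""Toy model: ACL-based (ambient authority) vs capability-based access.

Constructed example; users, file names and contents are made up.
"""


# ---------------- ACL world: authority comes from who the caller is ----------------

class AclStore:
    """Files guarded by per-file write ACLs, checked against the caller's identity."""

    def __init__(self):
        self.files = {}  # name -> contents
        self.acls = {}   # name -> set of users allowed to write

    def create(self, name, contents, writers):
        self.files[name] = contents
        self.acls[name] = set(writers)

    def write(self, user, name, contents):
        if user not in self.acls.get(name, set()):
            raise PermissionError(f"{user} may not write {name}")
        self.files[name] = contents


def acl_log_service(store, outfile, message):
    """A privileged 'deputy' running as the 'logsvc' user (assumed name).

    It appends a message to a file the *caller* names, but the ACL check uses
    the deputy's own identity, so the caller's own (lack of) rights never
    enters the decision.  A bug or a hostile caller can aim it at any file
    logsvc may write.
    """
    store.write("logsvc", outfile, store.files.get(outfile, "") + message)


# ---------------- Capability world: authority is a handle you were given ----------------

class WriteCap:
    """Holding one of these IS the permission to append to one file.

    Unforgeability is assumed here (a real capability OS enforces it in the
    kernel); what the model shows is the absence of ambient authority.
    """

    def __init__(self, store, name):
        self._store = store
        self._name = name

    def append(self, message):
        self._store._append(self._name, message)


class CapStore:
    def __init__(self):
        self.files = {}

    def create(self, name, contents):
        """Creating a file returns the only write capability for it."""
        self.files[name] = contents
        return WriteCap(self, name)

    def _append(self, name, message):
        self.files[name] = self.files[name] + message


def cap_log_service(cap, message):
    """The deputy receives a capability, not a file name.

    It can only write where the caller could already write, so there is no
    privileged identity for a bug to misuse.
    """
    cap.append(message)


def demo():
    """Run both worlds and report what each deputy could be made to do."""
    results = {}

    # ACL world: alice cannot touch the password file directly...
    acl = AclStore()
    acl.create("/etc/passwd", "root:x:0:0:root:/root:/bin/sh\n", writers={"root", "logsvc"})
    acl.create("/home/alice/app.log", "", writers={"alice", "logsvc"})
    try:
        acl.write("alice", "/etc/passwd", "tampered\n")
        results["acl_direct"] = "allowed"
    except PermissionError:
        results["acl_direct"] = "denied"
    # ...but the privileged deputy writes wherever it is pointed.
    acl_log_service(acl, "/etc/passwd", "tampered\n")
    results["acl_via_deputy"] = "tampered" in acl.files["/etc/passwd"]

    # Capability world: alice only ever holds the handle to her own log.
    caps = CapStore()
    caps.create("/etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")  # handle kept by root
    alice_log = caps.create("/home/alice/app.log", "")
    cap_log_service(alice_log, "started\n")  # the only file alice can name
    results["cap_log_written"] = caps.files["/home/alice/app.log"]
    results["cap_passwd_untouched"] = caps.files["/etc/passwd"] == "root:x:0:0:root:/root:/bin/sh\n"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the ACL half, the deputy's check answers "may logsvc write this file?" rather than "may the caller?", which is exactly the ambient authority a root VPN daemon carries; in the capability half there is no second identity to consult, so the worst a buggy deputy can do is misuse the handles it was actually handed.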



Once again: icing is pointless without the cake...

Posted Aug 1, 2011 14:10 UTC (Mon) by nix (subscriber, #2304)

The third reason is that different people on the same machine can then run *different VPNs*. There's no hope of doing that on Linux as it stands, even with the global routing table, because the per-user iptables rules run in POSTROUTING so cannot affect packet destinations. But having to change the global routing table for something completely per-user and not security-related is a kludge anyway. A userspace TCP stack is definitely the right way here. (Sure, it may not be so high performance, but if you're using a VPN performance isn't going to be at the top of your list anyway.)

Copyright © 2013, Eklektix, Inc.