Digitally Signed Binaries w/ Kernel support, etc.
rsmith at xs4all.nl
Fri Apr 4 16:55:43 UTC 2008
On Fri, Apr 04, 2008 at 10:58:40AM +0200, Ivan Voras wrote:
> >> Signing binaries could be naturally tied in with securelevel, where some
> >> securelevel (1?) would mean kernel no longer accepts new keys.
> > If you set the system immutable flag on the binaries, you cannot modify them at
> > all at securelevel >0. Signing the binaries would be pointless in that case.
> I think these are separate things. Modifying binaries is separate from
> introducing new binaries. SCHG would prevent the former, but not the latter.
If you set the SCHG flag on the directories in $PATH, you can't put
anything new there as well.
> Of course, with the popularity of various scripting languages it's not
> as useful as it could be on the first thought.
If an intruder want to do real damage with a script, he pretty much has to be
root. In which case you're already fscked. Or the script must contain a
viable local root exploit, which amounts to the same thing.
As usual, there is a balance between security and usability. Where that
balance lies depends on the situation.
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 195 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20080404/40aa44e9/attachment.pgp
More information about the freebsd-stable