Date: Mon, 18 Nov 1996 18:47:10 +0100 (MEZ) From: "Hr.Ladavac" <lada@ws2301.gud.siemens.co.at> To: msmith@atrad.adelaide.edu.au (Michael Smith) Cc: dyson@freebsd.org, rob@xs1.simplex.nl, hackers@freebsd.org Subject: Re: Q: system specific binaries Message-ID: <199611181747.AA152559230@ws2301.gud.siemens.co.at> In-Reply-To: <199611160457.PAA10718@genesis.atrad.adelaide.edu.au> from "Michael Smith" at Nov 16, 96 03:27:07 pm
next in thread | previous in thread | raw e-mail | index | archive | help
E-mail message from Michael Smith contained: > John S. Dyson stands accused of saying: > > > > > > If this is too easy to break, is there perhaps a way to specify > > > from which directories binaries may be executed ? > > look at /sys/kern/imgact* for starters. Depending on what you're actually > worried about, you might want to look at the source for the shells, > perl, tcl, remove the debugger (gdb) etc. > > > Perhaps, formulate a system whereby the flags bits on a file are used > > in some way... Note that I am not talking about the "protection" bits, > > but there is another group of interesting things called flags bits that > > can be placed only under the control of the kernel. Just a thought. > > > > (Perhaps an "annoint" command???) > > A "secure" flag, only settable by root and cleared when the file is > written to might be vaguely useful. It might give a false sense of > confidence though. A "secure" flag only settable in a standalone mode, combined perhaps with "immutable" flag might be better. No, I don't have the patches (yet :) /Marino > > > John > > -- > ]] Mike Smith, Software Engineer msmith@gsoft.com.au [[ > ]] Genesis Software genesis@gsoft.com.au [[ > ]] High-speed data acquisition and (GSM mobile) 0411-222-496 [[ > ]] realtime instrument control. (ph) +61-8-8267-3493 [[ > ]] Unix hardware collector. "Where are your PEZ?" The Tick [[ >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199611181747.AA152559230>