From owner-freebsd-stable@FreeBSD.ORG Thu Apr 10 14:13:36 2008
Date: Thu, 10 Apr 2008 07:13:35 -0700
From: "Peter Wemm" (peter@wemm.org)
To: "Ivan Voras", freebsd-stable@freebsd.org
Subject: Re: Digitally Signed Binaries w/ Kernel support, etc.
In-Reply-To: <20080404165541.GA675@slackbox.xs4all.nl>
References: <47F3DA07.4020209@forrie.com> <20080402203859.GB80314@slackbox.xs4all.nl> <20080403164108.GA12190@slackbox.xs4all.nl> <20080404165541.GA675@slackbox.xs4all.nl>
List-Id: Production branch of FreeBSD source code

On Fri, Apr 4, 2008 at 9:55 AM, Roland Smith wrote:
> On Fri, Apr 04, 2008 at 10:58:40AM +0200, Ivan Voras wrote:
> > >> Signing binaries could be naturally tied in with securelevel, where some
> > >> securelevel (1?) would mean kernel no longer accepts new keys.
> > >
> > > If you set the system immutable flag on the binaries, you cannot modify them at
> > > all at securelevel >0. Signing the binaries would be pointless in that case.
> >
> > I think these are separate things. Modifying binaries is separate from
> > introducing new binaries. SCHG would prevent the former, but not the latter.
>
> If you set the SCHG flag on the directories in $PATH, you can't put
> anything new there as well.

There's nothing magical about $PATH. A person could put a malicious binary in /tmp or $HOME and run it with /tmp/crashme or whatever.

Sure, you could set SCHG on every single writeable directory on the system to prevent any files being created. MNT_NOEXEC might be an option.

The existence of script languages or even scriptable binaries does diminish the strength of a lockdown, but it depends on what you're trying to achieve. eg: If you're trying to prevent your users from downloading a self-built irc client or bot and running it, then yes, requiring signed binaries would be useful.

In any case, there are legitimate uses for signed binaries. But I'm not volunteering to do it.

--
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5
"If Java had true garbage collection, most programs would delete themselves upon execution." -- Robert Sewell
**WANTED TO BUY: Garmin Streetpilot 2650 or 2660. Not later model! **
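The point Peter makes above is that a lockdown built from SCHG on $PATH only covers the directories you remembered: any directory an unprivileged user can write to, on a filesystem without noexec, is a place to drop and run a binary, and noexec itself does not stop `sh /tmp/x.sh` because the interpreter, not the kernel, reads the file. The audit below is an added example (not code from the thread, from FreeBSD, or from any of the posters) that enumerates such directories. It runs on a constructed `mount` listing in FreeBSD's "device on mountpoint (options)" format and a constructed directory table with mode, owner and BSD file flags; the `stat_dir()` helper shows how that table would be built on a live host, using `st_flags`, which only BSD-derived systems provide.

```python
"""Audit which directories give an unprivileged user a place to drop and run
a binary: writable, not system-immutable (schg), and not on a noexec mount.

Added example for the freebsd-stable thread on signed binaries; it is not
code from FreeBSD or from any poster.  It runs entirely on constructed data
so it works offline; stat_dir() shows how the same table would be built on a
live FreeBSD host.
"""
import os
import pwd
import stat

# Constructed `mount` output in FreeBSD's "device on mountpoint (options)" form.
SAMPLE_MOUNTS = """\
/dev/ada0p2 on / (ufs, local, soft-updates)
devfs on /dev (devfs, local)
/dev/ada0p3 on /tmp (ufs, local, noexec, nosuid, soft-updates)
/dev/ada0p4 on /home (ufs, local, soft-updates)
"""

# Constructed directory table: permission bits, owner, and BSD file flags.
SAMPLE_DIRS = {
    "/bin":               {"mode": 0o755,  "owner": "root",  "flags": {"schg"}},
    "/usr/local/bin":     {"mode": 0o755,  "owner": "root",  "flags": set()},
    "/tmp":               {"mode": 0o1777, "owner": "root",  "flags": set()},
    "/var/tmp":           {"mode": 0o1777, "owner": "root",  "flags": set()},
    "/home/alice":        {"mode": 0o755,  "owner": "alice", "flags": set()},
    "/home/alice/.cache": {"mode": 0o700,  "owner": "alice", "flags": set()},
}


def parse_mounts(text):
    """Map each mountpoint to its option set, e.g. {"/tmp": {"ufs", "noexec", ...}}."""
    mounts = {}
    for line in text.splitlines():
        if " on " not in line:
            continue
        _device, rest = line.split(" on ", 1)
        mountpoint, _, options = rest.partition(" (")
        mounts[mountpoint] = {o.strip() for o in options.rstrip(")").split(",") if o.strip()}
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match: the mountpoint whose filesystem actually holds `path`."""
    best = "/"
    for mp in mounts:
        if mp != "/" and (path == mp or path.startswith(mp + "/")) and len(mp) > len(best):
            best = mp
    return best


def stat_dir(path):
    """Build one SAMPLE_DIRS-style entry from a live filesystem.  BSD flags come
    from st_flags; on Linux that attribute is absent and the flag set stays empty."""
    st = os.stat(path)
    flags = set()
    if getattr(st, "st_flags", 0) & getattr(stat, "SF_IMMUTABLE", 0x20000):
        flags.add("schg")
    return {"mode": stat.S_IMODE(st.st_mode),
            "owner": pwd.getpwuid(st.st_uid).pw_name,
            "flags": flags}


def exec_vectors(dirs, mounts, via_interpreter=False):
    """Directories where an unprivileged user can create a file and then run it.

    via_interpreter=False counts a directory only if the file could be exec'd
    directly, so a noexec mount removes it.  via_interpreter=True skips the
    noexec check: `sh /tmp/x.sh` or `perl /tmp/x.pl` reads the file through an
    interpreter that is itself on an exec-able filesystem.
    """
    vectors = []
    for path, info in dirs.items():
        # schg on the directory blocks new entries, and at securelevel > 0
        # even root cannot clear the flag.
        if "schg" in info["flags"]:
            continue
        writable = bool(info["mode"] & stat.S_IWOTH) or info["owner"] != "root"
        if not writable:
            continue
        if not via_interpreter and "noexec" in mounts[mount_for(path, mounts)]:
            continue
        vectors.append(path)
    return sorted(vectors)


if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    print("direct exec:    ", exec_vectors(SAMPLE_DIRS, mounts))
    print("via interpreter:", exec_vectors(SAMPLE_DIRS, mounts, via_interpreter=True))
```

On the constructed data, /tmp drops out of the direct-exec list because of its noexec mount but comes back once interpreters are considered, and the user's own home directory and /var/tmp are vectors either way, which is the gap Peter describes: SCHG on $PATH alone closes none of them. The owner check is deliberately coarse (anything not owned by root is treated as writable by its owner); a real audit would also walk group-writable directories and symlinked paths.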