Date: Thu, 10 Apr 2008 16:39:56 +0200
From: Kris Kennaway <kris@FreeBSD.org>
To: Peter Wemm <peter@wemm.org>
Cc: freebsd-stable@freebsd.org, Ivan Voras <ivoras@freebsd.org>
Subject: Re: Digitally Signed Binaries w/ Kernel support, etc.
Message-ID: <47FE26BC.3000305@FreeBSD.org>
In-Reply-To: <e7db6d980804100713o4eec1a89s5ec755b5066e4082@mail.gmail.com>
References: <47F3DA07.4020209@forrie.com> <20080402203859.GB80314@slackbox.xs4all.nl> <ft2g30$7i7$2@ger.gmane.org> <20080403164108.GA12190@slackbox.xs4all.nl> <ft4qk0$ub9$2@ger.gmane.org> <20080404165541.GA675@slackbox.xs4all.nl> <e7db6d980804100713o4eec1a89s5ec755b5066e4082@mail.gmail.com>
Peter Wemm wrote:
> On Fri, Apr 4, 2008 at 9:55 AM, Roland Smith <rsmith@xs4all.nl> wrote:
>> On Fri, Apr 04, 2008 at 10:58:40AM +0200, Ivan Voras wrote:
>> > >> Signing binaries could be naturally tied in with securelevel, where some
>> > >> securelevel (1?) would mean kernel no longer accepts new keys.
>> > >
>> > > If you set the system immutable flag on the binaries, you cannot modify them at
>> > > all at securelevel >0. Signing the binaries would be pointless in that case.
>> >
>> > I think these are separate things. Modifying binaries is separate from
>> > introducing new binaries. SCHG would prevent the former, but not the latter.
>>
>> If you set the SCHG flag on the directories in $PATH, you can't put
>> anything new there as well.
>
> There's nothing magical about $PATH. A person could put a malicious
> binary in /tmp or $HOME and run it with /tmp/crashme or whatever.
> Sure, you could set SCHG on every single writeable directory on the
> system to prevent any files being created. MNT_NOEXEC might be an
> option. The existence of script languages or even scriptable binaries
> does diminish the strength of a lockdown, but it depends on what
> you're trying to achieve. eg: If you're trying to prevent your users
> from downloading a self-built irc client or bot and running it, then
> yes, requiring signed binaries would be useful.
>
> In any case, there are legitimate uses for signed binaries. But I'm
> not volunteering to do it.
>

csjp@ had a mac_chkexec module that looks like it was never committed.

http://groups.google.com/group/mailing.freebsd.hackers/msg/074eec7def84c52b

Shouldn't be hard to update it.

Kris
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47FE26BC.3000305>