From owner-freebsd-hackers  Fri Nov 15 08:03:22 1996
Return-Path: owner-hackers
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id IAA23483
          for hackers-outgoing; Fri, 15 Nov 1996 08:03:22 -0800 (PST)
Received: from sumatra.americantv.com (sumatra.americantv.com [199.184.181.250])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA23456;
          Fri, 15 Nov 1996 08:03:10 -0800 (PST)
Received: from right.PCS (right.pcs. [148.105.10.31]) by sumatra.americantv.com (8.7.6/8.7.3) with ESMTP id JAA11157; Fri, 15 Nov 1996 09:22:57 -0600 (CST)
Received: (jlemon@localhost) by right.PCS (8.6.13/8.6.4) id QAA05023; Fri, 15 Nov 1996 16:01:11 GMT
Message-Id: <199611151601.QAA05023@right.PCS>
Date: Fri, 15 Nov 1996 10:01:10 -0600
From: jlemon@americantv.com (Jonathan Lemon)
To: dyson@freebsd.org
Cc: rob@xs1.simplex.nl (Rob Simons), hackers@freebsd.org
Subject: Re: Q: system specific binaries
References: <199611151329.OAA00724@xs1.simplex.nl> <199611151543.KAA01199@dyson.iquest.net>
X-Mailer: Mutt 0.48.1
Mime-Version: 1.0
In-Reply-To: <199611151543.KAA01199@dyson.iquest.net>; from John S. Dyson on Nov 15, 1996 10:43:10 -0500
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > Does anyone have any experience with customising FreeBSD so that only
> > binaries which are compiled on a system itself will actually run on
> > that system ?
> > So the local compiler has to give a key to each binary when it's 
> > compiled, and when executed there'd be a check for that key. ?
> > That way only people who have access to the compiler may generate 
> > binaries, and no 'foreign' binaries will be executed by the syetem.
> > 
> > If this is too easy to break, is there perhaps a way to specify
> > from which directories binaries may be executed ?
> > 
> Perhaps, formulate a system whereby the flags bits on a file are used
> in some way...  Note that I am not talking about the "protection" bits,
> but there is another group of interesting things called flags bits that
> can be placed only under the control of the kernel.  Just a thought.
> 
> (Perhaps an "annoint" command???)

Now, why does this remind me of nettrek's "blessed" binaries?
--
Jonathan