From owner-freebsd-hackers  Mon Aug 24 14:12:56 1998
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id OAA07250
          for freebsd-hackers-outgoing; Mon, 24 Aug 1998 14:12:56 -0700 (PDT)
          (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA07242
          for <hackers@FreeBSD.ORG>; Mon, 24 Aug 1998 14:12:52 -0700 (PDT)
          (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.8.8/8.8.8) with SMTP id RAA25669;
	Mon, 24 Aug 1998 17:11:55 -0400 (EDT)
Date: Mon, 24 Aug 1998 17:11:55 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson <robert+freebsd@cyrus.watson.org>
To: David Kirchner <dpk@notreal.com>
cc: Alex <garbanzo@hooked.net>, "B. Richardson" <rabtter@aye.net>,
        hackers@FreeBSD.ORG
Subject: Re: I want to break binary compatibility.
In-Reply-To: <Pine.BSF.4.02A.9808241319280.24290-100000@notreal.com>
Message-ID: <Pine.BSF.3.96.980824171015.25644D-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 24 Aug 1998, David Kirchner wrote:

> Maybe create a utility that can "bless" binaries. 'root' would only be
> able to execute blessed binaries. setuid binaries could on be run if
> blessed, etc. Same idea, but the flag could be set on a different server
> before the file is copied over.

i.e., a file system flag, or table that the kernel loads from disk.  This
sounds pretty straight-forward.

> > > However, this runs into the problem of shared libraries -- as long as
> > > LD_LIBRARY_PATH exists, the possibility of running user-specified code
> > > also exists.  This also doesn't help you if the bugs are in existing code
> > > (that is, in sperl :).
> 
> The truly paranoid could just compile everything run as root staticly.
> 
> > Yes, but one could easily hardcode LD_LIBRARY_PATH to search /usr/lib or
> > whatever first.
> > 
> > - alex
> 
> Or for the less paranoid, they could do this. :)

My favored choice would be to modify the standard dynamic link support to
check /etc/ld.conf (or a sysctl) to determine whether the system policy
currently allowed dynamic linking or not, and if so, whether user-defined
paths were allowed.  This, in combination with the bless-support would
work pretty well.

  Robert N Watson 

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message