Subject: re: verified executable kernel modification committed
To: Brett Lymn <firstname.lastname@example.org>
From: matthew green <email@example.com>
Date: 10/30/2002 01:49:22
Q: So, how do you stop the list being updated later?
A: by using securelevel - the fingerprints can only be loaded at
securelevel == 0. The full effect of the verified exec is in
effect at securelevel > 2 (i.e. 3 onwards), at this point warnings
about invalid/missing fingerprints become fatal errors, before this
they were merely warnings.
i assume that is "securelevel <= 0" ?
Q: Doesn't chflags(1) do all this already?
A: Not really. It can be used to do some of the work but there are
some things it cannot do like prevent a file from being executed
nor can it give any confidence that what you are executing has not
been tampered with.
how does it not give you confidence it has not been tampered with?