Subject: Re: verified executable kernel modification committed
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: Brett Lymn <blymn@baesystems.com.au>
List: current-users
Date: 10/30/2002 14:08:10
On Tue, Oct 29, 2002 at 10:19:55PM -0500, Greg A. Woods wrote:
> 
> Assuming the integrity of the files is verified immediately after
> setting chflags,
>

And assuming nobody ever changes it.... Excuse me for being paranoid
and not trusting things to be left as I left them.

> then verifying their integrity over and over again on
> every exec really doesn't increase the real security of the system at
> all (all other things being equal).
> 

It does not get verified over and over again.  This is an important
point; it is the reason why the system impact is so low - the
verification gets done the first time the exec is done, and after that
iff the vnode has been put back into the free pool and reused.

> So, in many cases it would seem "smarter" to do the install, set chflags
> to make the files immutable, and then just verify the integrity of the
> files once, all while still in single user mode, and be done with it.
> 

Because it will not stop random executables being run (this includes
putting a trojaned binary in a PATH).  It does not give you the
ability to run shell scripts but prevent running the shell
interpreter itself directly.  Basically, this gives you a _visible_
means of verifying the trusted computing base - if there is something
wrong it will be logged; chflags cannot do that for you.  Also, this
is done not only for binaries but also for scripts and other arbitrary
files.

-- 
Brett Lymn
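The two points Brett makes above (the fingerprint is checked on the first exec and the result rides on the vnode until that vnode is recycled; a policy table can allow a fingerprinted script while refusing a direct exec of its interpreter, logging every refusal) can be seen together in a small user-space model. This is an added example written for this page, not NetBSD's verified-exec code: the class names, the flag values `direct`/`indirect`/`file`, the LRU vnode pool and the SHA-256 fingerprints are all assumptions chosen to mirror the behaviour described in the message, and the file contents and fingerprint table are constructed.

```python
"""User-space model of a verified-exec check with a per-vnode result cache.

Added example for this page, not NetBSD veriexec code. Everything here
(names, flags, hash algorithm, pool size, sample files) is an assumption
chosen to illustrate the behaviour described in the message.
"""
import hashlib
from dataclasses import dataclass

DIRECT = "direct"      # may be exec'd directly (from a shell, a PATH lookup, ...)
INDIRECT = "indirect"  # may only run as the interpreter of a verified #! script
FILE = "file"          # fingerprinted for integrity, but never executable


@dataclass
class Vnode:
    """Stands in for a kernel vnode: one per in-use file, reused when freed."""
    path: str = ""
    fp_checked: bool = False   # "fingerprint already verified" bit; cleared on reuse


class Filesystem:
    """In-memory files plus a fixed-size vnode pool with LRU recycling."""

    def __init__(self, files, pool_size=2):
        self.files = dict(files)                        # path -> bytes (constructed)
        self.free = [Vnode() for _ in range(pool_size)]
        self.active = {}                                # path -> Vnode holding it
        self.lru = []                                   # least recently used first

    def vnode_for(self, path):
        """Return the vnode for path, recycling the LRU vnode when the pool is full."""
        if path in self.active:
            self.lru.remove(path)
            self.lru.append(path)
            return self.active[path]
        if self.free:
            vn = self.free.pop()
        else:
            victim = self.lru.pop(0)
            vn = self.active.pop(victim)
            vn.fp_checked = False      # back through the free pool: cached result is gone
        vn.path = path
        self.active[path] = vn
        self.lru.append(path)
        return vn


class Veriexec:
    """Fingerprint table loaded once (think: single-user mode) plus the exec hook."""

    def __init__(self, fs, table):
        self.fs = fs
        self.table = table             # path -> (sha256 hex digest, flag)
        self.hashes_computed = 0       # how often the file was actually re-read and hashed
        self.log = []                  # what the kernel would have logged

    def _verify(self, path):
        vn = self.fs.vnode_for(path)
        if vn.fp_checked:
            return True                # verified earlier on this vnode: no re-hash
        data = self.fs.files.get(path)
        if data is None:
            self.log.append(f"veriexec: {path} missing, exec denied")
            return False
        self.hashes_computed += 1
        if hashlib.sha256(data).hexdigest() != self.table[path][0]:
            self.log.append(f"veriexec: fingerprint mismatch for {path}, exec denied")
            return False
        vn.fp_checked = True
        return True

    def exec(self, path, direct=True):
        """Allow or deny an exec of path; direct=False means 'as a script's interpreter'."""
        entry = self.table.get(path)
        if entry is None:
            self.log.append(f"veriexec: no fingerprint for {path}, exec denied")
            return False
        _digest, flag = entry
        if flag == FILE:
            self.log.append(f"veriexec: {path} is not executable, exec denied")
            return False
        if flag == INDIRECT and direct:
            self.log.append(f"veriexec: direct exec of {path} denied (indirect only)")
            return False
        if not self._verify(path):
            return False
        data = self.fs.files[path]
        if data.startswith(b"#!"):     # a script: the interpreter is exec'd indirectly
            interp = data.split(b"\n", 1)[0][2:].split()[0].decode()
            return self.exec(interp, direct=False)
        return True


def demo():
    """Constructed scenario: returns (decisions, hash count, log) for inspection."""
    fp = lambda data: hashlib.sha256(data).hexdigest()
    files = {
        "/bin/sh": b"ELF sh binary (constructed)",
        "/bin/ls": b"ELF ls binary (constructed)",
        "/usr/local/bin/backup.sh": b"#!/bin/sh\necho backup\n",
        "/usr/local/bin/tampered": b"modified after fingerprinting",
        "/etc/master.passwd": b"root:*:0:0:...",
        "/tmp/evil": b"trojan dropped into PATH, never fingerprinted",
    }
    table = {
        "/bin/sh": (fp(files["/bin/sh"]), INDIRECT),
        "/bin/ls": (fp(files["/bin/ls"]), DIRECT),
        "/usr/local/bin/backup.sh": (fp(files["/usr/local/bin/backup.sh"]), DIRECT),
        "/usr/local/bin/tampered": (fp(b"original contents"), DIRECT),
        "/etc/master.passwd": (fp(files["/etc/master.passwd"]), FILE),
    }
    vx = Veriexec(Filesystem(files, pool_size=2), table)
    decisions = [
        vx.exec("/bin/ls"),                   # hashed once
        vx.exec("/bin/ls"),                   # cached on the vnode, no re-hash
        vx.exec("/bin/sh"),                   # denied: interpreter is indirect-only
        vx.exec("/usr/local/bin/backup.sh"),  # script and /bin/sh both hashed; ls vnode recycled
        vx.exec("/bin/ls"),                   # re-hashed: its vnode went through the pool
        vx.exec("/tmp/evil"),                 # denied and logged: no fingerprint
        vx.exec("/usr/local/bin/tampered"),   # denied and logged: mismatch
        vx.exec("/etc/master.passwd"),        # denied: FILE entries are never executable
    ]
    return decisions, vx.hashes_computed, vx.log


if __name__ == "__main__":
    decisions, nhash, log = demo()
    print(decisions, nhash)
    print("\n".join(log))
```

Running `demo()` hashes only five times across eight exec attempts: the second `ls` is served from the vnode bit, and the re-hash of `ls` happens only because the two-vnode pool forced its vnode back through the free list. Every refusal (direct `sh`, the unfingerprinted `/tmp/evil`, the tampered binary, the non-executable password file) leaves a log line, which is the visibility chflags alone cannot give.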