Subject: Re: verified executable kernel modification committed
To: None <firstname.lastname@example.org, email@example.com>
From: Brett Lymn <firstname.lastname@example.org>
Date: 10/30/2002 14:08:10
On Tue, Oct 29, 2002 at 10:19:55PM -0500, Greg A. Woods wrote:
> Assuming the integrity of the files is verified immediately after
> setting chflags,
and assuming nobody ever changes it.... excuse me for being paranoid
and not trusting things being left as I left them.
> then verifying their integrity over and over again on
> every exec really doesn't increase the real security of the system at
> all (all other things being equal).
It does not get verified over and over again. This is an important
point, it is the reason why the system impact so low - the
verification gets done the first time the exec is done, and after that
iff the vnode has been put back into the free pool and reused.
> So, in many case it would seem "smarter" to do the install, set chflags
> to make the files immutable, and then just verify the integrity of the
> files once, all while still in in single user mode, and be done with it.
because it will not stop random executables being run (this includes
putting a trojaned binary in a PATH). It does not give you the
ability of running shell scripts but prevent running the shell
interpreter itself directly. Basically, this gives you a _visible_
means of verifying the trusted computing base - if there is something
wrong it will be logged, chflags cannot do that for you. Also, this
is done not only for binaries but scripts and for other arbitrary