Subject: Re: verified executable kernel modification committed
To: matthew green <>
From: Andrew Brown <>
List: tech-security
Date: 10/29/2002 10:04:42
>   Q: So, how do you stop the list being updated later?
>   A: by using securelevel - the fingerprints can only be loaded at
>      securelevel == 0.  The full effect of the verified exec is in
>      effect at securelevel > 2 (i.e. 3 onwards), at this point warnings
>      about invalid/missing fingerprints become fatal errors, before this
>      they were merely warnings.
>i assume that is "securelevel <= 0" ?

prolly, but the "securelevel > 2" bit gives me pause.  why not just
"securelevel > 1"?
>   Q: Doesn't chflags(1) do all this already?
>   A: Not really.  It can be used to do some of the work but there are
>      some things it cannot do like prevent a file from being executed
>      nor can it give any confidence that what you are executing has not
>      been tampered with.
>how does it not give you confidence it has not been tampered with?

because now tampering with the underlying filesytem is evident,
whereas chflags doesn't protect you against that?

|-----< "CODE WARRIOR" >-----|             * "ah!  i see you have the internet (Andrew Brown)                that goes *ping*!"       * "information is power -- share the wealth."