Subject: Re: verified executable kernel modification committed
To: Chris Jepeway <>
From: Perry E. Metzger <>
List: tech-security
Date: 10/31/2002 10:22:23
Chris Jepeway <> writes:
> > to stop someone else who may choose to have their file executable on
> > your machine something like a DDoS zombie.
> OK, so verified execs stop rootkits from running?
> How can chflags do that?

If you can't replace /bin/sh or whatever with the executable of your
choosing because it is marked immutable, well, then it doesn't matter
if you verify the MAC on it.

BTW, the things we're doing that are having the most impact on remote
security flaws are systrace, unprivileged execution in chrooted boxes
(for programs like ntpd and named and postfix), and shortly,
non-executable stacks. The latter will also stop many local
exploits. Getting rid of suid almost entirely with the use of tricks
like systrace should also help eventually.

Perry E. Metzger