Re: execution policy for shells

To: tech-security%NetBSD.org@localhost
Subject: Re: execution policy for shells
From: Thor Lancelot Simon <tls%panix.com@localhost>
Date: Thu, 23 Sep 2010 14:56:07 -0400

On Thu, Sep 23, 2010 at 12:17:20PM -0400, Jan Schaumann wrote:
> > 
> > actually, veriexec can be more subtle than that.  You can bless
> > certain shell scripts but deny the direct invocation of the shell
> > interpreter.
> 
> But that requires me explicitly stating which scripts are allowed to
> run, right?  What I'm looking for is a way to allow any arbitrary script
> to be executed so long as it's signed by an entity I previously
> identified.  If no signature is found, the signature does not verify or
> is not by the entity I declared, then execution is refused.

So you need the shell to be the thing whose fingerprint is known to the
kernel, and the interpreted scripts to be known to the shell.

Thor

Follow-Ups:
- Re: execution policy for shells
  - From: Jan Schaumann

References:
- execution policy for shells
  - From: Jan Schaumann
- Re: execution policy for shells
  - From: Thor Lancelot Simon
- Re: execution policy for shells
  - From: Brett Lymn
- Re: execution policy for shells
  - From: Jan Schaumann

Prev by Date: Re: execution policy for shells
Next by Date: Re: execution policy for shells
Previous by Thread: Re: execution policy for shells
Next by Thread: Re: execution policy for shells
Indexes:

Home | Main Index | Thread Index | Old Index