On Sun, 2 Sep 2007 12:45:09 +0200 Joerg Sonnenberger <[EMAIL PROTECTED]> wrote:
> On Sat, Sep 01, 2007 at 06:30:20PM -0400, Mike Meyer wrote:
> > On Sat, 1 Sep 2007 14:27:42 -0300 "Klaus Schneider" <[EMAIL PROTECTED]>
> > wrote:
> > > Well, anybody know a way to make the FreeBSD run just binaries that I have
> > > compiled?
> > In general, it's impossible. There's no way the system can know that
> > you compiled a binary. There are a number of things you could do with
> > a custom kernel and toolchain to indicate that you compiled the binary
> > (like Peter's changing of ELF OSABI), but that's just security through
> > obscurity. If someone figures out those changes and replicates them,
> > you lose.
> You mean using cryptographic hashes to ensure that binaries match those
> you compiled is impossible? Something like NetBSD's veriexec?
Yes, that's possible, but "don't execute binaries I don't tell you are
ok" is not (quite) the same thing as "don't execute binaries I
compiled" or "don't execute binaries I didn't sign" or "don't execute
....". There are a number of things possible that are close to what he
asked for, with different strengths and weaknesses. Valid responses
include listing all of them, or guessing at his requirements and
providing the best solution for the guess. However, I suspect that all
those solutions are a lot more painful than solving whatever issues
keep him from mounting his user partition noexec, so I chose another
valid response, and asked for more information about his requirements.
<mike
--
Mike Meyer <[EMAIL PROTECTED]> http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
