On Fri, Apr 04, 2008 at 10:58:40AM +0200, Ivan Voras wrote:
> >> Signing binaries could be naturally tied in with securelevel, where some
> >> securelevel (1?) would mean kernel no longer accepts new keys.
> >
> > If you set the system immutable flag on the binaries, you cannot modify
> > them at all at securelevel >0. Signing the binaries would be pointless in that case.
>
> I think these are separate things. Modifying binaries is separate from
> introducing new binaries. SCHG would prevent the former, but not the latter.
If you set the SCHG flag on the directories in $PATH, you can't put
anything new there as well.

> Of course, with the popularity of various scripting languages it's not
> as useful as it could be on the first thought.

If an intruder wants to do real damage with a script, he pretty much has
to be root. In which case you're already fscked. Or the script must
contain a viable local root exploit, which amounts to the same thing.

As usual, there is a balance between security and usability. Where that
balance lies depends on the situation.

Roland
-- 
R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
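A small audit for the point made in this thread, added here as an example and not code from the mail or from FreeBSD: it walks the directories in $PATH and reports the ones that do not carry the schg (system immutable) flag, i.e. the places where a new binary could still be dropped. It assumes `os.lstat().st_flags` and `stat.SF_IMMUTABLE`, which exist on the BSDs; on platforms without `st_flags` every directory is reported as unprotected because the flag cannot be read. Remember the caveat from the thread: the flag only binds root once the securelevel is above 0.

```python
"""Audit the directories in $PATH for the schg (system immutable) flag.

Added example for the securelevel/SCHG thread, not code from the mail.
Relies on os.lstat().st_flags and stat.SF_IMMUTABLE (FreeBSD and other
BSDs). Where st_flags is absent the flag word is taken as 0, so every
directory shows up as unprotected rather than silently passing.
"""
import os
import stat
from typing import Dict, List

SCHG = stat.SF_IMMUTABLE  # the bit that `chflags schg` sets


def unprotected_dirs(flags_by_dir: Dict[str, int]) -> List[str]:
    """Return the directories whose flag word lacks schg, in PATH order.

    flags_by_dir maps a directory to its st_flags value (0 when unknown).
    """
    return [d for d, flags in flags_by_dir.items() if not flags & SCHG]


def read_flags(path_env: str) -> Dict[str, int]:
    """Collect st_flags for each existing, unique directory in a PATH string."""
    result: Dict[str, int] = {}
    for d in path_env.split(os.pathsep):
        if not d or d in result:
            continue
        try:
            st = os.lstat(d)
        except OSError:
            continue  # a missing directory cannot hold new binaries either
        # Non-BSD platforms have no st_flags: treat the flag as not set.
        result[d] = getattr(st, "st_flags", 0)
    return result


def audit_path(path_env: str) -> List[str]:
    """Directories in path_env where an intruder could still add a binary."""
    return unprotected_dirs(read_flags(path_env))


if __name__ == "__main__":
    for d in audit_path(os.environ.get("PATH", "")):
        print(f"{d}: schg not set")
```

Run it as root on a box that has had `chflags schg` applied to its $PATH directories; an empty report means every directory on the search path is immutable at securelevel > 0.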