From: Roland Smith <rsmith@xs4all.nl>
To: Forrest Aldrich
Cc: freebsd-stable@freebsd.org
Date: Wed, 2 Apr 2008 22:38:59 +0200
Subject: Re: Digitally Signed Binaries w/ Kernel support, etc.
Message-ID: <20080402203859.GB80314@slackbox.xs4all.nl>
In-Reply-To: <47F3DA07.4020209@forrie.com>

On Wed, Apr 02, 2008 at 03:09:59PM -0400, Forrest Aldrich wrote:
> Does FreeBSD have support for digitally signed binary checking, similar to
> what Linux has with bsign and DigSig, where system binaries are signed and
> this signature is verified before being run in the kernel?

If an attacker can modify binaries, he already has root privileges. In that
case, what will stop him from creating a new pgp key and re-signing his
doctored binaries?

> This would be very useful to have to further tighten down the system.

As an alternative, on FreeBSD you can set the system immutable flag on
binaries (see chflags(1)), and set the securelevel > 0. See init(8). Once
this is set, not even root can undo this. You have to reboot to reset the
securelevel to -1.

The only weakness is that the securelevel is set quite late in the boot
process. An attacker could compromise the system if he gets access before
the securelevel is set.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
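As an added example (not part of Roland's mail), a small audit script for the two controls he describes, kern.securelevel > 0 and the schg flag on binaries; it assumes FreeBSD's `ls -lo` column layout (file flags in field 5, "-" when none are set) and sysctl(8) for the live check, and includes a constructed listing so the flag check can be run anywhere.

```shell
#!/bin/sh
# Audit helper for the two FreeBSD controls discussed above (added example,
# not from the original mail): kern.securelevel > 0 and the schg flag on
# binaries. Assumes FreeBSD `ls -lo` layout, where field 5 holds file flags
# ("-" when none are set), and sysctl(8) for the live check.

# Print names of regular files whose flags field lacks "schg".
# Reads `ls -lo`-style lines on stdin.
missing_schg() {
    awk '$1 ~ /^-/ && $5 !~ /(^|,)schg(,|$)/ { print $NF }'
}

# Return 0 if the given securelevel value is above 0, non-zero otherwise.
# Below 1, root can still clear schg with chflags(1) and replace the file.
securelevel_raised() {
    [ "$1" -gt 0 ] 2>/dev/null
}

# Live audit; only meaningful on a FreeBSD host.
audit_host() {
    lvl=$(sysctl -n kern.securelevel 2>/dev/null || echo -1)
    if securelevel_raised "$lvl"; then
        echo "kern.securelevel=$lvl: schg flags are locked until reboot"
    else
        echo "kern.securelevel=$lvl: schg flags can still be cleared by root"
    fi
    for d in /bin /sbin /usr/bin /usr/sbin; do
        ls -lo "$d" 2>/dev/null | missing_schg | sed "s|^|$d/|"
    done
}

# Constructed sample of `ls -lo` output, used for the offline run below.
SAMPLE='-r-xr-xr-x  1 root  wheel  schg        143712 Apr  2  2008 sh
-r-xr-xr-x  1 root  wheel  -             9876 Apr  2  2008 cat
-r-xr-xr-x  1 root  wheel  schg,uarch   23456 Apr  2  2008 ls
drwxr-xr-x  2 root  wheel  -              512 Apr  2  2008 subdir'

# Names in SAMPLE that are not protected by schg, one per line.
sample_missing() {
    printf '%s\n' "$SAMPLE" | missing_schg
}

sample_missing   # prints: cat
```

Run `audit_host` on a FreeBSD box to list unprotected binaries and see whether the current securelevel actually locks the flags in place.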