Date: Sun, 2 Sep 2007 13:47:19 -0400 From: Mike Meyer <mwm-keyword-freebsdhackers2.e313df@mired.org> To: freebsd-hackers@freebsd.org Subject: Re: Exclusive binary files Message-ID: <20070902134719.271834f5@bhuda.mired.org> In-Reply-To: <20070902104508.GB19678@britannica.bec.de> References: <45910cf20709011027o546363e2h4f5646b15e0f84a2@mail.gmail.com> <20070901183020.6a098955@bhuda.mired.org> <20070902104508.GB19678@britannica.bec.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 2 Sep 2007 12:45:09 +0200 Joerg Sonnenberger <joerg@britannica.bec.de> wrote: > On Sat, Sep 01, 2007 at 06:30:20PM -0400, Mike Meyer wrote: > > On Sat, 1 Sep 2007 14:27:42 -0300 "Klaus Schneider" <klausps@gmail.com> wrote: > > > Well, anybody know a way to make the FreeBSD run just binaries that I have > > > compiled? > > In general, it's impossible. There's no way the system can know that > > you compiled a binary. There are a number of things you could do with > > a custom kernel and toolchain to indicate that you compiled the binary > > (like Peter's changing of ELF OSABI), but that's just security through > > obscurity. If someone figures out those changes and replicates them, > > you lose. > You mean using cryptographic hashes to ensure that binaries match those > you compiled is impossible? Something like NetBSD's veriexec? Yes, that's possible, but "don't execute binaries I don't tell you are ok" is not (quite) the same thing as "don't execute binaries I compiled" or "don't execute binaries I didn't sign" or "don't execute ....". There are a number of things possible that are close to what he asked for, with different strengths and weaknesses. Valid responses include listing all of them, or guessing at his requirements and providing the best solution for the guess. However, I suspect that all those solutions are a lot more painful than solving whatever issues keep him from mounting his user partition noexec, so I chose another valid response, and asked for more information about his requirements. <mike -- Mike Meyer <mwm@mired.org> http://www.mired.org/consulting.html Independent Network/Unix/Perforce consultant, email for more information.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070902134719.271834f5>