From owner-freebsd-stable@FreeBSD.ORG Thu Apr 3 11:23:53 2008
From: "David Schwartz" <davids@webmaster.com>
To: "Forrest Aldrich"
Cc: freebsd-stable@freebsd.org
Date: Thu, 3 Apr 2008 04:12:27 -0700
Subject: RE: Digitally Signed Binaries w/ Kernel support, etc.
In-Reply-To: <20080402203859.GB80314@slackbox.xs4all.nl>
Reply-To: davids@webmaster.com
List-Id: Production branch of FreeBSD source code

> On Wed, Apr 02, 2008 at 03:09:59PM -0400, Forrest Aldrich wrote:
> > Does FreeBSD have support for digitally signed binary checking,
> > similar to what Linux has with bsign and DigSig, where system
> > binaries are signed and this signature is verified before being
> > run in the kernel?

> If an attacker can modify binaries, he already has root privileges. In
> that case, what will stop him from creating a new pgp key and re-signing
> his doctored binaries?

The fact that there would be no signed executable that would give him that
functionality. In order to tell the kernel to accept his key, he would need
some application that did that, and such an application would not be signed.
He would face a chicken and egg problem. To make a signed executable to set
his key to be accepted, he would need his key to already be accepted.

However, I agree that this is kind of pointless. It's like adding extra locks
to the back door when the front door is just as open. Once someone gets root,
odds are they can exploit an executable -- even if it's signed -- using the
same process they used to get root in the first place.

Do you have a signed 'rm' on the system? A person with root can do an awful
lot of damage with 'rm'. Without 'rm', the system isn't very useful. You can
truncate any non-immutable file with just a shell. A machine isn't very useful
without a shell.

And if the goal is to protect against people who have root (whether by
accident or malice), you really didn't want to give them root.

DS
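The two points made in the reply above (the chicken-and-egg problem of enrolling a new signing key, and the observation that a signed 'rm' does exactly what root tells it to) can be played out in a small model. The following is an added example written for this page, not code from the thread or from FreeBSD; it is a hypothetical userland model of an exec-time signature policy using Ed25519 from Go's standard library. The type and function names (Policy, Binary, Exec, Enroll, Scenario), the deterministic seed-derived keys and the toy filesystem are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Binary models an on-disk executable: its code, the signer's public key,
// and a detached Ed25519 signature over sha256(code). (Hypothetical model.)
type Binary struct {
	Name string
	Code []byte
	Key  ed25519.PublicKey
	Sig  []byte
}

// Policy models the kernel-side check at exec time plus the trust store of
// keys allowed to vouch for code. Not FreeBSD code; a constructed model.
type Policy struct {
	trusted map[string]bool // keyed by raw public-key bytes
	files   map[string]bool // toy filesystem for the 'rm' point
}

var (
	ErrUntrustedKey = errors.New("signer's key is not in the trust store")
	ErrBadSignature = errors.New("signature does not cover this code")
)

func NewPolicy(vendor ed25519.PublicKey) *Policy {
	return &Policy{
		trusted: map[string]bool{string(vendor): true},
		files:   map[string]bool{"/etc/passwd": true, "/etc/master.passwd": true},
	}
}

// Sign produces what a vendor (or an attacker) ships alongside the code.
func Sign(priv ed25519.PrivateKey, name string, code []byte) Binary {
	h := sha256.Sum256(code)
	return Binary{Name: name, Code: code,
		Key: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, h[:])}
}

// Exec is the gate: the key must already be trusted AND the signature must
// verify over the code. Arguments are not part of what is signed.
func (p *Policy) Exec(b Binary, args ...string) error {
	if !p.trusted[string(b.Key)] {
		return ErrUntrustedKey
	}
	h := sha256.Sum256(b.Code)
	if !ed25519.Verify(b.Key, h[:], b.Sig) {
		return ErrBadSignature
	}
	// Toy behaviour for the one tool we model: a signed 'rm' deletes
	// whatever it is pointed at, because the policy never looked at args.
	if b.Name == "rm" {
		for _, f := range args {
			delete(p.files, f)
		}
	}
	return nil
}

// Enroll is the only way into the trust store, and the tool that performs
// it is itself subject to Exec: the chicken-and-egg from the reply.
func (p *Policy) Enroll(tool Binary, newKey ed25519.PublicKey) error {
	if err := p.Exec(tool); err != nil {
		return fmt.Errorf("enrollment tool refused: %w", err)
	}
	p.trusted[string(newKey)] = true
	return nil
}

// keyFromSeed gives deterministic (constructed, non-secret) keys.
func keyFromSeed(fill byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{fill}, ed25519.SeedSize))
}

// Result holds the outcome of each step of the scenario.
type Result struct {
	VendorLs, TamperedLs, TrojanLs, Enroll, TrojanAfter error
	PasswdGone                                         bool
}

// Scenario plays out the thread's argument step by step.
func Scenario() Result {
	var r Result
	vendor, attacker := keyFromSeed(0x01), keyFromSeed(0x02)
	p := NewPolicy(vendor.Public().(ed25519.PublicKey))

	ls := Sign(vendor, "ls", []byte("constructed: genuine ls"))
	r.VendorLs = p.Exec(ls) // trusted key, valid signature

	// Attacker (already root) patches ls but keeps the vendor signature.
	tampered := ls
	tampered.Code = []byte("constructed: patched ls")
	r.TamperedLs = p.Exec(tampered) // ErrBadSignature

	// Attacker re-signs the patched ls with a freshly made key.
	trojan := Sign(attacker, "ls", tampered.Code)
	r.TrojanLs = p.Exec(trojan) // ErrUntrustedKey

	// To get that key accepted he needs an enrollment tool, which he can
	// only sign with the key that is not yet accepted.
	tool := Sign(attacker, "enrollkey", []byte("constructed: attacker's tool"))
	r.Enroll = p.Enroll(tool, attacker.Public().(ed25519.PublicKey))
	r.TrojanAfter = p.Exec(trojan) // still ErrUntrustedKey

	// But the genuine, signed rm runs with any arguments root chooses.
	rm := Sign(vendor, "rm", []byte("constructed: genuine rm"))
	_ = p.Exec(rm, "/etc/passwd")
	r.PasswdGone = !p.files["/etc/passwd"]
	return r
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The model deliberately verifies only sha256(code): the enrollment step fails not because of any special-casing but because Enroll reuses the same Exec gate, which is the whole of the chicken-and-egg argument. The last step shows the limit the reply points out: the check says nothing about what a legitimately signed binary is asked to do.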