From: Michael Tokarev <mjt@tls.msk.ru>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: Arjan van de Ven <arjan@infradead.org>,
Ulrich Drepper <drepper@gmail.com>,
Axelle Apvrille <axelle_apvrille@yahoo.fr>,
Nix <nix@esperi.org.uk>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
disec-devel@lists.sourceforge.net
Subject: Re: [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries
Date: Sat, 29 Apr 2006 00:48:27 +0400 [thread overview]
Message-ID: <44527F9B.6040500@tls.msk.ru> (raw)
In-Reply-To: <20060428162904.GB31473@sergelap.austin.ibm.com>
Serge E. Hallyn wrote:
> Quoting Arjan van de Ven (arjan@infradead.org):
>>> A one time effort to write it *and sign it*.
>> you don't sign nor need to sign perl or bash scripts. Why would a loader
>> be written in ELF itself? There's absolutely no reason for that.
>
> Yup, that's an unfortunate shortcoming. We'd been wanting to re-post to
> lkml for a long time to get ideas to fix that.
>
> I had an extension to digsig earlier which enabled signing shellscripts
> using xattrs (just because it was a trivial task), but that's clearly
> insufficient as it would catch "./myscript.pl" but not "perl
> myscript.pl".
Another thing to do is to modify perl to verify signatures of
the scripts it's executing, sign *that* perl binary, and disallow
executing of unsigned perl scripts...
/mjt, who's joking only partially.
next prev parent reply other threads:[~2006-04-28 20:48 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-04-24 16:27 [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries Makan Pourzandi (QB/EMC)
2006-04-24 16:47 ` Arjan van de Ven
2006-04-24 20:32 ` Nix
2006-04-24 20:45 ` Arjan van de Ven
2006-04-24 23:35 ` Nix
2006-04-25 6:30 ` Arjan van de Ven
2006-04-25 7:16 ` Nix
2006-04-25 16:11 ` Axelle Apvrille
2006-04-25 16:56 ` Arjan van de Ven
2006-04-25 18:57 ` Nix
2006-04-25 19:37 ` Arjan van de Ven
2006-04-25 19:52 ` Valdis.Kletnieks
2006-04-26 4:43 ` Kyle Moffett
2006-04-25 19:01 ` Chris Boot
2006-04-25 19:09 ` Valdis.Kletnieks
2006-04-25 20:00 ` Serge E. Hallyn
2006-04-28 15:33 ` Ulrich Drepper
2006-04-28 16:09 ` Serge E. Hallyn
2006-04-28 16:11 ` Arjan van de Ven
2006-04-28 16:29 ` Serge E. Hallyn
2006-04-28 17:53 ` Arjan van de Ven
2006-04-28 20:48 ` Michael Tokarev [this message]
2006-04-28 18:16 ` Christoph Hellwig
2006-04-28 19:22 ` Serge E. Hallyn
2006-04-25 13:00 ` Geert Uytterhoeven
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44527F9B.6040500@tls.msk.ru \
--to=mjt@tls.msk.ru \
--cc=arjan@infradead.org \
--cc=axelle_apvrille@yahoo.fr \
--cc=disec-devel@lists.sourceforge.net \
--cc=drepper@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nix@esperi.org.uk \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.