From: Willy Tarreau <willy@w.ods.org>
To: viro@parcelfarce.linux.theplanet.co.uk
Cc: Makan Pourzandi <Makan.Pourzandi@ericsson.ca>,
Pavel Machek <pavel@suse.cz>,
linux-kernel@vger.kernel.org,
Axelle Apvrille <Axelle.Apvrille@ericsson.ca>,
Vincent Roy <vincent.roy@ericsson.ca>,
David Gordon <davidgordonca@yahoo.ca>,
socrate@infoiasi.ro
Subject: Re: [ANNOUNCE] DigSig 0.2: kernel module for digital signature verification for binaries
Date: Wed, 1 Oct 2003 23:51:20 +0200 [thread overview]
Message-ID: <20031001215120.GA16761@alpha.home.local> (raw)
In-Reply-To: <20031001182440.GV7665@parcelfarce.linux.theplanet.co.uk>
Hi Al,
On Wed, Oct 01, 2003 at 07:24:40PM +0100, viro@parcelfarce.linux.theplanet.co.uk wrote:
> On Wed, Oct 01, 2003 at 02:14:31PM -0400, Makan Pourzandi wrote:
> > Hi Viro,
> >
> > Obviously, I failed to show that the main functionality of digsig is to
> > avoid the execution of __normal__ rootkits, Trojan horses and other
> > malicious binaries on your system.
>
> <shrug> so in a month rootkits get updated and we are back to square 1,
> with additional mess from patch...
I think that's perfectly true, sadly. It may even become the subject of the
phrack article, next to the collection of insmod_without_module_support, etc...
The only useful feature it would provide would be to secure a system against
people who tamper on the media itself, which is fairly trivial on nfsroot. It
may be interesting to ensure that a server farm which all mount their root from
a central server may not be tricked into executing undesired code injected into
the central NFS server.
The same would be true for removable media such as smartmedia, on PDAs or
specialized systems.
Just a few thoughts,
Willy
next prev parent reply other threads:[~2003-10-01 21:51 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-09-25 19:19 [ANNOUNCE] DigSig 0.2: kernel module for digital signature verification for binaries Makan Pourzandi
2003-10-01 10:26 ` Pavel Machek
2003-10-01 13:33 ` Makan Pourzandi
2003-10-01 14:17 ` viro
2003-10-01 18:14 ` Makan Pourzandi
2003-10-01 18:24 ` viro
2003-10-01 21:51 ` Willy Tarreau [this message]
2003-10-01 21:55 ` Radu Filip
2003-10-01 22:05 ` Pavel Machek
2003-10-01 23:36 ` Larry McVoy
2003-10-02 0:53 ` jlnance
2003-10-02 0:17 ` [ANNOUNCE] DigSig 0.2: kernel module for digital signatureverification " Edgar Toernig
2003-10-02 2:04 ` David Gordon
2003-10-02 2:42 ` [ANNOUNCE] DigSig 0.2: kernel module for digital signature verification " Valdis.Kletnieks
2003-10-02 18:36 ` [ANNOUNCE] DigSig 0.2: kernel module for digital signature ve rification " Makan Pourzandi
2003-10-01 14:05 ` [ANNOUNCE] DigSig 0.2: kernel module for digital signature verification " Valdis.Kletnieks
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20031001215120.GA16761@alpha.home.local \
--to=willy@w.ods.org \
--cc=Axelle.Apvrille@ericsson.ca \
--cc=Makan.Pourzandi@ericsson.ca \
--cc=davidgordonca@yahoo.ca \
--cc=linux-kernel@vger.kernel.org \
--cc=pavel@suse.cz \
--cc=socrate@infoiasi.ro \
--cc=vincent.roy@ericsson.ca \
--cc=viro@parcelfarce.linux.theplanet.co.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox