From: Michael Tokarev <mjt@tls.msk.ru>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: Arjan van de Ven <arjan@infradead.org>,
Ulrich Drepper <drepper@gmail.com>,
Axelle Apvrille <axelle_apvrille@yahoo.fr>,
Nix <nix@esperi.org.uk>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
disec-devel@lists.sourceforge.net
Subject: Re: [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries
Date: Sat, 29 Apr 2006 00:48:27 +0400 [thread overview]
Message-ID: <44527F9B.6040500@tls.msk.ru> (raw)
In-Reply-To: <20060428162904.GB31473@sergelap.austin.ibm.com>
Serge E. Hallyn wrote:
> Quoting Arjan van de Ven (arjan@infradead.org):
>>> A one time effort to write it *and sign it*.
>> you don't sign nor need to sign perl or bash scripts. Why would a loader
>> be written in ELF itself? There's absolutely no reason for that.
>
> Yup, that's an unfortunate shortcoming. We'd been wanting to re-post to
> lkml for a long time to get ideas to fix that.
>
> I had an extension to digsig earlier which enabled signing shellscripts
> using xattrs (just because it was a trivial task), but that's clearly
> insufficient as it would catch "./myscript.pl" but not "perl
> myscript.pl".
Another thing to do is to modify perl to verify signatures of
the scripts it's executing, sign *that* perl binary, and disallow
executing of unsigned perl scripts...
/mjt, who's joking only partially.
next prev parent reply other threads:[~2006-04-28 20:48 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-04-24 16:27 [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries Makan Pourzandi (QB/EMC)
2006-04-24 16:47 ` Arjan van de Ven
2006-04-24 20:32 ` Nix
2006-04-24 20:45 ` Arjan van de Ven
2006-04-24 23:35 ` Nix
2006-04-25 6:30 ` Arjan van de Ven
2006-04-25 7:16 ` Nix
2006-04-25 16:11 ` Axelle Apvrille
2006-04-25 16:56 ` Arjan van de Ven
2006-04-25 18:57 ` Nix
2006-04-25 19:37 ` Arjan van de Ven
2006-04-25 19:52 ` Valdis.Kletnieks
2006-04-26 4:43 ` Kyle Moffett
2006-04-25 19:01 ` Chris Boot
2006-04-25 19:09 ` Valdis.Kletnieks
2006-04-25 20:00 ` Serge E. Hallyn
2006-04-28 15:33 ` Ulrich Drepper
2006-04-28 16:09 ` Serge E. Hallyn
2006-04-28 16:11 ` Arjan van de Ven
2006-04-28 16:29 ` Serge E. Hallyn
2006-04-28 17:53 ` Arjan van de Ven
2006-04-28 20:48 ` Michael Tokarev [this message]
2006-04-28 18:16 ` Christoph Hellwig
2006-04-28 19:22 ` Serge E. Hallyn
2006-04-25 13:00 ` Geert Uytterhoeven
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44527F9B.6040500@tls.msk.ru \
--to=mjt@tls.msk.ru \
--cc=arjan@infradead.org \
--cc=axelle_apvrille@yahoo.fr \
--cc=disec-devel@lists.sourceforge.net \
--cc=drepper@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nix@esperi.org.uk \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox