Re: [ANNOUNCE] Release Digsig 1.5: kernel module for run-timeauthentication of binaries

[Serge E. Hallyn]

Quoting Arjan van de Ven (arjan@xxxxxxxxxxxxx):
> 
> > A one time effort to write it *and sign it*.
> you don't sign nor need to sign perl or bash scripts. Why would a loader
> be written in ELF itself? There's absolutely no reason for that.

Yup, that's an unfortunate shortcoming.  We'd been wanting to re-post to
lkml for a long time to get ideas to fix that.

I had an extension to digsig earlier which enabled signing shellscripts
using xattrs (just because it was a trivial task), but that's clearly
insufficient as it would catch "./myscript.pl" but not "perl
myscript.pl".

For now obviously the only thing to do is make sure that sensitive
accounts (i.e. accounts not severely restricted through selinux) can't
use anything but, say, rsh.  I assume this is what previous posters
using digsig do?

Anyone have any better ideas for properly handling shellscripts?

-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/