Re: signing a filesystem

Andrew G. Morgan (morgan@parc.power.net)
Fri, 27 Dec 1996 22:40:52 -0800 (PST)


bofh@snoopy.virtual.net.au wrote:
>
> > lilo: linux fs-key=BigSecret
>
> The problem is keeping the lilo config secret. The only way to do this is

This is a fair point, especially given the fact that /proc/cmdline is so
unrestricted.

> to somehow give a secret key to the kernel. The problem is determining an
> appropriate way of doing it. The only method I've come up with is for the
> sys-admin to type in a password at boot time. This will work, but will require
> that the administrator be present when the machine is booting. I know that
> this will work well for many systems (single user workstations), but I doubt
> that it'll work for the systems that actually require this level of security.

It is not clear to me that there are any secure methods of supplying such a
key, besides the sys-admin being physically present at the console (key in
hand). If an attacker can gain physical access to the machine then, in
principle, he is able to read any information (which includes the detailed
mechanism used to automatically generate the key) within it.

I'd certainly like to be proved wrong on this...

> However if you think that the above is worth doing then I encourage you to
> write the code and contribute it. You can either contribute it to the Ext2
> project (I don't know whether it fits in with the plans of the people who
> maintain that FS) now, contribute it to my project later (currently we haven't
> started coding so it's too early for such things), or do both.

At this stage, I'm interested mostly in people's comments. I'm becoming
fascinated by what it would take to make Linux conform to Orange-Book Class
B security. This modification to the filesystem would be relevant to
getting it over C1 (sub-paragraph 2.1.3.1.1!)

Regards

Andrew

-- 
        Linux-PAM: http://parc.power.net/morgan/Linux-PAM/index.html
          libpwdb: http://parc.power.net/morgan/libpwdb/index.html
       [ For those that prefer FTP  ---  ftp://ftp.lalug.org/morgan ]
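
Added example, not part of the original message or of any project mentioned in it: a small audit that shows why a key passed as a boot parameter (the thread's hypothetical fs-key=) is exposed when /proc/cmdline is world-readable. The name pattern and all function names are assumptions made for illustration, and the sample command line is constructed.

```python
import os
import re
import stat

# Parameter names that suggest key material (assumed heuristic, not a kernel list).
SECRET_NAME = re.compile(r"(key|secret|pass|token)", re.IGNORECASE)

def split_cmdline(cmdline):
    """Split a kernel command line on whitespace, keeping double-quoted values whole."""
    params, current, in_quotes = [], "", False
    for ch in cmdline.strip():
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                params.append(current)
            current = ""
        else:
            current += ch
    if current:
        params.append(current)
    return params

def secret_params(cmdline):
    """Return names of name=value parameters whose name looks like key material."""
    found = []
    for param in split_cmdline(cmdline):
        name, sep, value = param.partition("=")
        if sep and value and SECRET_NAME.search(name):
            found.append(name)  # report the name only, never echo the value
    return found

def world_readable(path):
    """True if the file mode grants read access to every local user."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def audit(cmdline_path="/proc/cmdline"):
    """Names of secret-looking boot parameters that any local user can read."""
    with open(cmdline_path) as fh:
        names = secret_params(fh.read())
    return names if world_readable(cmdline_path) else []

# Constructed sample mirroring the thread's hypothetical fs-key parameter.
SAMPLE = 'BOOT_IMAGE=linux root=/dev/hda1 ro fs-key=BigSecret note="a key=b"'

if __name__ == "__main__":
    print(secret_params(SAMPLE))
    if os.path.exists("/proc/cmdline"):
        print(audit())
```

The same check applies to the boot loader configuration file that stores the parameter, since its permissions decide who can read the key at rest.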