Re: signing a filesystem

bofh@snoopy.virtual.net.au
Sat, 28 Dec 96 18:14:25 +1000


>> > lilo: linux fs-key=BigSecret
>>
>> The problem is keeping the lilo config secret. The only way to do this is

>This is a fair point. Especially given the fact that /proc/cmdline is so
>unrestricted.

/proc/cmdline is not the issue IMHO. I could hack /proc/cmdline out of
there in 5 minutes, or the sys-admin could leave /proc unmounted (or mount it
as ~root/proc and have /proc be a symlink). The issue is that the kernel gets
a command line from somewhere and the hacker could get it from the same place.
If the boot loader can get the kernel command line from a hard drive or floppy
drive then a hacker with physical access to the machine can get it in the same
fashion. Let's face it, boot loaders are pretty stupid but the same can't be
said for all potential hackers!

>> to somehow give a secret key to the kernel. The problem is determining an
>> appropriate way of doing it. The only method I've come up with is for the
>> sys-admin to type in a password at boot time. This will work, but will require
>> that the administrator be present when the machine is booting. I know that
>> this will work well for many systems (single user workstations), but I doubt
>> that it'll work for the systems that actually require this level of security.

>It is not clear to me that there are any secure methods of supplying such a
>key, besides the sys-admin being physically present at the console (key in
>hand). If an attacker can gain physical access to the machine then, in
>principle, he is able to read any information (which includes the detailed
>mechanism used to automatically generate the key) within it.

That's the same issue that I've been contemplating for a couple of years.

>I certainly like to be proved wrong on this...

Same here.

>> However if you think that the above is worth doing then I encourage you to
>> write the code and contribute it. You can either contribute it to the Ext2
>> project (I don't know whether it fits in with the plans of the people who
>> maintain that FS) now, contribute it to my project later (currently we haven't
>> started coding so it's too early for such things), or do both.

>At this stage, I'm interested mostly in people's comments. I'm becoming
>fascinated by what it would take to make Linux conform to Orange-Book Class B
>security. This modification to the filesystem would be relevant to getting it
>over C1 (sub-paragraph 2.1.3.1.1!)

Sounds great!

If there is a good copy of these security standards on the net could you
please give me the URL? Otherwise could you please provide a brief summary of
the important points?

Russell Coker
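As an added illustration (not code from this thread or from either project mentioned in it), the following Python sketch shows the one method the thread considers workable: the sys-admin types a passphrase at the console, a signing key is derived from it, and a keyed manifest of the filesystem is checked against that key. The key is never placed on the kernel command line, so neither the lilo config nor /proc/cmdline has anything to leak. All names here are hypothetical, the "filesystem" is a constructed in-memory dict standing in for real files, and the salt is assumed to be stored on disk (it need not be secret).

```python
"""Boot-time passphrase -> filesystem signing key, with a keyed manifest check.

Hypothetical illustration. An in-memory dict of path -> bytes stands in for the
real filesystem. The key is derived from an operator-entered passphrase with
PBKDF2-HMAC-SHA256; a canonical manifest of (path, sha256) is authenticated
with HMAC-SHA256; verification rejects a modified file or a wrong passphrase.
"""
import hashlib
import hmac

# Constructed sample "filesystem" contents (not real files).
SAMPLE_FS = {
    "/bin/login": b"#!/bin/sh\nexec /real/login\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/sbin/init": b"\x7fELF fake init binary\n",
}

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for the boot-time budget


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Turn the console passphrase into a 32-byte signing key.

    The salt is stored on disk next to the manifest; only the passphrase is
    secret, and it lives only in the operator's head and in memory at boot.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               PBKDF2_ROUNDS, dklen=32)


def build_manifest(fs: dict) -> bytes:
    """Canonical manifest: sorted 'path<TAB>sha256hex' lines."""
    lines = [f"{path}\t{hashlib.sha256(fs[path]).hexdigest()}"
             for path in sorted(fs)]
    return ("\n".join(lines) + "\n").encode()


def sign_fs(fs: dict, key: bytes):
    """Return (manifest, tag): the manifest plus its HMAC under key."""
    manifest = build_manifest(fs)
    tag = hmac.new(key, manifest, hashlib.sha256).digest()
    return manifest, tag


def verify_fs(fs: dict, key: bytes, manifest: bytes, tag: bytes) -> bool:
    """True only if the manifest is authentic under key AND matches fs."""
    expected = hmac.new(key, manifest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False  # wrong passphrase, or manifest/tag tampered with
    # Constant-time compare also guards against a manifest that was replaced
    # along with the files it describes but signed under a different key.
    return hmac.compare_digest(manifest, build_manifest(fs))


def demo(passphrase: str = "correct horse", salt: bytes = b"constructed-salt"):
    """Sign the sample fs, then verify clean, modified and wrong-key cases."""
    key = derive_key(passphrase, salt)
    manifest, tag = sign_fs(SAMPLE_FS, key)

    ok_clean = verify_fs(SAMPLE_FS, key, manifest, tag)

    modified = dict(SAMPLE_FS)  # constructed: one file changed after signing
    modified["/bin/login"] = b"#!/bin/sh\nexec /real/login\n# modified\n"
    ok_modified = verify_fs(modified, key, manifest, tag)

    wrong_key = derive_key("wrong passphrase", salt)
    ok_wrong_key = verify_fs(SAMPLE_FS, wrong_key, manifest, tag)

    return ok_clean, ok_modified, ok_wrong_key  # -> (True, False, False)


if __name__ == "__main__":
    print(demo())
```

The design point relevant to the thread: the manifest and salt can sit unprotected on the disk because an attacker with physical access gains nothing from them without the passphrase; what they do gain is the ability to replace the verification code itself, which is the residual problem the thread leaves open.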