On Wed, 16 Jul 2003 16:59:14 EDT, Omen Wild said:

> First, it allows tampered files to be caught in real time. If someone
> hacked a system and copied in a modified binary (ls, ps, netstat,
> etc.), it would be caught the next time the file is executed. The
> kernel can print a big fat warning, deny access to the file, or even
> shut the system down.

The only real advantage doing it in-kernel has is that it prevents a number of race conditions that get opened if the kernel has to make a call to userspace to get a ruling on if a file is OK or not. It would be a non-trivial amount of time to SHA1 (for instance) the OpenOffice binary or Mozilla. See for contrast the bugs that have cropped up with hotplug support, where we get userspace hotplug events running on devices that have already departed, etc.....

Of course, a sane policy would make sure that all the directories involved were immutable in some fashion, preventing symlink races and the like, so it's probably NOT a real issue (if you're worried about security, you shouldn't be allowing binaries to be run from /tmp, no matter HOW valid they look. ;)
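The race the reply is pointing at is the gap between "rule on whether this file is OK" and "act on the file": if the ruling is made by hashing a path and the file is later opened or executed by that same path, nothing ties the two together. The script below is an added illustration, not code from this thread or from any kernel patch it discusses; it assumes POSIX file semantics (rename over an open file leaves the old inode reachable through the descriptor) and builds its own throwaway "binaries" in a temporary directory. It contrasts a path-based measurement with one that hashes through an already-open descriptor and pins the file's identity by (st_dev, st_ino), so the caller can use the measured object itself (for instance with os.fexecve) or at least notice that the path no longer refers to it. A small timing helper also gives a feel for the cost of SHA1-ing a binary of a given size, which is the other point the reply makes.

```python
import hashlib
import os
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB reads


def hash_path(path, algo="sha1"):
    """Path-based check: hashes whatever currently sits at `path`.
    Nothing ties this digest to the file a later open()/exec by path
    will get, which is the race the thread is talking about."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def open_and_hash(path, algo="sha1"):
    """Descriptor-pinned check: open once, hash through that descriptor,
    and hand back the descriptor plus (st_dev, st_ino) so the caller can
    act on the very object that was measured (e.g. via os.fexecve)."""
    fd = os.open(path, os.O_RDONLY)
    h = hashlib.new(algo)
    while True:
        chunk = os.read(fd, CHUNK)
        if not chunk:
            break
        h.update(chunk)
    os.lseek(fd, 0, os.SEEK_SET)
    st = os.fstat(fd)
    return fd, h.hexdigest(), (st.st_dev, st.st_ino)


def race_demo():
    """Constructed scenario: a 'binary' is measured, then the file at its
    path is replaced before it is used. Returns what each approach
    actually ends up acting on."""
    with tempfile.TemporaryDirectory() as d:
        tool = os.path.join(d, "tool")
        with open(tool, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
        known_good = hash_path(tool)

        # Path-based check: passes at this instant ...
        path_check_passed = hash_path(tool) == known_good
        # Descriptor-based check taken at the same instant.
        fd, fd_digest, fd_ident = open_and_hash(tool)

        # ... then, in the window between check and use, the name is
        # repointed at a different inode with different contents.
        replacement = os.path.join(d, "tool.tmp")
        with open(replacement, "wb") as f:
            f.write(b"#!/bin/sh\necho modified\n")
        os.replace(replacement, tool)

        # Path-based use re-opens by name and gets the new file.
        with open(tool, "rb") as f:
            used_by_path = f.read()
        # Descriptor-based use still reads the measured inode, and a stat
        # of the path no longer matches the pinned identity: detectable.
        used_by_fd = os.read(fd, CHUNK)
        st_now = os.stat(tool)
        path_still_same_inode = (st_now.st_dev, st_now.st_ino) == fd_ident
        os.close(fd)

        return {
            "path_check_passed": path_check_passed,
            "path_used_matches_check": hashlib.sha1(used_by_path).hexdigest() == known_good,
            "fd_digest_matches": fd_digest == known_good,
            "fd_used_matches_check": hashlib.sha1(used_by_fd).hexdigest() == known_good,
            "path_still_same_inode": path_still_same_inode,
        }


def time_to_hash(nbytes, algo="sha1"):
    """Rough cost of measuring a file of `nbytes` on this machine, using a
    constructed zero-filled buffer rather than a real binary."""
    buf = bytes(CHUNK)
    t0 = time.perf_counter()
    h = hashlib.new(algo)
    for _ in range(nbytes // CHUNK):
        h.update(buf)
    h.update(bytes(nbytes % CHUNK))
    return time.perf_counter() - t0


if __name__ == "__main__":
    for k, v in race_demo().items():
        print(f"{k}: {v}")
    print(f"sha1 over 64 MiB: {time_to_hash(64 << 20):.3f}s")
```

The path-based flow reports a passed check and then acts on contents whose digest no longer matches; the descriptor-based flow acts on exactly what it measured, and the inode mismatch gives a policy engine something concrete to refuse on. This is the same reason the reply says immutable directories make the issue mostly moot: if the name cannot be repointed between ruling and use, the two flows collapse into one.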
This archive was generated by hypermail 2b30 : Wed Jul 16 2003 - 14:29:02 PDT