Hi! > > > > > > If I understand you, then you are claiming that steps (ii) to (v) > > > introduce buffer overflows in bash or show_etc_issue. How? > > > > No, I'm not claiming that. You are certainly *not* introducing any new > > problems. > > > > But some problems that used to be harmless (buffer overrun in > > show_etc_issue command) are not harmless any more. > > How is a buffer overrun in a script/application less "harmless" with IMA? > Please be specific. Preliminary IMA patches are out on the mailing lists. > > The only thing that IMA does with respect to existing known buffer > overruns is that it enables remote parties to know that there is an application > with a known buffer overrun if this application/script was measured. Such > information is sensitive and this is one reason why direct access to the > measurements are restricted to authorized/trusted parties. Well, you'll have to add measurement of any security-sensitive config file, any script, and will have to make sure that all parsing of system config files does not contain buffer-overrun problems. That's lot of work before IMA is usefull. It is true you do not make situation any worse. Good luck and go ahead. Pavel
This archive was generated by hypermail 2.1.3 : Wed May 25 2005 - 14:59:11 PDT