Re: Capabilities

From: Andreas Gruenbacher (a.gruenbacher@bestbits.at)
Date: Mon Feb 21 2000 - 13:23:04 EST


Paul Jakma wrote:
>
> On Sun, 20 Feb 2000, Andreas Gruenbacher wrote:
>
> > The kernel should boot up in non-trusted mode (with root and SUID root binaries
> > receiving full capabilities, as it's implemented now).
> >
> > A simple syscall could then switch the kernel to trusted mode. Afterwards, root
> > is treated as all others.
> >
> > Switching to trusted mode then can easily be done in init scripts, ...
> >
> > Of course, there shouldn't be a way to switch back to non-trusted mode...
> >
>
> there shouldn't be any switch at any time.
>
> Either your installation is compatible with a trust kernel or it's not.
> And if it is, then by booting up in non-trusted mode you leave a small
> window where the system is at risk. And hence switching to trusted mode
> would be meaningless.

It all depends on your risk evaluation. Once you gain physical access to a
machine, there's no real protection anymore. If the goal is merely to protect
the system from attacks over the network, switching to trusted mode before the
network interfaces are initialized is perfectly safe.

Regards,
Andreas

------------------------------------------------------------------------
 Andreas Gruenbacher, a.gruenbacher@computer.org
 Contact information: http://www.bestbits.at/~agruenba

This archive was generated by hypermail 2b29 : Wed Feb 23 2000 - 21:00:28 EST