Re: [ANNOUNCE] DigSig 0.2: kernel module for digital signature verification for binaries

[Willy Tarreau]

Hi Al,

On Wed, Oct 01, 2003 at 07:24:40PM +0100, viro@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx wrote:
> On Wed, Oct 01, 2003 at 02:14:31PM -0400, Makan Pourzandi wrote:
> > Hi Viro,
> > 
> > Obviously, I failed to show that the main functionality of digsig is to 
> > avoid the execution of __normal__ rootkits, Trojan horses and other 
> > malicious binaries on your system. 
> 
> <shrug> so in a month rootkits get updated and we are back to square 1,
> with additional mess from patch...

I think that's perfectly true, sadly. It may even become the subject of the
phrack article, next to the collection of insmod_without_module_support, etc...

The only useful feature it would provide would be to secure a system against
people who tamper on the media itself, which is fairly trivial on nfsroot. It
may be interesting to ensure that a server farm which all mount their root from
a central server may not be tricked into executing undesired code injected into
the central NFS server.

The same would be true for removable media such as smartmedia, on PDAs or
specialized systems.

Just a few thoughts,
Willy



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/