Re: [ANNOUNCE] Release Digsig 1.5: kernel module for run-time authentication of binaries

Quoting Arjan van de Ven ([email protected]):
> 
> > A one time effort to write it *and sign it*.
> you don't sign nor need to sign perl or bash scripts. Why would a loader
> be written in ELF itself? There's absolutely no reason for that.

Yup, that's an unfortunate shortcoming.  We'd been wanting to re-post to
lkml for a long time to get ideas to fix that.

I had an extension to digsig earlier which enabled signing shellscripts
using xattrs (just because it was a trivial task), but that's clearly
insufficient as it would catch "./myscript.pl" but not "perl
myscript.pl".

For now obviously the only thing to do is make sure that sensitive
accounts (i.e. accounts not severely restricted through selinux) can't
use anything but, say, rsh.  I assume this is what previous posters
using digsig do?

Anyone have any better ideas for properly handling shellscripts?

-serge
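
The gap described in the message above, as an added example that is not part of the original post or of Digsig: a small Python classifier over constructed execve events that separates files an exec-time hook would see from scripts an interpreter merely reads. The interpreter list, the flag set and the event tuples are assumptions made for illustration.

```python
import os

# Assumed interpreter names; extend for the system being monitored.
INTERPRETERS = {"sh", "bash", "dash", "perl", "python3", "ruby"}
# Flags that pass program text on the command line (no script file exists).
INLINE_FLAGS = {"-c", "-e"}


def classify(path, argv):
    """Classify one execve(path, argv) call as seen at syscall entry.

    Returns (kind, script) where kind is one of:
      "exec-checked"     - path itself is exec'd, so an exec-time hook sees it
      "interpreter-read" - script is only opened and read by the interpreter
      "inline"           - code given via -c/-e, there is no file to sign
      "stdin"            - interpreter started with no script argument
    """
    if os.path.basename(path) not in INTERPRETERS:
        return ("exec-checked", path)
    args = iter(argv[1:])
    for arg in args:
        if arg == "--":                      # explicit end of options
            script = next(args, None)
            return ("interpreter-read", script) if script else ("stdin", None)
        if arg in INLINE_FLAGS:
            return ("inline", None)
        if arg == "-":                       # program text comes from stdin
            return ("stdin", None)
        if arg.startswith("-"):
            continue                         # simplification: option values not modelled
        return ("interpreter-read", arg)
    return ("stdin", None)


# Constructed sample events: (path passed to execve, argv).
EVENTS = [
    ("./myscript.pl", ["./myscript.pl"]),
    ("/usr/bin/perl", ["perl", "myscript.pl"]),
    ("/usr/bin/perl", ["perl", "-w", "myscript.pl"]),
    ("/bin/sh", ["sh", "-c", "echo hi"]),
    ("/bin/bash", ["bash"]),
]


def unverified(events):
    """Return events whose code never passes through an exec-time check."""
    return [(p, a) for p, a in events if classify(p, a)[0] != "exec-checked"]
```

Only the first constructed event exposes the script file to an exec-time check; in the other four the kernel sees only the interpreter binary.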