Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Default Deny on Executables

From: miah <miah () chia-pet org>
Date: Wed, 14 Sep 2005 12:28:33 -0400
On Wed, Sep 14, 2005 at 10:51:05AM -0500, El Nahual wrote:

There are couple of tools that do this, problem is most of them sign inside
the binary which makes harder to actually put this kinda solution in mass
production 8specially if you clone machines and that kinda stuff)


Why would that make it harder?  Its not like the binary will have a
different signature on each system, its going to be the same file.  Look
at it from a distro perspective.  If Redhat were to sign all their
binaries, the signature would be the same on each file on each installed
system, and you'd be able to verify it actually came from Redhat by
checking that signature and comparing it to Redhat's online database (if
they had such a thing).  

RPM has that basic functionality built in, the RPM's are signed, and the
rpm knows the md5sum of each file it contains, using RPM you can easily
determine if a file owned by a RPM has been modified (so long as somebody
hasn't modified the rpm database).

-miah
Previous By Date Next
Previous By Thread Next

Current thread: