Dailydave mailing list archives

Re: Default Deny on Executables


From: "Andrew R. Reiter" <arr () watson org>
Date: Wed, 14 Sep 2005 12:41:27 -0400 (EDT)

On Wed, 14 Sep 2005, miah wrote:

:On Wed, Sep 14, 2005 at 10:51:05AM -0500, El Nahual wrote:
:> There are a couple of tools that do this, problem is most of them sign inside
:> the binary which makes it harder to actually put this kinda solution in mass
:> production (specially if you clone machines and that kinda stuff)
:
:Why would that make it harder?  It's not like the binary will have a
:different signature on each system, it's going to be the same file.  Look
:at it from a distro perspective.  If Redhat were to sign all their
:binaries, the signature would be the same on each file on each installed
:system, and you'd be able to verify it actually came from Redhat by
:checking that signature and comparing it to Redhat's online database (if
:they had such a thing).  
:
:RPM has that basic functionality built in, the RPMs are signed, and the
:rpm knows the md5sum of each file it contains, using RPM you can easily
:determine if a file owned by an RPM has been modified (so long as somebody
:hasn't modified the rpm database).
:

While this is on a different OS, I've seen numerous installer packages 
modify the binary being put onto the machine to include various 
information (OS version, arch, install time).  So, if for any reason, 
there are installation packages that do modify ELF files (I've never 
looked into this), you might have issues.  But I don't see this as a 
common thing to *nix -- though I've not looked into it.

Cheers,
Andrew

-------------------------------------------------------------
  "Natural bridges on a clean west swell,
     Break over the reef like a bat out of hell." -- Sublime.
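
The two failure cases raised in this thread, as an added example that is not part of the original messages: a per-file digest manifest flags a binary that an installer stamped after packaging, and the check is only trustworthy if the manifest itself is authenticated. Assumptions: SHA-256 is used in place of md5sum, an HMAC with a demo key stands in for a real package signature, and all file names and contents are constructed.

```python
import hashlib, hmac, json, os, tempfile

def digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def _mac(files, key):
    # Authenticate the whole digest table, not individual entries.
    blob = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def build_manifest(paths, key):
    """Record one digest per file at packaging time."""
    files = {p: digest(p) for p in paths}
    return {"files": files, "mac": _mac(files, key)}

def verify(manifest, key):
    """Return (manifest_authentic, sorted list of files that do not match)."""
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest["mac"]):
        return False, []          # digest table was edited: results are meaningless
    bad = [p for p, d in manifest["files"].items()
           if not os.path.exists(p) or digest(p) != d]
    return True, sorted(bad)

def demo():
    key = b"constructed-demo-key"                 # stand-in for the signing key
    root = tempfile.mkdtemp()
    path_a = os.path.join(root, "tool_a")
    path_b = os.path.join(root, "tool_b")
    for p, data in ((path_a, b"\x7fELF constructed A"), (path_b, b"\x7fELF constructed B")):
        with open(p, "wb") as f:
            f.write(data)
    manifest = build_manifest([path_a, path_b], key)
    clean = verify(manifest, key)
    # Case 1: an installer appends install-time data to the shipped binary.
    with open(path_b, "ab") as f:
        f.write(b"install_time=constructed")
    stamped = verify(manifest, key)
    # Case 2: someone edits the stored digest to match, without the key.
    forged = {"files": dict(manifest["files"]), "mac": manifest["mac"]}
    forged["files"][path_b] = digest(path_b)
    tampered = verify(forged, key)
    return clean, (stamped[0], [os.path.basename(p) for p in stamped[1]]), tampered

if __name__ == "__main__":
    print(demo())
```

A default-deny policy built on such a table has to decide up front how binaries that are legitimately stamped at install time get re-recorded, otherwise they are simply blocked.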

