On Saturday 01 September 2007, Klaus Schneider wrote:
> Hi.
>
> Well, does anybody know a way to make FreeBSD run just the binaries that I
> have compiled?
>
> For example:
> A hacker gets access to a shell on my server, and then he puts
> exploit code there, but the machine doesn't have a compiler, then he tries
> to put the compiled exploit... suppose that I can't mount the users'
> partition in "noexec" mode...
>
> Does anybody know a solution for this?

IIRC csjp@ had some code to do this inside the MAC framework. Storing hashes
in extended attributes and only allowing execution of signed executables ...

http://perforce.freebsd.org/fileLogView.cgi?FSPC=//depot/projects/trustedbsd/mac/sys/security/mac%5fchkexec/mac%5fchkexec.c

... not sure what became of it, though.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
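
The idea in the reply above (a stored hash per executable, checked before execution), as an added userland sketch that is not part of the original thread and is not the mac_chkexec code. The class and function names are hypothetical, and a dictionary stands in for the extended attribute that a kernel policy would read.

```python
import hashlib
import os
import tempfile

class ExecPolicy:
    """Userland model of hash-gated execution (illustrative, hypothetical names).

    `labels` stands in for a per-file extended attribute that only the
    administrator may write; a kernel policy would read it at exec time.
    """

    def __init__(self):
        self.labels = {}  # real path -> hex SHA-256 recorded at trust time

    @staticmethod
    def digest(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def trust(self, path):
        """Admin step: record the hash of a binary that was built locally."""
        self.labels[os.path.realpath(path)] = self.digest(path)

    def check_exec(self, path):
        """Decision made before execution; the default is deny."""
        real = os.path.realpath(path)
        stored = self.labels.get(real)
        if stored is None:
            return "deny: no hash label"
        if stored != self.digest(real):
            return "deny: hash mismatch"
        return "allow"

def demo():
    """Constructed sample files: one trusted tool, one file uploaded later."""
    policy = ExecPolicy()
    with tempfile.TemporaryDirectory() as d:
        tool, uploaded = os.path.join(d, "tool"), os.path.join(d, "uploaded")
        for path, body in ((tool, b"#!/bin/sh\necho ok\n"),
                           (uploaded, b"#!/bin/sh\necho other\n")):
            with open(path, "wb") as f:
                f.write(body)
        policy.trust(tool)
        results = [policy.check_exec(tool), policy.check_exec(uploaded)]
        with open(tool, "ab") as f:  # trusted file changed after labelling
            f.write(b"# changed\n")
        results.append(policy.check_exec(tool))
        return results

if __name__ == "__main__":
    print(demo())
```

An uploaded binary is refused because it has no label, and a labelled binary is refused once its contents no longer match the recorded hash.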