Roland Mainz wrote: > Hi! > > ---- > > While playing around with "elfsign"&co. I had an idea - would it be > usefull to limit the execution of setuid/setgid executables to signed > elf binaries where the signature have to match a predefined list in the > kernel ? > > At least it would close the hole that hackers may create their own > versions of setuid/setgid executables and implement backdoors that way > for later usage... > > ----
We have certainly considered that type of system operation and I hope that soon we will have some information on the "Signed Execution" project put up on opensolaris.org. Lets just say you aren't the first to make that observation :-) I had this discussion with people even before I had finished implementing the first prototype of the elfsign code. So you are thinking along the same lines as many others! -- Darren J Moffat
