Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Thu, 29 Mar 2001 07:10:55 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Thu, 29 Mar 2001 07:10:34 -0500 Received: from helena.mi.uni-erlangen.de ([131.188.103.20]:5772 "EHLO mi.uni-erlangen.de") by vger.kernel.org with ESMTP id ; Thu, 29 Mar 2001 07:10:26 -0500 Date: Thu, 29 Mar 2001 14:05:44 +0200 (MEST) From: Walter Hofmann To: Jesse Pollard cc: Jesse Pollard , Shawn Starr , linux-kernel@vger.kernel.org Subject: Re: Disturbing news.. In-Reply-To: <200103281440.IAA48398@tomcat.admin.navo.hpc.mil> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 28 Mar 2001, Jesse Pollard wrote: > By itself it doesn't - but if you also don't have user/group/world rw and > don't own the file, you can't do anything to it. This is all completely useless. Why not remove world rw permissions in the first place. If the admin isn't even able to write a cron job that does this, all help is lost. > It's only there to reduce accidents. If you want to go full out, > remove the symbols from the file. Just as useless. > Now, if ELF were to be modified, I'd just add a segment checksum > for each segment, then put the checksum in the ELF header as well as > in the/a segment header just to make things harder. At exec time a checksum > verify could (expensive) be done on each segment. A reduced level could be > done only on the data segment or text segment. This would at least force > the virus to completly read the file to regenerate the checksum. So? The virus will just redo the checksum. Sooner or later their will be a routine to do this in libbfd and this all reduces to a single additional line of code. > That change would even allow for signature checks of the checksum if the > signature was stored somewhere else (system binaries/setuid binaries...). > But only in a high risk environment. This could even be used for a scanner > to detect ANY change to binaries (and fast too - signature check of checksums > wouldn't require reading the entire file). One sane way to do this is to store the sig on a ro medium and make the kernel check the sig of every binary before it is run. HOWEVER, this means no compilers will work, and you have to delete all script languages like perl or python (or make all of them check the signature). Useless again, IMO. > In any case, the problem is limited to one user, even if nothing is done. Your best bet is to educate your users. Walter - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/