On Sun, 2 Sep 2007, Max Laier wrote:

On Saturday 01 September 2007, Klaus Schneider wrote:

Well, does anybody know a way to make FreeBSD run only binaries that I have compiled?

For example: a hacker gets access to a shell on my server and then puts exploit code there, but the machine doesn't have a compiler, so he tries to put the compiled exploit on it... suppose that I can't mount the users' partition in "noexec" mode...

Does anybody know a solution for this?

IIRC csjp@ had some code to do this inside the MAC framework. Storing hashes in extended attributes and only allowing execution of signed executables ... http://perforce.freebsd.org/fileLogView.cgi?FSPC=//depot/projects/trustedbsd/mac/sys/security/mac%5fchkexec/mac%5fchkexec.c ... not sure what became of it, though.

I believe he also was able to verify other things, such as shared libraries, which for modern binaries is the obvious next step given that a fair chunk of code run in many programs isn't in the main program binary.

Robert N M Watson
Computer Laboratory
University of Cambridge
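As an added illustration of the approach Max and Robert describe, and not code from mac_chkexec or FreeBSD: a userland model of the check, with a dict standing in for the per-file extended attributes, a keyed HMAC over the file's SHA-256 so that only the holder of the administrator key can produce a valid label, and an exec-time decision that denies unlabeled, modified, or wrongly labeled files. The key, the attribute name and the sample files are constructed for the demo; a real implementation would keep the label in an EA and enforce the decision from the kernel's exec path.

```python
import hashlib
import hmac
import os
import tempfile

# Stand-in for a per-file extended attribute: store[path][LABEL_NAME] -> HMAC tag.
LABEL_NAME = "chkexec.hmac"  # constructed attribute name


def file_digest(path: str) -> bytes:
    """SHA-256 of the file's current contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def label_file(path: str, key: bytes, store: dict) -> None:
    """Administrator step: bind the file's current content to a keyed label."""
    tag = hmac.new(key, file_digest(path), hashlib.sha256).digest()
    store.setdefault(path, {})[LABEL_NAME] = tag


def check_exec(path: str, key: bytes, store: dict) -> bool:
    """Exec-time policy: allow only if a label exists and still matches the content."""
    tag = store.get(path, {}).get(LABEL_NAME)
    if tag is None:
        return False  # no label at all (e.g. a freshly dropped binary): deny
    expected = hmac.new(key, file_digest(path), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


def demo() -> dict:
    key = b"constructed-admin-key"  # would live outside the users' partition
    store = {}
    d = tempfile.mkdtemp()
    trusted, rogue = os.path.join(d, "trusted-bin"), os.path.join(d, "rogue-bin")
    with open(trusted, "wb") as f:
        f.write(b"#!/bin/sh\necho ok\n")  # constructed sample "binary"
    with open(rogue, "wb") as f:
        f.write(b"#!/bin/sh\necho untrusted\n")
    label_file(trusted, key, store)
    results = {"trusted": check_exec(trusted, key, store),
               "unlabeled": check_exec(rogue, key, store)}
    with open(trusted, "ab") as f:
        f.write(b"echo modified\n")  # any change to labeled content invalidates it
    results["tampered"] = check_exec(trusted, key, store)
    # A label made without the admin key does not verify, so file-write access alone is not enough.
    store[rogue] = {LABEL_NAME: hmac.new(b"other-key", file_digest(rogue), hashlib.sha256).digest()}
    results["wrong_key_label"] = check_exec(rogue, key, store)
    return results
```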
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers