On Tue, Dec 22, 1998 at 11:05:20PM -0000, D. J. Bernstein wrote:
> Peter C. Norton writes:
> > /etc/aliases.db however is a dynamic file.  However verifying it can
> > be easily done by a human with fairly standard interpreters like perl,
> > or python, or with a small c program.  In fact, these programs could
> > easily parse for the tokens that indicate danger.
> 
> And what exactly is the advantage of this vaporware, compared to the
> obvious solution---namely, recreating /etc/aliases.db?

Don't you want to know how you're being attacked?

> > Can I do this with qmail's binaries?
> 
> With a var-qmail package, yes, of course you could write a program to
> verify the bin/* integrity. In fact, it would be a simple shell script.
> See qmail-1.03/BIN.Makefile. But it's even easier to recreate the files.

But it's not possible to do this across multiple systems that have
different uid's.  Why not? Your assumption that it's easier to recreate
the files does not hold true under all conditions, especially not
conditions where security is important and compilers and associated
tools are disabled (i.e. bastion hosts, firewalls).  What if it's not
easier to recreate the files?
 
As to why I'd rather not have to recreate the files - if I'm following
a break-in, I have more useful things to do, like find the schmuck who
did it.  Being able to verify binaries on a large number of systems
helps me do that.  Being stuck having to reinstall on a
system-by-system basis just sucks.

> > > If you can verify /etc/aliases.db, why can't you verify the qmail files?
> > The qmail binaries are static after installation.  
> 
> Explain. Why would it be _harder_ to verify static files?

Please note the word "after" in there.  qmail binaries are, by your
design, not necessarily static after compilation.  If you have to keep
a database of this verification information then you lose the ability
to have a read-only known good checksum for all systems.  Your
database has to be writeable if you're not verifying files that are
static from linking onwards.

So let me rephrase myself: The qmail binaries are only potentially
static before their installation.  The qmail design provides no
guarantee that they should remain static after installation, even in
normal use.  This makes my duties at many times more arduous, and that
makes me less reliable, and if I'm less reliable and my tools add to
that unreliability by causing me more work, then IMO the tool can stand
to be improved.
 
-Peter
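
Added example, not part of the original message or of qmail: a minimal verifier that checks an installed directory against a read-only known-good checksum list and reports modified, missing and unexpected files. It assumes a sha256sum-style manifest and binaries that are byte-identical on every host sharing that manifest; the function names and paths are hypothetical.

```python
import hashlib
from pathlib import Path

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def load_manifest(text):
    """Parse 'HEXDIGEST  relative/path' lines (sha256sum-style; assumed format)."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, name = line.split(None, 1)
            manifest[name.lstrip("*")] = digest.lower()
    return manifest

def verify_tree(root, manifest):
    """Return sorted lists of modified, missing and unexpected files under root."""
    root = Path(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for name, want in sorted(manifest.items()):
        path = root / name
        if path.is_symlink() or (path.exists() and not path.is_file()):
            report["modified"].append(name)  # regular file replaced by a link or other type
        elif not path.exists():
            report["missing"].append(name)
        elif sha256_file(path) != want:
            report["modified"].append(name)
    # Anything on disk that the manifest does not list is reported as well.
    on_disk = {p.relative_to(root).as_posix()
               for p in root.rglob("*") if p.is_symlink() or p.is_file()}
    report["unexpected"] = sorted(on_disk - set(manifest))
    return report

if __name__ == "__main__":
    import sys
    # Example invocation (paths are placeholders): verify.py MANIFEST /var/qmail/bin
    result = verify_tree(sys.argv[2], load_manifest(Path(sys.argv[1]).read_text()))
    for kind, names in result.items():
        for name in names:
            print(f"{kind}: {name}")
    sys.exit(1 if any(result.values()) else 0)
```

The manifest only stays trustworthy if it is kept on media the checked host cannot write to, and the verifier itself is run from a trusted copy.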
