From: Thor Lancelot Simon (tls panix.com)
Date: Thu Sep 23 2010 - 13:56:07 CDT
On Thu, Sep 23, 2010 at 12:17:20PM -0400, Jan Schaumann wrote:
> >
> > Actually, veriexec can be more subtle than that. You can bless
> > certain shell scripts but deny the direct invocation of the shell
> > interpreter.
>
> But that requires me explicitly stating which scripts are allowed to
> run, right? What I'm looking for is a way to allow any arbitrary script
> to be executed so long as it's signed by an entity I previously
> identified. If no signature is found, the signature does not verify or
> is not by the entity I declared, then execution is refused.
So you need the shell to be the thing whose fingerprint is known to the
kernel, and the interpreted scripts to be known to the shell.
Thor
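
The interpreter-side half of the arrangement described above, sketched as an added example that is not part of the original message or of NetBSD: a POSIX sh wrapper that refuses to run a script unless a detached signature verifies against one trusted key. The names `run_signed` and `TRUSTED_PUBKEY` and the `<script>.sig` convention are assumptions, as is the use of `openssl`; the kernel (veriexec) is assumed to fingerprint the binaries that do the checking.

```shell
# Added example: verify a detached signature before handing a script to sh.
# Assumptions: openssl is installed; TRUSTED_PUBKEY is the path of a PEM
# public key chosen by the administrator; signatures are stored beside the
# scripts as <script>.sig (hypothetical convention).

run_signed() {
    script=$1; shift
    pubkey=${TRUSTED_PUBKEY:?TRUSTED_PUBKEY not set}
    sig="$script.sig"

    # Case 1: no signature found -> refuse.
    [ -f "$sig" ] || { echo "refused: no signature for $script" >&2; return 126; }

    # Snapshot the script into a private file so that the bytes that are
    # verified are exactly the bytes that run (the original cannot be
    # swapped between the check and the execution).
    snap=$(mktemp) || return 126
    cat -- "$script" > "$snap" || { rm -f "$snap"; return 126; }

    rc=0
    if openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$snap" \
            >/dev/null 2>&1; then
        # Signature is valid and made by the declared key: run the snapshot.
        sh "$snap" "$@" || rc=$?
    else
        # Case 2: signature does not verify, or was made by another key.
        echo "refused: bad signature on $script" >&2
        rc=126
    fi
    rm -f "$snap"
    return $rc
}
```

A wrapper like this only enforces anything if unsigned paths to the interpreter are closed off, which is the role the message assigns to the kernel's fingerprint check.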