| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LRH.2.21.1906281552350.26685@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.inter>
Date: Fri, 28 Jun 2019 16:27:28 -0700 (PDT)
From: Jaskaran Singh Khurana <jaskarankhurana@...ux.microsoft.com>
To: Eric Biggers <ebiggers@...nel.org>
cc: linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-fsdevel@...r.kernel.org, agk@...hat.com, snitzer@...hat.com,
dm-devel@...hat.com, jmorris@...ei.org, scottsh@...rosoft.com,
mpatocka@...hat.com, gmazyland@...il.com
Subject: Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig
validation.
Hello Eric,
On Fri, 28 Jun 2019, Eric Biggers wrote:
>> In a datacenter like environment, this will protect the system from below
>> attacks:
>>
>> 1.Prevents attacker from deploying scripts that run arbitrary executables on the system.
>> 2.Prevents physically present malicious admin to run arbitrary code on the
>> machine.
>>
>> Regards,
>> Jaskaran
>
> So you are trying to protect against people who already have a root shell?
>
> Can't they just e.g. run /usr/bin/python and type in some Python code?
>
> Or run /usr/bin/curl and upload all your secret data to their server.
>
> - Eric
>
You are correct, it would not be feasible for a general purpose distro,
but for embedded systems and other cases where there is a more tightly
locked-down system.
Regards,
Jaskaran.
Powered by blists - more mailing lists