Re: md5sums files

On Wed, Mar 03, 2010 at 03:16:08PM +0100, Bernhard R. Link wrote:
> * Harald Braumann <harry@unheit.net> [100303 14:49]:
> > But it would be great if the whole chain, from beginning to end, was
> > secured, even against malicious and presumably very powerful attackers.
> Checksums for files coming from packages are not really useful to defend
> against attackers (it's really only reliability and not security):
> - an attacker can just divert any binary away and put its own there.
It's not about preventing an attack, but detecting it. With cryptographically
strong hashes/signatures in place, you can audit the system. Of course you'd 
have to boot from a trusted medium. How would you do that without signatures?

> - an attacker can just add some additional binary where it will override
>   another one (/sbin overriding /usr/sbin and so on).
> - an attacker can add things to configuration and startup files
>   (thanks to .d directories you often do not even need to change, but only
>   to add files), including search binary or library paths, so one could
>   add binaries or behaviour changing libraries in directories not
>   looking that suspicious.
Yes, a full IDS needs additional work. It would have to check for files
without hashes/signatures and would have to allow you to hash and sign
files in /etc, /usr/local, /opt, whatever.

> Most of those things can perhaps be fixed, but it needs much more work
> than just replacing some hash. (And many of those tasks might also
> improve other areas, like http://packages.debian.org/cruft, which also has
> the problem that packages create so many files and there is no way a
> package can tell such programs where they are.)
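
The audit described in this exchange (verify listed files against strong hashes, and additionally flag files that no manifest covers, such as a snippet dropped into a .d directory), as an added example that is not part of the thread and not Debian's own tooling. It assumes a manifest in the same "<hash>  <path>" layout as dpkg's *.md5sums files but computed with SHA-256, and builds a constructed miniature root tree in a temporary directory to tamper with. Names such as audit(), build_manifest() and the sample paths are illustrative. As the reply notes, the result is only trustworthy if the kernel and tools doing the hashing are themselves trusted (boot from a trusted medium, mount the suspect root read-only) and the manifest comes from a signed or off-host copy rather than from the audited disk.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Hash a file with SHA-256; MD5 is adequate for reliability checks, not for tamper detection."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<hex>  <relative path>' lines (the layout of dpkg's *.md5sums) into a dict."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, relpath = line.partition("  ")
        entries[relpath] = digest
    return entries


def build_manifest(root):
    """Record every regular file under root; stands in for a manifest taken at install time."""
    lines = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            lines.append(f"{sha256_file(full)}  {os.path.relpath(full, root)}")
    return "\n".join(sorted(lines)) + "\n"


def audit(root, manifest):
    """Compare the tree under root against manifest.

    Returns (modified, missing, untracked):
      modified  - listed files whose current hash differs (a diverted or replaced binary)
      missing   - listed files no longer on disk
      untracked - regular files with no manifest entry at all (e.g. a dropped-in
                  .d snippet), which a plain per-package md5sums check never looks at
    """
    modified, missing = [], []
    for relpath, expected in sorted(manifest.items()):
        full = os.path.join(root, relpath)
        if not os.path.isfile(full):
            missing.append(relpath)
        elif sha256_file(full) != expected:
            modified.append(relpath)
    untracked = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest:
                untracked.append(rel)
    return modified, missing, sorted(untracked)


def _write(root, relpath, data):
    full = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario (hypothetical paths): build a tiny root, take a manifest, tamper, audit."""
    root = tempfile.mkdtemp()
    try:
        _write(root, "usr/sbin/service", b"#!/bin/sh\nexec /usr/lib/real-service \"$@\"\n")
        _write(root, "etc/ld.so.conf.d/libc.conf", b"/usr/lib/x86_64-linux-gnu\n")
        _write(root, "usr/share/doc/README", b"docs\n")
        manifest = parse_manifest(build_manifest(root))

        # Simulated attacker: trojan the binary, drop a new ld.so.conf.d snippet
        # (nothing needs to be changed, only added), and delete a file.
        # None of this is prevented; the point is that all three are detected.
        _write(root, "usr/sbin/service",
               b"#!/bin/sh\n/var/tmp/.x &\nexec /usr/lib/real-service \"$@\"\n")
        _write(root, "etc/ld.so.conf.d/zz-local.conf", b"/var/tmp/.lib\n")
        os.remove(os.path.join(root, "usr/share/doc/README"))

        return audit(root, manifest)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    modified, missing, untracked = demo()
    print("modified :", modified)
    print("missing  :", missing)
    print("untracked:", untracked)
```

The untracked list is what turns a package checksum into something closer to the IDS the reply asks for: files in /etc, /usr/local or /opt that an administrator wants covered get added to the manifest and signed, and anything else on disk is reported rather than silently ignored.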

