[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Keeping files away from users - THANKS!!

Good evening (here in Spain) to all of you.

I want to sincerely thank you all for the great feedback received on this 
topic. I would never have expected to receive some 20 answers in such a short 
time! Let me take my time to write your names, because you deserve it:
Thank you Dariush, Adam, Marcel, Lars, Thomas, Peter, Harry, Koba, Ross, 
Adrian, and all the others who read the mail.

We've seen lots of interesting points, some of which I'll comment now:

- REMOTE PASSWORD SERVER. It avoids me from having to hardcode the cipher key 
somewhere in the filesystem, but presents two handicaps: What if they lose 
connection to the Net? and What if they put the HD in another machine, remove 
the root password, and put it back in the original machine? By doing this, 
the system would boot normally, would get the cipher key and mount the 
protected contents, and later they could login as root and access those 
contents.

- CIPHER KEY BASED ON THE HARDWARE. They can still remove the root password 
and boot the drive again with its original hardware. Moreover it has the 
disadvantage of having to recalculate the password and recipher the container 
if any hardware component changes. I still have to study Marcel's point about 
Palladium.

- MANUALLY ENTER THE PASSWORD LOGGING REMOTELY WHEN SYSTEM BOOTS UP. This one 
introduces the sixth sense of the sysadmin (i.e., me) who could take a look 
around before entering the pass (check that /etc/passwd is untouched, noone 
is logged in...). Even in that case the machine could have been trojanized, 
although we could check that point with software packages such as Tiger or 
Samhain (eh Javier!! ;D ) making it more difficult for a potential intruder 
to neutralize all of our monitoring tools.

- TEMPORARILY MOUNT, LET PROGRAMS READ FILES INTO MEMORY, THEN UNMOUNT. 
Unfortunately this one isn't possible, as the protected data won't be config 
files for services, but rather .html and .php pages which need to be accessed 
very often. It was a good point, I must say.

Other interesting things to look at:

- LICENSING ISSUES. As Peter Cordes commented, the kernel is GPL so if we 
integrate code into it, we cannot provide a binary-only version, we should 
also give away the sources (or use modules, but we want a monolythic kernel 
for obvious security reasons). However I don't see the problem in thinking of 
something like this, implementing it, documenting, giving away to the 
community... and later configuring it for our particular needs, so that a 
client cannot (initially, at least) break it.

I have to leave right now, and I'm taking a copy of this mail to discuss it 
with my colleagues. Will continue writing on the topic later or tomorrow, 
probably.

Again, thanks to all for your great pieces of advice

Yours

	The Pope - Luis Gomez

-- 
Luis Gomez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
lgomez@infoemergencias.com

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc
Reply to: