- 01-20-2014 #1
- Join Date
- Dec 2011
Any way I can make Linux only run signed code?
It does not have to be signed by the author; it can be signed by me.
Can we do that? Is it of any practical security benefit?
- 01-20-2014 #2
- Join Date
- Dec 2013
Signed code is a failed effort of Microsoft to convince the buying public that they were trying to make their OS safe. Linux, and UNIX in general, has a structure that makes it difficult for malevolent code to do damage. Much software is available through package repositories that are safe to use, and as long as you're careful what you run as root, software effectively runs in a sandbox defined by file and directory permissions. Software packages often are "signed" if you like, when downloaded from trusted sources by a hash identity string which can be tested using something like md5sum. This provides some assurance that the contents are as they were when packaged by the source. However, there is no corollary to the MS signing fiasco.
If you were concerned that the machine you are using, for some reason, might have the software altered, you could use a hashing algorithm and store the known hashes of the software somewhere safe, then check that the binary hadn't changed before being executed. This could also be a guard against self-modifying code, I suppose. Better to simply practise safe computing, I'd suggest.
- 01-20-2014 #3
- Join Date
- Apr 2009
- I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
Pretty well put. Signing only helps when installing software on Linux systems. It is of zero use when running already installed applications. You can use checksum generating programs such as md5sum, sha256sum, etc. to verify that the application you are running is the same as what you installed, but this isn't something you would do automatically when running them, unless the OS supports that capability, which no-one does afaik...
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
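Replies #2 and #3 both describe the same user-space approach: record the known hashes of trusted binaries somewhere safe, then compare before running. The script below is an added illustration of that approach (it is not code posted in this thread). It assumes coreutils `sha256sum` is available; the manifest path, the `tool.sh` file and its contents are constructed for the demo, and the demo tampers with its own file to show the check refusing to run it.

```shell
#!/bin/sh
# Added example, not from the thread: a user-space "known-hash" gate.
# A manifest of SHA-256 digests is written once from a trusted state;
# run_if_known refuses to execute anything whose current digest is absent.
# Assumptions: coreutils sha256sum; MANIFEST is a constructed location.

MANIFEST="${MANIFEST:-./known-hashes.sha256}"

# digest_of FILE -> prints the SHA-256 hex digest of FILE
digest_of() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# record FILE: append "digest  path" to the manifest (run from a trusted state only)
record() {
    printf '%s  %s\n' "$(digest_of "$1")" "$1" >> "$MANIFEST"
}

# is_known FILE -> exit 0 if FILE's current digest and path are listed in the manifest
is_known() {
    d=$(digest_of "$1") || return 1
    grep -qF -- "$d  $1" "$MANIFEST"
}

# run_if_known FILE [ARGS...]: execute FILE only if is_known; otherwise refuse.
# Returns the program's exit status when run, 2 when blocked.
run_if_known() {
    f="$1"; shift
    if is_known "$f"; then
        "$f" "$@"
    else
        echo "refusing to run $f: digest not in manifest" >&2
        return 2
    fi
}

# demo: a constructed script is recorded while trusted, then modified.
# Prints the two exit statuses: "0 2" (ran before tampering, blocked after).
demo() {
    dir=$(mktemp -d)
    MANIFEST="$dir/known-hashes.sha256"
    tool="$dir/tool.sh"
    printf '#!/bin/sh\necho hello\n' > "$tool"
    chmod +x "$tool"
    record "$tool"
    if run_if_known "$tool" >/dev/null 2>&1; then before=0; else before=$?; fi
    printf '#!/bin/sh\necho tampered\n' > "$tool"   # simulated modification
    if run_if_known "$tool" >/dev/null 2>&1; then after=0; else after=$?; fi
    rm -rf "$dir"
    echo "$before $after"
}
```

Two caveats a practitioner would want alongside reply #2's "somewhere safe": the manifest must be protected at least as well as the binaries (read-only, or kept off the host), and a check like this only covers what is launched through it, so shared libraries, interpreters and anything executed directly are outside its view. It is a manual integrity check, not the OS-enforced signing the question asks about.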