Re: FC12: Hidden files in /usr/bin/*

Przemek Klosowski <przemek.klosowski@xxxxxxxx> writes:
> On 01/22/2010 11:11 AM, Ralf Corsepius wrote:
>> Does it really mandate polluting /usr/bin and thus $PATH?

> OK, I see, you don't object to the checksums in principle, just to the 
> location of the files. I don't believe that FIPS requires a specific 
> location for the checksums---it's just that they are to be found 
> somewhere. I can see two possible solutions:

> - fipscheck looks for the checksum in some standard location, for 
> instance /lib/lib64/hmac/usr/bin/xyz, similar to how it was done in RHEL5

> - we find a way to stick the checksum in the executable itself, either 
> by being clever about computing a checksum that will agree with the 
> executable AFTER the checksum is written in (I have no idea how to do 
> that) or by excluding the checksum field from the checksum calculation.

I'm far from an expert in this, but I thought the intent of the FIPS
standard here was to check the executables against some *separately
stored* validation information.  Standard or not, your second suggestion
seems rather pointless --- an embedded checksum is 100% useless from any
security perspective, since someone who could modify the file could
change the checksum too.  (I'm assuming it's just a checksum and not
any sort of digital signature.)

The separate /lib directory tree seems the way to go, to me.  That way
the checksum files could be named the same as what they check, no magic
needed.

			regards, tom lane
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
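The separately stored verification data Tom argues for, as an added example that is neither fipscheck's code nor any poster's: an HMAC-SHA256 per file, kept under a mirror tree like the /lib64/hmac layout Przemek mentions and checked before use. The key, the mirror root and the sample "binary" are constructed assumptions, not fipscheck's real values.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed key, NOT fipscheck's. Because the checker's key is a fixed
# constant, this scheme detects corruption of the file or its .hmac, not
# tampering by someone who can rewrite both.
KEY = b"example-key-not-fipscheck"


def file_hmac(path: str, key: bytes = KEY) -> str:
    """HMAC-SHA256 over the whole file, hex encoded."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def hmac_path(hmac_root: str, exe_path: str) -> str:
    """Mirror the absolute path under the root, so the reference for
    /usr/bin/xyz lives at <hmac_root>/usr/bin/xyz.hmac."""
    return os.path.join(hmac_root, os.path.abspath(exe_path).lstrip("/") + ".hmac")


def store_hmac(hmac_root: str, exe_path: str) -> str:
    out = hmac_path(hmac_root, exe_path)
    os.makedirs(os.path.dirname(out), exist_ok=True)
    with open(out, "w") as f:
        f.write(file_hmac(exe_path) + "\n")
    return out


def verify(hmac_root: str, exe_path: str) -> bool:
    """Fail closed: a missing or mismatching reference value is a failure."""
    try:
        with open(hmac_path(hmac_root, exe_path)) as f:
            expected = f.read().strip()
    except FileNotFoundError:
        return False
    return hmac.compare_digest(expected, file_hmac(exe_path))


def demo() -> tuple:
    """Constructed sample under a temp root: returns (ok_before, ok_after)
    where the file is altered by one byte between the two checks."""
    with tempfile.TemporaryDirectory() as root:
        exe, hroot = os.path.join(root, "bin", "xyz"), os.path.join(root, "hmac")
        os.makedirs(os.path.dirname(exe))
        with open(exe, "wb") as f:
            f.write(b"\x7fELF constructed fake binary")
        store_hmac(hroot, exe)
        ok_before = verify(hroot, exe)
        with open(exe, "ab") as f:
            f.write(b"\x90")  # simulate corruption or modification
        return ok_before, verify(hroot, exe)
```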
