[Linux-aus] Stand up for Linux. Stop Microsoft killing Desktop Linux.

Russell Coker russell at coker.com.au
Sat Sep 24 00:24:32 EST 2011


On Fri, 23 Sep 2011, Adam Nielsen <a.nielsen at shikadi.net> wrote:
> I for one would gladly sign my newly compiled Linux kernel for the
> increased security it could offer.  Having recently had to clean up a
> rootkit, I look forward to the day when I can set my system up so that
> even root can't run binaries unless they've been signed by my distro.

Having a signed kernel and initrd which then load a signed root filesystem is 
a plausible goal.

Having root not be able to damage the system doesn't seem plausible unless you 
define root to be something very different to the "do anything anywhere" 
definition that usually applies.

Modifying the kernel and dynamic loader to not support unsigned binaries is 
possible.  But then you have to deal with all manner of interpreters.  It 
might be possible to have a usable system where Perl doesn't execute arbitrary 
code (execution of code on stdin being disabled and signature checks on files 
on disk).  But it doesn't seem possible to do that with /bin/sh.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
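
The gap between the kernel's exec path and an interpreter reading a file, as an added example that is not part of the original message. The missing execute bit is an assumption standing in for a missing signature, since both are checked only when a file is handed to execve(); the file and function names are constructed.

```shell
#!/bin/sh
# Added example. A file without the execute bit stands in for an unsigned
# file: the kernel enforces both only on the file passed to execve().

make_script() {          # constructed sample: a shell script with mode 0644
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho script-ran\n' > "$dir/job.sh"
    chmod 0644 "$dir/job.sh"
    echo "$dir/job.sh"
}

run_direct() {           # kernel exec path: execve() on the file itself
    "$1" 2>/dev/null || echo "refused-by-kernel"
}

run_as_argument() {      # interpreter path: the file is only opened for reading
    sh "$1"
}

run_from_stdin() {       # interpreter path: no file on disk is involved at all
    echo 'echo script-ran' | sh
}

report() {
    s=$(make_script)
    echo "direct exec   : $(run_direct "$s")"
    echo "sh <file>     : $(run_as_argument "$s")"
    echo "code on stdin : $(run_from_stdin)"
    rm -rf "$(dirname "$s")"
}

report
```

Run on a system with exec-time signature enforcement, the same three calls show which of these paths the policy actually covers.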


