FC12: Hidden files in /usr/bin/*
Tom Lane
tgl at redhat.com
Fri Jan 22 19:03:43 UTC 2010
Przemek Klosowski <przemek.klosowski at nist.gov> writes:
> On 01/22/2010 11:11 AM, Ralf Corsepius wrote:
>> Does it really mandate pollution /usr/bin and thus $PATH?
> OK, I see, you don't object to the checksums in principle, just to the
> location of the files. I don't believe that FIPS requires a specific
> location for the checksums---it's just that they are to be found
> somewhere. I can see two possible solutions:
> - fipscheck looks for the checksum in some standard location, for
> instance /lib/lib64/hmac/usr/bin/xyz, similar to how it was done in RHEL5
> - we find a way to stick the checksum in the executable itself, either
> by being clever about computing a checksum that will agree with the
> executable AFTER the checksum is written in (I have no idea how to do
> that) or by excluding the checksum field from the checksum calculation.
I'm far from an expert in this, but I thought the intent of the FIPS
standard here was to check the executables against some *separately
stored* validation information. Standard or not, your second suggestion
seems rather pointless --- an embedded checksum is 100% useless from any
security perspective, since someone who could modify the file could
change the checksum too. (I'm assuming it's just a checksum and not
any sort of digital signature.)
The separate /lib directory tree seems the way to go, to me. That way
the checksum files could be named the same as what they check, no magic
needed.
regards, tom lane
More information about the devel
mailing list