Life in an insecure world

C. Scott Ananian cscott at
Mon Feb 9 15:34:40 EST 2009

On Wed, Feb 4, 2009 at 2:18 PM, John Watlington <wad at> wrote:
> Is this really true ?   If you've removed /versions, how does alt-boot
> find the other image ?

It "could be true".  It's easy to remove /versions from the namespace
of the kernel/shell/etc.
It just makes it more difficult to perform the upgrade, since the
upgrader needs to manipulate /versions.  You could either (a) mount
/versions read-only (easy, but just requires a malicious user to
'mount -o rw,remount /versions ; /bin/rm -rf /'), or (b) mediate
upgrades via the trusted 'oats' daemon (pid 1), which alone has access
to the /versions tree.  This was Ivan's original design, but Michael
and I never really worked out how rainbow trusted communication was
supposed to work.  IIRC the update protocol does have a separately
signed credential which Sugar can pass to oats to assert that the
requested update action is valid/trusted.

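An added illustration of option (b) above, not code from this thread or from OLPC: a mediator that alone touches a (simulated) /versions tree and acts only on a credential it can verify. The credential format, the use of HMAC-SHA256 in place of the update protocol's real signature, and the demo key are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import re
import time

# Constructed demo key (assumption). In the design described above the
# verification key would live only in the trusted daemon, so Sugar can
# present a credential it was given but cannot mint one of its own.
TRUSTED_KEY = b"constructed-demo-key"
ALLOWED_ACTIONS = {"install", "activate", "remove"}
VERSION_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")   # no '/' or '..'

def sign_credential(key, action, version, expires):
    """Issue a credential (hypothetical format) for one update action."""
    body = json.dumps({"action": action, "version": version,
                       "expires": expires}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_credential(key, body, tag, now):
    """Return the credential dict if MAC, action, name and expiry all check out."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    cred = json.loads(body)
    if cred.get("action") not in ALLOWED_ACTIONS:
        return None
    if not VERSION_NAME.match(str(cred.get("version", ""))):
        return None
    if cred.get("expires", 0) < now:
        return None
    return cred

class VersionsMediator:
    """Stands in for the daemon that alone may touch the /versions tree."""
    def __init__(self, key):
        self._key = key
        self.versions = {"build-1": "active"}   # simulated /versions contents

    def request(self, body, tag, now=None):
        now = time.time() if now is None else now
        cred = verify_credential(self._key, body, tag, now)
        if cred is None:
            return "rejected"            # unsigned, forged, expired or malformed
        action, version = cred["action"], cred["version"]
        if action == "install":
            self.versions.setdefault(version, "staged")
        elif action == "activate" and version in self.versions:
            self.versions = {v: ("active" if v == version else "staged")
                             for v in self.versions}
        elif action == "remove" and self.versions.get(version) == "staged":
            del self.versions[version]   # the active image is never removable
        else:
            return "rejected"
        return "ok"
```

The mediator never exposes a raw write path, so a caller with a shell cannot do the remount-and-rm trick from option (a); it can only ask for one of three named actions, each bounded by a credential it cannot forge.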

More information about the Devel mailing list