Life in an insecure world
C. Scott Ananian
cscott at laptop.org
Mon Feb 9 15:34:40 EST 2009
On Wed, Feb 4, 2009 at 2:18 PM, John Watlington <wad at laptop.org> wrote:
> Is this really true ? If you've removed /versions, how does alt-boot
> find the other image ?
It "could be true". It's easy to remove /versions from the namespace
of the kernel/shell/etc.
It just makes it more difficult to perform the upgrade, since the
upgrader needs to manipulate /versions. You could either (a) mount
/versions read-only (easy, but just requires a malicious user to
'mount -o rw,remount /versions ; /bin/rm -rf /'), or (b) mediate
upgrades via the trusted 'oats' daemon (pid 1), which alone has access
to the /versions tree. This was Ivan's original design, but Michael
and I never really worked out how rainbow trusted communication was
supposed to work. IIRC the update protocol does have a separately
signed credential which Sugar can pass to oats to assert that the
requested update action is valid/trusted.
( http://cscott.net/ )
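An added illustration of option (b) above, written for this page and not taken from OLPC's oats or rainbow code: an unprivileged caller never touches the versions tree itself but hands a signed credential to a privileged broker, which performs only the single action the credential names. The credential layout, the HMAC stand-in for the real signature scheme, the `VersionsBroker` class and its in-memory "versions tree" are all assumptions for the example.

```python
import hashlib
import hmac
import json

# Constructed demo secret standing in for the update service's signing key.
# A real deployment would use a public-key signature so the broker holds no
# secret that could mint credentials; HMAC keeps this example stdlib-only.
UPDATE_KEY = b"constructed-demo-signing-key"


def sign_credential(key: bytes, action: str, build: str, expires_at: int) -> str:
    """Issue a credential authorising exactly one (action, build) pair."""
    body = json.dumps(
        {"action": action, "build": build, "exp": expires_at},
        sort_keys=True, separators=(",", ":"),
    )
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


class VersionsBroker:
    """Privileged broker (hypothetical): the only component that writes the tree.

    Callers never name paths or commands; they hand over a credential and the
    broker performs only the action it authorises, so a caller with full
    control of its own namespace still cannot reach the tree directly.
    """

    ALLOWED_ACTIONS = frozenset({"install", "activate"})

    def __init__(self, key: bytes, now: int):
        self._key = key
        self._now = now
        # In-memory stand-in for /versions (constructed sample state).
        self.current = "build-801"
        self.installed = {"build-801"}
        self.audit = []

    def _reject(self, reason: str) -> bool:
        self.audit.append(("reject", reason))
        return False

    def handle(self, credential: str) -> bool:
        # 1. Authenticate before interpreting: an unsigned or tampered body
        #    is dropped before json.loads ever sees it.
        body, sep, tag = credential.rpartition(".")
        if not sep:
            return self._reject("malformed credential")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return self._reject("bad signature")
        try:
            req = json.loads(body)
        except ValueError:
            return self._reject("unparseable body")
        # 2. Check freshness and that the action is one the broker implements.
        if req.get("exp", 0) < self._now:
            return self._reject("expired")
        action, build = req.get("action"), req.get("build")
        if action not in self.ALLOWED_ACTIONS or not isinstance(build, str):
            return self._reject("unauthorised action")
        # 3. Perform the narrowly scoped action; nothing else is reachable.
        if action == "install":
            self.installed.add(build)
        elif action == "activate":
            if build not in self.installed:
                return self._reject("build not installed")
            self.current = build
        self.audit.append(("ok", action, build))
        return True


if __name__ == "__main__":
    broker = VersionsBroker(UPDATE_KEY, now=1000)
    broker.handle(sign_credential(UPDATE_KEY, "install", "build-802", 2000))
    broker.handle(sign_credential(UPDATE_KEY, "activate", "build-802", 2000))
    broker.handle(sign_credential(UPDATE_KEY, "remove", "build-801", 2000))
    print(broker.current, broker.audit)
```

The point of the split is that the broker exposes a verb set, not a filesystem: a caller that can remount its own view of the tree gains nothing, because the writable tree only exists inside the broker, and every accepted action leaves an audit record that a detection pipeline can consume.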