Security :: Only Executing Signed Code?
Feb 23, 2011
build a Linux environment in which only "signed" processes are allowed to run. When I say signed I don't mean a VeriSign etc. signature like you know it from Windows, but I mean signed by myself. I.e. I choose the software allowed to run, sign it, and then want to deny any other processes to run.
If it is somehow possible I'd like to extend this even to scripts and the kernel (i.e. no unsigned modules can be loaded).
Does anyone have a good idea how to solve this problem?
The bad thing is: I'm pretty fine with coding stuff myself in C, but have absolutely 0 experience or knowledge in kernel (module)-programming.
Any tips, links, literature
One approach I came up with (just a rough idea at the moment):
Linux starts new processes with a fork-and-exec-combination. I therefore wonder if it is possible to change exec() in such a way that it will only execute signed programs
View 5 Replies
Jan 28, 2011
Slipping some (non-root) user a piece of malignant code that he or she executes might be considered as one of the highest security breaches possible. (The only higher I can see is actually accessing the root user) What can an attacker effectively do when he/she gets a standard, (let's say a normal Ubuntu user) to execute code? Where would an attacker go from there? What would that piece of code do?
Let's say that the user is not stupid enough to be lured into entering the root/sudo password into a form/program she doesn't know. Only software from trusted sources is installed. The way I see it there is not really much one could do, is there?
Addition: I partially ask this because I am thinking of granting some people shell (non-root) access to my server. They should be able to have normal access to programs. I want them to be able to compile programs with gcc. So there will definitely be arbitrary code run in user-space...
View 2 Replies
Oct 14, 2010
am trying to upload packages to a PPA (packages that contain custom "sources.list"s designed to make upgrades or downgrades between Ubuntu releases easier) and, even after going through all that work to manually generate a key and sign them with gpg, dput still rejects them as "not signed".
View 3 Replies
Apr 5, 2010
Has anyone set up a system to only allow digitally signed (i.e. approved USB disk drives) to be used on a Linux System?
View 1 Replies
Feb 11, 2011
When I do a "openssl x509 -in server1.pem -issuer -noout" after I've supposedly signed it with the CA, the issuer is, for some reason, the DN string of server1. If server1 generated the CSR, and it is coming up as issued by server1, doesn't that indicate a self signed cert? How could the CA be producing a cert that has an issuer of another server? Am I just completely off base? Sorry, I'm a bit of a newb with the SSL pieces.
I hope this is the right place for this, but I'm having some difficulty using the java keytool and OpenSSL tool on a Solaris system.
I have a server (CA server) with OpenSSL installed that I would like to use as a Certificate Authority. The second server (server1) is a WebLogic server with JDK 1.6.0_21. I'm trying to configure it to use a certificate that has been signed by server1.
For some reason it keeps giving me this error when I try to import the signed SSL certificate: keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Am I doing something wrong in this whole process?
1) Generate the Private Key for the CA server
openssl genrsa -out CA.key -des 2048
2) Generate the CSR on the CA
openssl req -new -key CA.key -out CA.csr
3) Sign the new CSR so that it can be used as the root certificate
openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 730 -req -in CA.csr -out CA.pem -extfile /usr/local/ssl/openssl.cnf
4) On server1, create Server Private Key KeyStore
keytool -genkey -alias server1 -keysize 2048 -keyalg RSA -keystore server1.jks -dname "CN=server1.domain.com,OU=Organization,O=Company,L=City,ST=State,C=US"
5) On server1, create a CSR from the recently created Private Key
keytool -certreq -alias server1 -sigalg SHA1WithRSA -keystore server1.jks -file server1.csr
6) Transfer the CSR over to the CA (server1) so that it can be signed
openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 365 -req -in server1.csr -out server1.pem -extfile /usr/local/ssl/openssl.cnf
7) Transfer CA Public Cert to server1 and Import into keytool
keytool -import -trustcacerts -alias CA_Public -file CA.pem -keystore server1.jks
8) Import recently signed CSR to app server keystore (This is where I receive the error)
keytool -import -trustcacerts -alias server1 -file server1.pem -keystore server1.jks
View 1 Replies
Nov 2, 2010
I have an application, probably cpu-intensive because sometimes it leaves the cpu with 0% idle (in top). Sometimes it hangs ("Done" does not print) when executing this part, but most of the time it executes just fine. Is there anything wrong with this code?
View 2 Replies
Apr 7, 2011
I'm still a bit confused about the standard way of removing it for left-associative operators: [URL] Especially about how to construct an AST from it by executing a piece of code for every nonterminal matched. And I'm still not totally convinced that it will be left-associative, I just barely understand it. Also, how would you remove left-recursion for something like this:
Code:
expr ::= expr "(" param_list ")"
| other stuff...?
View 8 Replies
Jul 18, 2010
To reset a Facebook password, Facebook sends a code by e-mail. Can this code be sniffed by sniffing software?
View 2 Replies
Mar 1, 2011
if I executed a Windows Virus in the program "Wine" in Ubuntu.
View 9 Replies
Apr 13, 2011
this is the alert i got:
Code:
Summary:
Your system may be seriously compromised! /usr/sbin/NetworkManager tried to load a kernel module.
Detailed Description:
SELinux has prevented NetworkManager from loading a kernel module. All confined programs that need to load kernel modules should have already had policy written for them. If a compromised application tries to modify the kernel this AVC will be generated. This is a serious issue. Your system may very well be compromised.
Allowing Access:
Contact your security administrator and report this issue.
Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:system_r:NetworkManager_t:s0
Target Objects None [ capability ]
[code]....
View 5 Replies
May 5, 2010
Google just announced the release of Jarlsberg, a microblogging app specifically designed to be full of bugs and security flaws. The app is being released through Google Labs and Google Code University as a security tutorial for coders. Google is encouraging programmers to try their hands at exploiting weaknesses in Jarlsberg as a way of teaching them how to avoid similar vulnerabilities in their own code.
View 1 Replies
May 14, 2010
I am trying to find the source code behind mkpasswd which I apt-getted from universe. I am trying to code a similar app in Java and want to see how the salt is implemented in the /etc/shadow file.
But I just can't seem to find any source about that particular program...
View 2 Replies
Aug 18, 2010
i've been looking around on the web as well as here on the forums for a cain and abel source code or a dpkg if i'm lucky LOL. It's getting to be a pain in the butt to go from ubu to my win7 partition for other security tools... I'm trying to look good for an internship here and this is getting to be a pain in the butt. Some people have said in outside forums there is source code and i have build-essentials installed so i figured i'd try that but i'm sitting here at almost 1am still trying to find it!
View 3 Replies
Jul 15, 2011
I just created an rpm and went to install it on another fc12 vm - it said the package was not signed. I searched on this and one place said to edit the yum.conf file to:
gpgcheck=0
View 2 Replies
Apr 28, 2011
I'm using a hp dualprocessor athlon 11 g42-415dx notebook pc and my wireless won't work. I put the passcode in wicd program and it says bad password. So I tried the pin code on the wireless router and that didn't work, so am I doing something wrong or is there something wrong with the hardware? I got the wired connection to work but can't get wireless, it's a little more complex.
View 1 Replies
Feb 9, 2010
how to write secure code for bash scripts in general? Strangely I didn't find anything in google and in the forum so far. If someone here is willing to review a bash script for me (about 600 lines).
View 6 Replies
May 16, 2011
How can I add self-signed certificates to e.g: Google Chrome under Linux (from the command line)?
View 1 Replies
Jul 22, 2009
I have a server which I use for mail:
[URL]
The above is the machine's actual FQDN. Now because I also use it as a web server to access my website and webmail, I have a pointer record with my domain registrar to also forward all [URL] to the same IP as [URL]. When I generate an SSL self-signed certificate for my server, do I generate one for [URL] or [URL]?
View 2 Replies
Nov 19, 2009
I just read that in fc12 you can install signed packages without root password?
View 1 Replies
Dec 30, 2010
Solving issues with signed and unsigned numbers in BASH. For a start, Yes, BASH is type independent - I know that. My problem lies in catching executables' output into a BASH variable. My executables are not quite UNIX compatible, where returned values are 0 for OK, >0 ERROR. They return 0 for OK, >0 WARNING (only, so move on) and <0 ERROR (abort) instead.
Code:
// C++ BIN A
int main(){
[code]...
View 4 Replies
Jan 14, 2011
Updating my install of OpenSUSE from 11.0 to 11.3 and notice that the Nagios network monitor can no longer probe servers with self signed certs. It appears to be any monitor that used openssl 1.0.0 has an issue. If I install the openssl 0.9.8 libraries and use old plugins linked against it, they work fine.
View 9 Replies
Mar 21, 2011
When I tried to install LibreOffice 3.3_64 on my Fedora14_64 I received the following error:
Package libobasis3.3-extension-pdf-import-3.3.1-8.x86_64.rpm is not signed
Has anyone run into this? Is there a way to fix this?
View 2 Replies
Dec 27, 2010
Things beyond my control are causing me to rush a bit in getting the website moved. I'm working hard to try and get it done, but something else has come up that SSL Certificate. I know that our website's "basket" area is protected by an SSL certificate to ensure customer information, especially credit info, is secure. With the move to Amazon's service, it looks like I may need to create our own self-signed SSL certificate to ensure the basket area remains secure.
I have found guides that walk through how to make one yourself and configuring apache to allow it, but something else has come to mind. The guides I found don't really indicate where the SSL certificate goes afterwards, and also doesn't suggest which sections should be governed by the certificate (as only the basket section uses it, not anything else). How would I find out that information?
View 1 Replies
Feb 17, 2010
I have a Server with Webmin, Usermin and Sendmail using pop3s. I have created a self signed certificate using webmin. Exported it and imported it to the trusted root certification authorities on my client. This fixes the warning message from internet explorer when attempting making a ssl connection to webmin. When attempting to use usermin or retrieving mail I get that warning that this site's certificate is self signed. I look at the certificate and it's not the same as the one I created with webmin. My question is: is it possible to have the same certificate be used by each?
View 6 Replies
Sep 2, 2010
I'm looking to edit my grub.cfg file to add the "pci=routeirq" code to the kernel line so I can configure my modem in Ubuntu. I'm happy with assigning a temporary permission to myself over the root file so I don't accidentally alter it later.
View 3 Replies
Mar 30, 2011
I need to rewrite the selenium java code into its equivalent php code.
View 5 Replies
Jun 24, 2011
I've got an uber simple test mail script in php on my awesome new dev machine running Ubuntu:
PHP Code:
Unfortunately, something is preventing mail delivery. I can't tell from this error log whether it's the remote machine rejecting me or whether it's my machine rejecting the self-signed cert on the remote machine:
Code:
I'm wondering what I could change in my postfix configuration to remedy this problem.
I tried setting smtp_tls_security_level = may = may but this did not change anything.
View 10 Replies
Aug 24, 2010
I run a web server on Fedora 12, principally using Apache, MySQL, and PHP. I host a variety of sites, one of which is a family website that contains semi-sensitive personal data for several hundred extended family members, who all have access to the database-driven site.
Until now, I have been using a self-signed SSL certificate to encrypt the data as it is read and written back and forth from my database. Family members have simply had to put up with clicking past certificate warnings as they enter the site, as most browsers flag self-signed certificates as bad. It hasn't really been that much of a bother, but I'd love to do it more professionally. I have looked into buying SSL certificates, but it's a site I host for free and would rather find a cheap or free alternative if possible.
So I'm just fishing for ideas to work with. What are some alternatives to using SSL certificates for moderately strong website encryption? So far, I run only one host on the domain, but may eventually need encryption that would support multiple hosts. Or does anybody know a way to make self-signed certificates work on most popular browsers without being flagged as suspicious?
View 7 Replies
Sep 23, 2010
I have configured yum server on my RHEL 5.x box. I just tried to install a particular RPM which is in fact a reference manual of MySQL. Here is what I did: First, listing the available packages:
Code:
[root@mahadeva ~]# yum list available
Loading "rhnplugin" plugin
[code]....
View 6 Replies
Sep 1, 2011
I am a xfce user. I have a list of wallpapers and I wanted to change them every 5 minutes. Initially I was using a simple command in crontab entry to change it,
Quote:
*/5 * * * * xfdesktop --reload
it was working but it would crash xfdesktop process after few changes and the screen would be all grey. To solve this issue I wrote a simple script which would check if xfdesktop is alive and if yes it would call xfdesktop --reload else start xfdesktop. I called this script idesktop & its path is ~/.bin/idesktop
[Code]....
View 8 Replies