Subject: Re: veriexecgen: removing duplicate files
To: None <elad@NetBSD.org>
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
List: tech-userlevel
Date: 10/30/2006 09:23:21

> YAMAMOTO Takashi wrote:
> >> Hi, currently veriexecgen will create a separate entry in a fingerprintdb file
> >> for hard-links. The attached patch only adds one entry per inode/device number.
> >> Is it safe to use inode/device pairs for this purpose? Comments?
> >
> > what's the point to exclude hardlinks?
>
> just a way to keep files smaller; it doesn't really matter because
> veriexec will handle it okay regardless...
>
> -e.

1. consider the following two are hardlinks of the same binary.
        /bin/foo
        /bin/bar
2. you run fpgen for /bin/*. it creates a db which only contains /bin/foo.
3. someone removes /bin/bar and installs another version of /bin/bar.
4. now the db doesn't cover /bin/bar.

isn't it a problem?
(i don't claim i understand the model of veriexec. :-)

YAMAMOTO Takashi