[Gambas-user] Security, how to check if a library is genuine?

Brian G brian at westwoodsvcs.com
Thu Aug 19 21:29:57 CEST 2021


Question: if your library and application have secure permissions, and the app knows where it and the lib should be,
is it really a problem?
Could the system use and have configured AppArmor/SELinux or the like?

If someone could replace your library, then perhaps they have root permissions and could therefore replace any security-based library down the line... Or just take the info the app is accessing, or just give themselves the correct group permissions...

Maybe I don't really understand the problem well.

"Failure is the key to success; 
 each mistake teaches us something"  .. Morihei Ueshiba
Brian G

----- On Aug 19, 2021, at 5:36 AM, Christof Thalhofer chrisml at deganius.de wrote:

> On 19.08.21 at 08:28, bb wrote:
> 
>> I am working on a non-intrusive authorisation method to see if a user
>> is allowed to run an application. In order to do so they must belong to
>> a specific hardcoded group.
>> It is (currently) implemented as a library. So the actual library
>> "could" be replaced by a user with another library that just returns
>> true.
>> 
>> So, does anyone have a good idea how the application could check
>> whether "authlib" is the genuine library?
> 
> For sure by cryptographically signing the lib's binary. But then you
> need a CA with which you can issue certificates that can be used to
> verify the signature.
> 
> All the best
> 
> Christof Thalhofer
> 
> --
> This is not a signature


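An added example, not part of the thread and not Gambas code: a Python sketch of the two checks discussed above. It audits that the library file and every directory above it can only be changed by root (the permissions point), and compares a pinned SHA-256 digest, which is a simpler stand-in for the CA-backed signature suggested in the quoted reply and not a signature scheme. The function names and the `trusted_uids` parameter are assumptions made for this example.

```python
import hashlib
import hmac
import os
import stat
import sys


def replaceable_by_untrusted(path, trusted_uids=(0,)):
    """Audit `path` and every directory above it.

    Returns a list of findings; an empty list means only the trusted
    UIDs (root by default) can modify or swap the file.
    """
    findings = []
    current = os.path.realpath(path)  # audit the real file, not a symlink
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append(f"{current}: owned by uid {st.st_uid}")
        loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        # A sticky directory (like /tmp) stops non-owners renaming entries.
        sticky = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if loose and not sticky:
            findings.append(f"{current}: writable by group or others")
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return findings
        current = parent


def digest_matches(path, pinned_sha256_hex):
    """Compare the file's SHA-256 with a digest pinned inside the application."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), pinned_sha256_hex.lower())


if __name__ == "__main__":
    # Usage: pass the library path(s) to audit on the command line.
    for lib in sys.argv[1:]:
        for finding in replaceable_by_untrusted(lib):
            print(finding)
```

A digest or signature check made inside the application only adds assurance when the application binary itself passes the same audit.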