VEXEC.CONF(5)             OpenBSD Programmer's Manual            VEXEC.CONF(5)

NAME
     vexec.conf - Vexec configuration file

DESCRIPTION
     vexec.conf is the main database for Vexec fingerprint information. It
     contains lines describing files, their associated fingerprints, and ac-
     cess modes.

     vexec.conf contains lines with fields, separated by one or more
     whitespace characters, in the following form:

           path type fingerprint options

     Where path is the absolute path to the file and fingerprint is a hexadec-
     imal representation of the fingerprint for the file.

     Type is the type of fingerprint used, currently this may be ``MD5'',
     ``SHA1'', ``SHA256'', ``SHA384'', ``SHA512'', or ``RMD160''; but other
     types may be available depending on kernel support.

     Options are the associated options for the executable. Currently there
     are three valid options:

     DIRECT    The file may be executed in any form; no checking is done on
               arguments.

     INDIRECT  If this option is set then the executable cannot be invoked di-
               rectly, and can only be used as an interpreter in scripts
               ("hash-bang"). Arguments are checked for trusted-path if TPE is
               enabled.

     SHELL     This is a mixed option initially added for shells. Executables
               with this flag are allowed both direct and indirect execution,
               since shells are invoked directly for login sessions and in-
               directly for scripts. Their arguments are also checked, so that
               if TPE is enabled it is enforced on shell scripts passed as ar-
               guments to the shell.

     FILE      Indicates that the fingerprint is associated with a regular
               file, not an executable. Files have their fingerprints verified
               during open(2) and are automatically made read only.

     If none of the options is specified, ``DIRECT'' is assumed.

     To allow splitting large databases over several files, the ``include''
     keyword is introduced. It takes the form of:

           include filename

     Where filename is a path to the file to be included. Any path that
     fopen(3) can handle is okay. By default, include depth is limited to 16,
     which should be more than enough.

     Comments start with a `#' character and span to the end of the line.

EXAMPLES
     Below are some examples of entries you could use. Just don't forget to
     generate your own fingerprints!

     Check pathname arguments passed to /bin/sh:

           /bin/sh MD5 b1103a7861f1f5e9f9f4ed4b2c95f1aa SHELL

     Don't run trojanned copies of OpenSSH:

           /usr/bin/ssh MD5 41a0ea2ea0b2b70674110a5a81110e1d

     Make perl available only in scripts:

           /usr/bin/perl MD5 466a8291a48afe74e1782918f889b506 INDIRECT

     Get notified of changes to pf.conf when a ruleset with a bad fingerprint
     is loaded:

           /etc/pf.conf MD5 93427f18bd0097987e35e04a68fd1875 FILE
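     The following is an added example, not part of vexec.conf(5) or of the
     Vexec sources: a small Python parser and verifier for the file format
     described above. It strips comments, follows ``include'' lines up to the
     default depth of 16, applies the ``DIRECT'' default, checks that the
     fingerprint length matches the named digest, and then recomputes each
     fingerprint so a modified file (here, a constructed pf.conf edited after
     its fingerprint was recorded) is reported as a mismatch. Case-sensitive
     matching of keywords and type names, the temporary file tree it builds,
     and the function names are assumptions of this example. It uses SHA256
     rather than the MD5 shown in the entries above, since MD5 and SHA1 are
     no longer collision resistant and should not be used for new databases.

```python
"""Constructed example: parse and verify a vexec.conf(5)-style database."""
import hashlib
import os
import tempfile

# Fingerprint types listed in vexec.conf(5), mapped to hashlib algorithm
# names and digest sizes in bytes. RMD160 needs OpenSSL ripemd160 support.
HASHLIB_NAME = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256",
                "SHA384": "sha384", "SHA512": "sha512", "RMD160": "ripemd160"}
DIGEST_LEN = {"MD5": 16, "SHA1": 20, "SHA256": 32,
              "SHA384": 48, "SHA512": 64, "RMD160": 20}
OPTIONS = {"DIRECT", "INDIRECT", "SHELL", "FILE"}
MAX_INCLUDE_DEPTH = 16          # default limit stated in the man page


def parse_conf(path, depth=0):
    """Return [(path, type, fingerprint, option)], following include lines.
    Comments are stripped, blank lines skipped, and a missing option defaults
    to DIRECT. Keywords and type names are matched case-sensitively (assumed)."""
    if depth > MAX_INCLUDE_DEPTH:
        raise ValueError("include depth exceeds %d at %s" % (MAX_INCLUDE_DEPTH, path))
    entries = []
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            where = "%s:%d" % (path, lineno)
            fields = raw.split("#", 1)[0].split()      # drop comment, split on blanks
            if not fields:
                continue
            if fields[0] == "include":
                if len(fields) != 2:
                    raise ValueError("%s: include takes exactly one filename" % where)
                entries.extend(parse_conf(fields[1], depth + 1))
                continue
            if len(fields) not in (3, 4):
                raise ValueError("%s: expected 'path type fingerprint [option]'" % where)
            fpath, ftype, fprint = fields[0], fields[1], fields[2].lower()
            option = fields[3] if len(fields) == 4 else "DIRECT"
            if not fpath.startswith("/"):
                raise ValueError("%s: path must be absolute" % where)
            if ftype not in DIGEST_LEN:
                raise ValueError("%s: unknown fingerprint type %s" % (where, ftype))
            if len(fprint) != 2 * DIGEST_LEN[ftype] or any(c not in "0123456789abcdef" for c in fprint):
                raise ValueError("%s: fingerprint is not a %s hex digest" % (where, ftype))
            if option not in OPTIONS:
                raise ValueError("%s: unknown option %s" % (where, option))
            entries.append((fpath, ftype, fprint, option))
    return entries


def fingerprint(fpath, ftype):
    """Hex digest of a file's contents using the named vexec fingerprint type."""
    h = hashlib.new(HASHLIB_NAME[ftype])
    with open(fpath, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(entries):
    """Recompute every fingerprint; return {path: bool}. A missing file is a mismatch."""
    status = {}
    for fpath, ftype, fprint, _option in entries:
        try:
            status[fpath] = fingerprint(fpath, ftype) == fprint
        except OSError:
            status[fpath] = False
    return status


def build_sample():
    """Create constructed files in a temp dir plus a conf (with an include) that
    describes them. Returns (conf_path, tampered_path): the tampered file is
    edited after its fingerprint was recorded, so verify() must flag it."""
    d = tempfile.mkdtemp(prefix="vexec-demo-")
    files = {"sh": b"#!/bin/sh\necho stand-in for a shell\n",
             "ssh": b"stand-in for an ssh binary\n",
             "pf.conf": b"block all\n"}
    paths = {}
    for name, data in files.items():
        paths[name] = os.path.join(d, name)
        with open(paths[name], "wb") as fh:
            fh.write(data)
    local = os.path.join(d, "vexec.conf.local")
    with open(local, "w") as fh:
        fh.write("%s SHA256 %s FILE   # regular file, not an executable\n"
                 % (paths["pf.conf"], fingerprint(paths["pf.conf"], "SHA256")))
    conf = os.path.join(d, "vexec.conf")
    with open(conf, "w") as fh:
        fh.write("# constructed sample vexec.conf\n")
        fh.write("%s SHA256 %s SHELL\n" % (paths["sh"], fingerprint(paths["sh"], "SHA256")))
        fh.write("%s SHA256 %s\n" % (paths["ssh"], fingerprint(paths["ssh"], "SHA256")))  # DIRECT
        fh.write("include %s\n" % local)
    with open(paths["pf.conf"], "ab") as fh:     # simulate a later edit of pf.conf
        fh.write(b"pass in all\n")
    return conf, paths["pf.conf"]


def depth_limit_demo():
    """A conf that includes itself must be rejected once the depth limit is hit."""
    loop = os.path.join(tempfile.mkdtemp(prefix="vexec-loop-"), "loop.conf")
    with open(loop, "w") as fh:
        fh.write("include %s\n" % loop)
    try:
        parse_conf(loop)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conf_path, _ = build_sample()
    for p, ok in verify(parse_conf(conf_path)).items():
        print("%-8s %s" % ("ok" if ok else "MISMATCH", p))
```

     Run stand-alone, the script prints ``ok'' for the two executables and
     ``MISMATCH'' for the edited pf.conf. The same recompute-and-compare step
     is what a kernel-side check performs at exec(2) or open(2) time; doing it
     from userland lets an administrator audit a database before loading it.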

SEE ALSO
     vexecctl(8), vexec(4), stephanie(7)

AUTHORS
     br1an <brian@ethernet.org> wrote and maintains Vexec and Stephanie for
     OpenBSD 3.6.

OpenBSD 3.6                     August 1, 2004                               2