On Thu, Jan 28, 2010 at 09:43:09AM -0600, Serge E. Hallyn wrote:
> Quoting Richard Zidlicky (firstname.lastname@example.org):
> > On Wed, Jan 27, 2010 at 11:11:41AM -0600, Serge E. Hallyn wrote:
> > > > All in all I think it's a shame that the original proposal didn't work
> > > > out at this time. Having binaries owned by bin:bin does have Unix (but
> > > > not Linux AFAIK) tradition behind it.
> > >
> > > And remounting ro doesn't let a task with CAP_DAC_OVERRIDE write.
> > read only fs is not necessarilly a normal fs thats mounted ro. rpm could have
> > a hook to do whatever is necessary, it is just one program that needs modified.
> > Relying on do CAP_DAC_OVERRIDE has imho more potential for breakage and provides
> > less protection.
> Oh, right, this is for /bin and /sbin only isn't it - so ro fs could
> be good. I was thinking about /etc, which I guess isn't being considered
it was more about the /usr fs. Yes, to have /etc ro it seems many hundreds of packages
would need changes. There is a long history of trying to make eg root ro and it is surely
used for specialised tasks sometimes.
devel mailing list