FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Development

 
 
LinkBack Thread Tools
 
Old 01-29-2010, 03:54 PM
Richard Zidlicky
 
Default RFC: Remove write permissions from executables

On Thu, Jan 28, 2010 at 09:43:09AM -0600, Serge E. Hallyn wrote:
> Quoting Richard Zidlicky (rz@linux-m68k.org):
> > On Wed, Jan 27, 2010 at 11:11:41AM -0600, Serge E. Hallyn wrote:
> >
> > > > All in all I think it's a shame that the original proposal didn't work
> > > > out at this time. Having binaries owned by bin:bin does have Unix (but
> > > > not Linux AFAIK) tradition behind it.
> > >
> > > And remounting ro doesn't let a task with CAP_DAC_OVERRIDE write.
> >
> > read only fs is not necessarilly a normal fs thats mounted ro. rpm could have
> > a hook to do whatever is necessary, it is just one program that needs modified.
> > Relying on do CAP_DAC_OVERRIDE has imho more potential for breakage and provides
> > less protection.
>
> Oh, right, this is for /bin and /sbin only isn't it - so ro fs could
> be good. I was thinking about /etc, which I guess isn't being considered
> yet.

it was more about the /usr fs. Yes, to have /etc ro it seems many hundreds of packages
would need changes. There is a long history of trying to make eg root ro and it is surely
used for specialised tasks sometimes.

Richard
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 

Thread Tools




All times are GMT. The time now is 03:47 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org