Requiring all files in /usr to be world-readable?
Chris Adams
linux at cmadams.net
Mon Nov 3 14:49:23 UTC 2014
Once upon a time, Miloslav Trmač <mitr at redhat.com> said:
> What is the use case for such a blanket requirement? fpc/467 lists the virt thing I so far disagree with, and other uses cases in there actually need much less than all of /usr.
Some packagers think they are being "clever" sometimes by making
RPM-installed binaries non-world-readable. A (fixed) example I ran into
a few years ago was the BIND packager; they reasoned that only root
should "touch" BIND, so made /usr/sbin/rndc private. However, BIND is
specifically set up to allow secure non-root control (key files), and
this just made it where I had to download the RPM and unpack the rndc
binary somewhere else.
There is nothing gained by making RPM-provided files that are not
locally configured not world-readable, with the possible exception of
something that uses file locks on non-config files (which would be weird
and I don't know of anything that does that).
> Secondarily: The rationale that the executables of suid files are public and thus it is useless to make them non-readable is false for 1) any non-distribution packages
Non-distribution packages, locally installed binaries, etc. are not
covered by any Fedora policies, so please stop bringing up that red
herring.
Security-by-obscurity also doesn't help setuid binaries in the normal
install paths (e.g. /usr/bin), because an attack could easily just
switch over to metadata (file size, timestamps, etc.).
--
Chris Adams <linux at cmadams.net>
More information about the devel
mailing list