RFC: Remove write permissions from executables

Miloslav Trmač mitr at volny.cz
Fri Jan 22 11:19:49 UTC 2010


Hello,
In Fedora 12 several daemons (e.g. dhclient) were modified to drop
unnecessary capabilities, most importantly the "dac_override"
capability, allowing the daemon to ignore file permission bits.  This,
in combination with removing some permissions from important system
directories and files (such as /etc/shadow), has restricted the amount
of damage that can be done by exploiting such daemons.

We can extend the protection to all executables by a simple addition to
redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
After applying this patch, executable files in all rebuilt packages
would not be writeable, most often using mode 0555.

I don't expect any problems from this change (it can affect only daemons
that drop capabilities, and executables owned by other users than root);
in the unusual case where making the executable not writeable did cause
some problems, the packager could override the change by explicitly
specifying the required permissions using %attr in the %files section of
the spec file.

What do you think?

Thank you,
    Mirek
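
An added example, not part of the original message and not the redhat-rpm-config patch from the bug above: a small audit that lists executables which still carry a write bit and shows the mode they would have with every write bit cleared (0755 becomes 0555). The function names and the sample tree are constructed for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: find executables that are still writable and show the
# mode each would have with all write bits cleared (e.g. 0755 -> 0555).

# Print every regular file under $1 that has at least one execute bit
# and at least one write bit. Uses only POSIX find primaries.
list_writable_execs() {
    find "$1" -type f \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
        \( -perm -0200 -o -perm -0020 -o -perm -0002 \) -print
}

# Given an octal mode such as 755 or 4755, print it with the owner,
# group and other write bits removed.
strip_write_bits() {
    printf '%04o\n' "$(( 0$1 & ~0222 ))"
}

# Report "path current-mode proposed-mode" for each finding.
# stat -c is the GNU coreutils form (assumption: a Linux system).
report_writable_execs() {
    list_writable_execs "$1" | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")
        printf '%s %s %s\n' "$f" "$mode" "$(strip_write_bits "$mode")"
    done
}

# Constructed sample tree so the example runs offline.
make_sample_tree() {
    d=$(mktemp -d)
    for n in daemon helper tool data.conf; do : > "$d/$n"; done
    chmod 0755 "$d/daemon"     # typical packaged executable
    chmod 0555 "$d/helper"     # already read/execute only
    chmod 4755 "$d/tool"       # setuid, owner-writable
    chmod 0644 "$d/data.conf"  # writable but not executable
    printf '%s\n' "$d"
}

sample=$(make_sample_tree)
report_writable_execs "$sample"
rm -rf "$sample"
```

Pointing `report_writable_execs` at a directory such as /usr/sbin on a test system gives a list of files whose packages would change mode after a rebuild, which helps spot the cases that need an explicit %attr.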


