RFC: Remove write permissions from executables

David Malcolm dmalcolm at redhat.com
Fri Jan 22 15:25:47 UTC 2010


On Fri, 2010-01-22 at 12:19 +0100, Miloslav Trmač wrote:
> Hello,
> In Fedora 12 several daemons (e.g. dhclient) were modified to drop
> unnecessary capabilities, most importantly the "dac_override"
> capability, allowing the daemon to ignore file permission bits.  This,
> in combination with removing some permissions from important system
> directories and files (such as /etc/shadow), has restricted the amount
> of damage that can be done by exploiting such daemons.
> 
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.
> 
> I don't expect any problems from this change (it can affect only daemons
> that drop capabilities, and executables owned by other users than root);
> in the unusual case where making the executable not writeable did cause
> some problems, the packager could override the change by explicitly
> specifying the required permissions using %attr in the %files section of
> the spec file.
> 
> What do you think?
> 
This sounds to me like:
  - a promising idea
  - something that affects the entire distribution
  - something that could make Fedora slightly more secure, and that bit
more attractive to the more paranoid among us
  - something that could break things
  - something that warrants some testing
  - something that suggests a full rebuild
  - something that we'll want to discuss in documentation, and mention
in release notes

i.e. it seems to me like it's worth going through the Feature process
(either as a Feature or an Enhancement), if only to capture the standard
concerns there and create a URL describing the change; see:
https://fedoraproject.org/wiki/Features

Bear in mind that the deadline for requesting F13 features is in 4 days'
time (if memory serves)

How many files would be affected by the change?  All executables on the
system?  Would any of the language runtimes be broken by this change
(e.g. for shebang scripts?)

Hope this is helpful
Dave
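As an added illustration (not part of this thread, of the redhat-rpm-config patch, or of any Fedora tooling), the following Python script does the kind of check Dave's questions call for: it walks a directory tree, lists every regular file that carries an execute bit together with a write bit, and can apply the proposed change in place (clear all write bits, so 0755 and 0775 become 0555). Shebang scripts are treated like any other executable, since the kernel only needs read and execute access to run them. All function names are my own, and the sample tree it builds is constructed for the demonstration; run it against /usr/bin or a package's %buildroot to get the real count. Keep the caveat from the proposal in mind: a process that still holds CAP_DAC_OVERRIDE ignores these bits entirely, so the audit is only meaningful for daemons that have dropped that capability or run as non-root users.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Added example for the thread above: audit/fix write bits on executables.
# Names and the sample tree are assumptions for illustration only; this is
# not code from redhat-rpm-config or from the proposed patch.

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH   # 0o222
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH    # 0o111


def is_writable_executable(mode: int) -> bool:
    """Regular file with at least one execute bit and at least one write bit."""
    return stat.S_ISREG(mode) and bool(mode & EXEC_BITS) and bool(mode & WRITE_BITS)


def find_writable_executables(root: str) -> List[Tuple[str, int]]:
    """Walk `root` without following symlinks; return sorted (relative path, permission bits)."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never chase a symlink to a file outside the tree
            if is_writable_executable(st.st_mode):
                found.append((os.path.relpath(path, root), stat.S_IMODE(st.st_mode)))
    return sorted(found)


def strip_write_bits(root: str) -> int:
    """Apply the proposed change (chmod a-w on every executable); return how many files changed."""
    changed = 0
    for rel, mode in find_writable_executables(root):
        os.chmod(os.path.join(root, rel), mode & ~WRITE_BITS)  # 0755 -> 0555, 0775 -> 0555
        changed += 1
    return changed


def mode_of(root: str, rel: str) -> int:
    """Permission bits of one file in the tree, for reporting and checks."""
    return stat.S_IMODE(os.lstat(os.path.join(root, rel)).st_mode)


def build_demo_tree() -> str:
    """Create a constructed sample tree so the audit can run offline (assumed layout)."""
    root = tempfile.mkdtemp(prefix="exec-audit-")
    samples = {
        "bin/daemon": 0o755,          # typical %install result: owner-writable
        "bin/already-ok": 0o555,      # what the proposal would produce
        "bin/group-writable": 0o775,
        "bin/run.sh": 0o755,          # shebang script: an executable like any other
        "etc/config": 0o644,          # not executable, out of scope for the change
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n" if rel.endswith(".sh") else "payload\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, mode in find_writable_executables(demo):
        print(f"{mode:04o} {rel}")
    print(f"fixed {strip_write_bits(demo)} file(s); remaining: {find_writable_executables(demo)}")
```

The walk uses lstat and does not follow symlinks, so a symlink in the tree pointing at a file outside it is never chmod'ed; for a package, the equivalent of the %attr override in the proposal is simply to exclude that path from strip_write_bits.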