RFC: Remove write permissions from executables

Garrett Holmstrom gholms.fedora at gmail.com
Sat Jan 23 02:54:35 UTC 2010


2010/1/22 Miloslav Trmač <mitr at volny.cz>:
> Hello,
> In Fedora 12 several daemons (e.g. dhclient) were modified to drop
> unnecessary capabilities, most importantly the "dac_override"
> capability, allowing the daemon to ignore file permission bits.  This,
> in combination with removing some permissions from important system
> directories and files (such as /etc/shadow), has restricted the amount
> of damage that can be done by exploiting such daemons.
>
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.
>
> I don't expect any problems from this change (it can affect only daemons
> that drop capabilities, and executables owned by other users than root);
> in the unusual case where making the executable not writeable did cause
> some problems, the packager could override the change by explicitly
> specifying the required permissions using %attr in the %files section of
> the spec file.
>
> What do you think?

I presume this isn't going to break prelink?

--
Garrett Holmstrom
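
The effect described in the quoted proposal, as an added example that is not part of this thread and is not the redhat-rpm-config patch: a shell sketch that lists executables under a build root that still carry write bits, shows the mode each would have with write permission removed (0755 becomes 0555), and can apply the change. The function names are hypothetical, and GNU find (`-perm /MODE`) and GNU stat (`-c`) are assumed.

```shell
#!/bin/sh
# Added illustration; assumes GNU find and GNU stat.
# File names containing newlines are not handled.

# strip_write MODE: print octal MODE with every write bit (0222) cleared.
# Setuid/setgid/sticky bits are preserved, e.g. 4755 -> 4555.
strip_write() {
    printf '%o\n' $(( 0$1 & ~0222 ))
}

# audit_exec_writable DIR: for each regular file under DIR that has at
# least one execute bit and at least one write bit set, print
#   PATH CURRENT_MODE -> MODE_WITHOUT_WRITE_BITS
audit_exec_writable() {
    find "$1" -type f -perm /111 -perm /222 -exec stat -c '%a %n' {} + |
    while read -r mode path; do
        printf '%s %s -> %s\n' "$path" "$mode" "$(strip_write "$mode")"
    done
}

# fix_exec_writable DIR: remove write permission from the same set of
# files. Non-executable files (configuration, data) are left untouched.
fix_exec_writable() {
    find "$1" -type f -perm /111 -perm /222 -exec chmod a-w {} +
}

# Typical use (paths are placeholders):
#   audit_exec_writable /path/to/buildroot
#   fix_exec_writable   /path/to/buildroot
```

A file that must stay writable would be excluded from such a pass by the packager, which is the role the proposal gives to `%attr` in the `%files` section.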

