RFC: Remove write permissions from executables

Mike McLean mikem.rtp at gmail.com
Mon Jan 25 17:45:26 UTC 2010


2010/1/22 Miloslav Trmač <mitr at volny.cz>:
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.

I don't quite understand what this gets us. What is the practical
difference between a root:root 0755 binary and a root:root 0555 one?
The owner of a file can grant themselves write permission anyway, so
I'm not sure how this stops an attacker.

Furthermore, when the user is root, the 0555 mode will not prevent
writing as it would for normal users.
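The two points raised above can be checked directly. The following is an added example and not part of the list thread: it creates a scratch file owned by the current user (a constructed stand-in for a packaged binary), sets it to 0555, and reports whether a write is refused, whether the owner can simply chmod it back to 0755 and write, and whether the process is root (which bypasses mode bits through DAC override). The function name and return keys are this example's own.

```python
import os
import stat
import tempfile


def probe_mode_bits(mode=0o555):
    """Demonstrate the limits of a 0555 mode on an owner-writable file.

    Returns a dict describing what happened, so the caller can reason about
    it rather than reading printed output.
    """
    # Constructed scratch file: owned by the calling user, like a package
    # file owned by root when rpm runs as root.
    fd, path = tempfile.mkstemp(prefix="exec-mode-probe-")
    os.close(fd)
    try:
        os.chmod(path, mode)
        euid_is_root = (os.geteuid() == 0)

        # Point 2: does 0555 stop a plain write?  For an unprivileged owner
        # it does; for root it does not (CAP_DAC_OVERRIDE ignores mode bits).
        write_denied = False
        try:
            with open(path, "a") as f:
                f.write("x")
        except PermissionError:
            write_denied = True

        # Point 1: the owner can always restore write permission on their
        # own file, so 0555 is not a barrier against an attacker who already
        # runs as the owner.
        os.chmod(path, mode | stat.S_IWUSR)
        with open(path, "a") as f:
            f.write("y")
        with open(path) as f:
            content = f.read()

        return {
            "euid_is_root": euid_is_root,
            "write_denied_at_0555": write_denied,
            "owner_chmod_then_write_ok": content.endswith("y"),
            "final_mode": stat.S_IMODE(os.stat(path).st_mode),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in probe_mode_bits().items():
        print(f"{key}: {value}")
```

Run as an ordinary user the first write is refused and the second succeeds after the chmod; run as root both writes succeed, which is exactly the behaviour the reply describes.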


More information about the devel mailing list