RFC: Remove write permissions from executables

Stefan Schulze Frielinghaus stefan at seekline.net
Tue Jan 26 10:16:19 UTC 2010


On Mon, 2010-01-25 at 14:48 -0600, Garrett Holmstrom wrote:
> On Mon, Jan 25, 2010 at 11:54 AM, Till Maas <opensource at till.name> wrote:
> > On Mon, Jan 25, 2010 at 12:45:26PM -0500, Mike McLean wrote:
> >
> >> Furthermore, when the user is root, the 0555 mode will not prevent
> >> writing as it would for normal users.
> >
> > It does not matter whether the user is root, but whether he has the
> > dac_override capability. If you read the original mail (1st paragraph)
> > again with this in mind, you will understand the reason for the change.
> 
> Does a lack of the dac_override capability prevent root from chmod'ing
> its own files?

I had the same question too ;-) and did a quick test. The result was that
if you drop all capabilities, you are still allowed to chmod your files.

So the benefit of removing write permissions is questionable to me.
Maybe someone else can bring in some light?

PS: Testing was done via the attached application.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.c
Type: text/x-csrc
Size: 464 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20100126/3a17c1c7/attachment.bin 
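The attachment test.c was scrubbed from the archive, so the following is an added example (not the original attachment, and not Fedora project code) that reproduces the experiment described above: clear every capability with capset(2), then show that the file owner can still chmod a 0555 file back to writable. The point it illustrates is that chmod(2) is gated by file ownership (or CAP_FOWNER for non-owners), not by CAP_DAC_OVERRIDE, so mode bits never constrain the owner of the file. The capset structs are hand-defined to avoid a libcap dependency; the temp file path under /tmp is a constructed sample, and the capability drop is Linux-only (elsewhere the function reports that caps were not dropped).

```c
/* Added example, not the attachment from the original mail: drop every
 * capability, then show the file owner can still chmod() a 0555 file.
 * capset(2) is invoked via syscall(2) with hand-defined structs so no
 * libcap is needed; on non-Linux builds the drop is reported as failed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Argument layout of capset(2) for _LINUX_CAPABILITY_VERSION_3. */
struct cap_header { unsigned int version; int pid; };
struct cap_data   { unsigned int effective, permitted, inheritable; };

/* Clear the effective, permitted and inheritable sets of this thread.
 * Returns 1 on success, 0 if the call failed or is unavailable. Lowering
 * your own sets needs no privilege, so this works for root and non-root. */
int drop_all_capabilities(void)
{
#if defined(__linux__) && defined(SYS_capset)
    struct cap_header hdr = { 0x20080522u, 0 };          /* version 3, pid 0 = self */
    struct cap_data   data[2] = { {0, 0, 0}, {0, 0, 0} }; /* two 32-bit words per set */
    return syscall(SYS_capset, &hdr, data) == 0;
#else
    return 0;
#endif
}

struct chmod_demo_result {
    int caps_dropped;   /* capset() succeeded, so CAP_DAC_OVERRIDE is gone */
    int chmod_ro_ok;    /* owner could set mode 0555 */
    int write_denied;   /* open(O_WRONLY) on the 0555 file failed with EACCES */
    int chmod_rw_ok;    /* owner could set mode 0644 again */
    int write_ok;       /* open(O_WRONLY) then succeeded */
};

/* Try to open path for writing: 1 on success, 0 on failure with errno in *err. */
static int try_open_write(const char *path, int *err)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) { *err = errno; return 0; }
    close(fd);
    return 1;
}

/* Create a temp file we own, drop capabilities, then exercise chmod/open. */
struct chmod_demo_result run_chmod_demo(void)
{
    struct chmod_demo_result r = {0, 0, 0, 0, 0};
    char path[] = "/tmp/chmod-demo-XXXXXX";   /* constructed sample file name */
    int err = 0;
    int fd = mkstemp(path);                    /* created mode 0600, owned by us */
    if (fd < 0) return r;
    close(fd);

    r.caps_dropped = drop_all_capabilities();

    /* chmod(2) checks fsuid == file owner (or CAP_FOWNER); CAP_DAC_OVERRIDE
     * plays no part, so this succeeds with an empty capability set. */
    r.chmod_ro_ok = (chmod(path, 0555) == 0);
    /* Without CAP_DAC_OVERRIDE the 0555 bits are enforced even for uid 0. */
    r.write_denied = !try_open_write(path, &err) && err == EACCES;

    /* ...but the owner can simply put the write bit back. */
    r.chmod_rw_ok = (chmod(path, 0644) == 0);
    r.write_ok = try_open_write(path, &err);

    unlink(path);
    return r;
}

/* Single pass/fail summary: the owner could always chmod, and whenever the
 * capability drop actually took effect the 0555 mode did block writing. */
int demo_owner_keeps_chmod(void)
{
    struct chmod_demo_result r = run_chmod_demo();
    return r.chmod_ro_ok && r.chmod_rw_ok && r.write_ok
        && (!r.caps_dropped || r.write_denied);
}

int main(void)
{
    struct chmod_demo_result r = run_chmod_demo();
    printf("caps dropped:        %s\n", r.caps_dropped ? "yes" : "no");
    printf("chmod 0555 by owner: %s\n", r.chmod_ro_ok ? "ok" : "failed");
    printf("write to 0555 file:  %s\n", r.write_denied ? "denied (EACCES)" : "allowed");
    printf("chmod 0644 by owner: %s\n", r.chmod_rw_ok ? "ok" : "failed");
    printf("write to 0644 file:  %s\n", r.write_ok ? "ok" : "failed");
    return 0;
}
```

Run it once as an ordinary user and once as root: in both cases the two chmod calls succeed, and once the capability drop has taken effect the write to the 0555 file is refused with EACCES for root as well. This is why a 0555 mode on an installed binary is a guard against accidental writes by the owning uid, not against a process that already runs as that uid and is willing to call chmod first.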

