RFC: Remove write permissions from executables
Richard Zidlicky
rz at linux-m68k.org
Thu Jan 28 10:28:18 UTC 2010
On Wed, Jan 27, 2010 at 11:11:41AM -0600, Serge E. Hallyn wrote:
> > All in all I think it's a shame that the original proposal didn't work
> > out at this time. Having binaries owned by bin:bin does have Unix (but
> > not Linux AFAIK) tradition behind it.
>
> And remounting ro doesn't let a task with CAP_DAC_OVERRIDE write.
read only fs is not necessarilly a normal fs thats mounted ro. rpm could have
a hook to do whatever is necessary, it is just one program that needs modified.
Relying on do CAP_DAC_OVERRIDE has imho more potential for breakage and provides
less protection.
Richard
More information about the devel
mailing list