RFC: Remove write permissions from executables
Serge E. Hallyn
serue at us.ibm.com
Thu Jan 28 15:43:09 UTC 2010
Quoting Richard Zidlicky (rz at linux-m68k.org):
> On Wed, Jan 27, 2010 at 11:11:41AM -0600, Serge E. Hallyn wrote:
>
> > > All in all I think it's a shame that the original proposal didn't work
> > > out at this time. Having binaries owned by bin:bin does have Unix (but
> > > not Linux AFAIK) tradition behind it.
> >
> > And remounting ro doesn't let a task with CAP_DAC_OVERRIDE write.
>
> read only fs is not necessarilly a normal fs thats mounted ro. rpm could have
> a hook to do whatever is necessary, it is just one program that needs modified.
> Relying on do CAP_DAC_OVERRIDE has imho more potential for breakage and provides
> less protection.
Oh, right, this is for /bin and /sbin only isn't it - so ro fs could
be good. I was thinking about /etc, which I guess isn't being considered
yet.
-serge
More information about the devel
mailing list