Requiring all files in /usr to be world-readable?

Lennart Poettering mzerqung at
Sun Nov 2 17:15:05 UTC 2014

On Fri, 31.10.14 10:04, Andrew Lutomirski (luto at wrote:

> I filed an FPC ticket:
> Thoughts?

I very much agree with this, but I'd really prefer if we'd list what
is allowed rather than just declare what is forbidden.

A short list like this should be everything we should allow in /usr:

  a) symlinks
  b) directories with access mode 0555
  c) files with access mode 0444 (optionally 0644 if owned by root user)
  d) files with access mode 0555 (optionally 0755 if owned by root user)
  e) files with access mode 2555 (optionally 2755 if owned by root user)
  f) files with access mode 4555

Or something like that. 

That said, there appears to be some form of cargo-cult programming
around, for example the audit packages carries a lot of non-sensical
access modes, for security theatre reasons. Good luck with getting
that package fixed! 


Lennart Poettering, Red Hat

More information about the devel mailing list