Requiring all files in /usr to be world-readable?
Lennart Poettering
mzerqung at 0pointer.de
Sun Nov 2 17:15:05 UTC 2014
On Fri, 31.10.14 10:04, Andrew Lutomirski (luto at mit.edu) wrote:
> I filed an FPC ticket: https://fedorahosted.org/fpc/ticket/467
>
> Thoughts?
I very much agree with this, but I'd really prefer if we'd list what
is allowed rather than just declare what is forbidden.
A short list like this should be everything we should allow in /usr:
a) symlinks
b) directories with access mode 0555
c) files with access mode 0444 (optionally 0644 if owned by root user)
d) files with access mode 0555 (optionally 0755 if owned by root user)
e) files with access mode 2555 (optionally 2755 if owned by root user)
f) files with access mode 4555
Or something like that.
That said, there appears to be some form of cargo-cult programming
around, for example the audit packages carries a lot of non-sensical
access modes, for security theatre reasons. Good luck with getting
that package fixed!
Lennart
--
Lennart Poettering, Red Hat
More information about the devel
mailing list