Requiring all files in /usr to be world-readable?

Chris Adams linux at cmadams.net
Mon Nov 3 14:49:23 UTC 2014


Once upon a time, Miloslav Trmač <mitr at redhat.com> said:
> What is the use case for such a blanket requirement?  fpc/467 lists the virt thing I so far disagree with, and other use cases in there actually need much less than all of /usr.

Some packagers think they are being "clever" sometimes by making
RPM-installed binaries non-world-readable.  A (fixed) example I ran into
a few years ago was the BIND packager; they reasoned that only root
should "touch" BIND, so made /usr/sbin/rndc private.  However, BIND is
specifically set up to allow secure non-root control (key files), and
this just made it where I had to download the RPM and unpack the rndc
binary somewhere else.

There is nothing gained by making RPM-provided files that are not
locally configured not world-readable, with the possible exception of
something that uses file locks on non-config files (which would be weird
and I don't know of anything that does that).

> Secondarily: The rationale that the executables of suid files are public and thus it is useless to make them non-readable is false for 1) any non-distribution packages

Non-distribution packages, locally installed binaries, etc. are not
covered by any Fedora policies, so please stop bringing up that red
herring.

Security-by-obscurity also doesn't help setuid binaries in the normal
install paths (e.g. /usr/bin), because an attack could easily just
switch over to metadata (file size, timestamps, etc.).

-- 
Chris Adams <linux at cmadams.net>
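
An added illustration of the metadata point in the message above (this is not code from the post or from any Fedora package; the file name, contents, mtime and the "known builds" table are all constructed for the demo, and it assumes GNU coreutils for `stat -c` and `touch -d`): stripping the read bit from a binary does not stop an unprivileged user from calling stat(2) on it, because stat needs only search permission on the directory, not read permission on the file. Size plus mtime is enough to match the file against a precomputed table built from the public packages.

```sh
#!/bin/sh
# Added example, not from the original post. Shows that a non-world-readable
# file still leaks its metadata (size, mtime) through stat(2), and that this
# metadata is enough to identify it against a table of known builds.
# Everything below (file name, contents, mtime, KNOWN_BUILDS) is constructed.

# Fingerprint a file by metadata visible without read permission:
# size in bytes and modification time as epoch seconds.
# Assumption: GNU stat (coreutils) is available.
fingerprint() {
    stat -c '%s:%Y' "$1"
}

# Returns 0 if the current user can open the file for reading.
# Note: root bypasses the mode bits, so this succeeds when run as root.
can_read() {
    cat "$1" >/dev/null 2>&1
}

# Create a scratch directory holding a "private" binary with mode 0000,
# i.e. no read bit for anyone, and a fixed mtime so the fingerprint is stable.
setup_demo() {
    demo_dir=$(mktemp -d)
    printf 'fake-binary-contents-v1\n' > "$demo_dir/rndc"   # 24 bytes
    touch -d '@1414800000' "$demo_dir/rndc"                   # constructed mtime
    chmod 0000 "$demo_dir/rndc"
    echo "$demo_dir"
}

# Constructed "size:mtime package" table: what anyone could precompute from
# the public packages of a distribution, keyed purely on metadata.
KNOWN_BUILDS='24:1414800000 rndc-9.9.4-14.demo
8:1414800000 other-tool-1.0.demo'

# Look a file up in KNOWN_BUILDS by its fingerprint; prints the package name
# and returns 0 on a match, returns 1 otherwise.
identify() {
    fp=$(fingerprint "$1")
    printf '%s\n' "$KNOWN_BUILDS" |
        awk -v fp="$fp" '$1 == fp { print $2; found = 1 } END { exit !found }'
}

dir=$(setup_demo)
if can_read "$dir/rndc"; then
    echo "read allowed (probably running as root), but metadata is public anyway:"
else
    echo "read denied, yet metadata is still visible:"
fi
echo "  fingerprint: $(fingerprint "$dir/rndc")"
echo "  matches:     $(identify "$dir/rndc" || echo '<unknown build>')"
rm -rf "$dir"
```

Run it as an ordinary user to see `cat` refused while `stat` still answers; the lookup matches the unreadable file to `rndc-9.9.4-14.demo` from size and mtime alone, which is exactly the "switch over to metadata" move described above.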

