[OS-BUILD PATCH 0/0] Drop custom mode for System.map file

From: Zbigniew Jędrzejewski-Szmek on gitlab.com
Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2819
NOTE: Truncated patchset due to missing public @redhat.com email
      address on your GitLab profile at https://gitlab.com/-/profile.
      Once that is fixed, close and reopen the merge request to
      retrigger sending the emails.

Mode 0600 was introduced in [1], with the justification that
"You can just chmod 644 them later if you (unlikely) need them without root.".
The time where a different mode is needed has come ;)
I'm building initrd images as part of the mkosi project [2], and in general
mkosi is designed to be executed unprivileged, and currently this fails when
copying in the kernel module files, because System.map is not readable.

Mode 0600 is not useful for files that are packaged, anyone can trivially get
the file from the web, or even from the dnf cache, etc. The packaging
guidelines [3] say:
"Inside of /usr [...] [files] MUST be universally readable."

A similar case came up recently with polkit rules [4]. Apparently RH security
folks found the change acceptable. Also, at least on Debian System.map is
0644.

[1] https://src.fedoraproject.org/rpms/kernel/c/d287769cc9dbdad68eb0123b149e8c8edae4632f
[2] https://github.com/systemd/mkosi/pull/2040
[3] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_file_permissions
[4] https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/153

---
 redhat/kernel.spec.template |  6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)