On Sunday 26 July 2009 08:54:26 pm Steve Grubb wrote:
> > I trust you meant to write 0555?
>
> No, I really mean 005 so that root daemons are using public permissions.
> Admins of course have DAC_OVERRIDE and can do anything. Try the script in a
> VM and tell me if there are any problems you see.

I should elaborate more. The issue is that sometimes there are secrets that root admins have access to that should not be available to semi-trusted daemons. For example, any private keys in /root or /etc. You do not want any daemon that could be compromised to have access to these. So, it's safest just to set the permissions to 0005 so that they have no access to /root.

I expect a few corner cases, but other than /etc/resolve.conf I don't know of any problems.

-Steve