Quoting Steve Grubb (sgrubb@xxxxxxxxxx):
> On Sunday 26 July 2009 08:54:26 pm Steve Grubb wrote:
> > > I trust you meant to write 0555?
> >
> > No, I really mean 005 so that root daemons are using public permissions.
> > Admins of course have DAC_OVERRIDE and can do anything. Try the script in a
> > VM and tell me if there are any problems you see.
>
> I should elaborate more. The issue is that sometimes there are secrets that
> root admins have access to that should not be available to semi-trusted
> daemons. For example, any private keys in /root or /etc. You do not want any
> daemon that could be compromised to have access to these. So, it's safest just
> to set the permissions to 0005 so that they have no access to /root.

But 0555 will also prevent root without CAP_DAC_OVERRIDE from writing, no?
Using 0005 will mean root also needs CAP_DAC_OVERRIDE to read/execute, which
seems a bit much. Suddenly it needs extra privilege if I just want it to be
able to execute /bin/date. That actually seems less secure in any real system.

> I expect a few corner cases, but other than /etc/resolve.conf I don't know of
> any problems.
>
> -Steve
>
> --
> fedora-devel-list mailing list
> fedora-devel-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-devel-list
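The disagreement above is about how mode bits and CAP_DAC_OVERRIDE combine for a process running as uid 0. The Python below is an added illustration, not code from either poster or from the script under discussion: it models the kernel's discretionary permission check as I understand generic_permission() (owner bits apply exclusively to the owner, then the CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH escape hatches), and evaluates /root at 0005 and 0555 for a root daemon with an empty capability set, an admin with CAP_DAC_OVERRIDE, and a constructed unprivileged uid 1000. ACLs, LSM policy and the immutable bit are ignored; the object ownership and the uid 1000 are assumptions for the example.

```python
"""Model of the Linux discretionary access (DAC) check: the applicable
class of mode bits first, then the CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH
escape hatches. Written from memory of generic_permission(); it is a model
for the 0005-vs-0555 question, not kernel code, and it ignores ACLs, LSMs
and the immutable bit.
"""

MAY_READ, MAY_WRITE, MAY_EXEC = 4, 2, 1


def dac_permission(mode, owner_uid, owner_gid, is_dir, uid, gids, caps, want):
    """Return True if a process (uid, gids, effective caps) may perform the
    access mask `want` on an object with the given mode and ownership."""
    # Exactly one class of bits applies: owner, else group, else other.
    # A process running as the owner never falls through to "other", which
    # is why a root-owned 0005 directory gives root itself no bits at all.
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    if bits & want == want:
        return True

    # CAP_DAC_OVERRIDE bypasses the bits entirely, with one exception:
    # executing a regular file still requires at least one x bit anywhere.
    if "CAP_DAC_OVERRIDE" in caps:
        if is_dir or not (want & MAY_EXEC) or (mode & 0o111):
            return True

    # CAP_DAC_READ_SEARCH only covers read on files and read+search on
    # directories; it never grants write.
    if "CAP_DAC_READ_SEARCH" in caps:
        if is_dir and not (want & MAY_WRITE):
            return True
        if not is_dir and want == MAY_READ:
            return True
    return False


# Constructed objects: /root and /bin/date, both owned by root:root.
ROOT_DIR = dict(owner_uid=0, owner_gid=0, is_dir=True)
DATE_BIN = dict(owner_uid=0, owner_gid=0, is_dir=False)


def compare_modes():
    """Evaluate both candidate modes for a daemon running as uid 0 with no
    capabilities, an admin shell with CAP_DAC_OVERRIDE, and a constructed
    unprivileged user (uid 1000)."""
    daemon = dict(uid=0, gids={0}, caps=set())
    admin = dict(uid=0, gids={0}, caps={"CAP_DAC_OVERRIDE"})
    user = dict(uid=1000, gids={1000}, caps=set())
    results = {}
    for mode in (0o005, 0o555):
        results[mode] = {
            "daemon_can_search_root": dac_permission(
                mode, **ROOT_DIR, **daemon, want=MAY_READ | MAY_EXEC),
            "daemon_can_write_root": dac_permission(
                mode, **ROOT_DIR, **daemon, want=MAY_WRITE),
            "admin_can_write_root": dac_permission(
                mode, **ROOT_DIR, **admin, want=MAY_WRITE),
            "user_can_search_root": dac_permission(
                mode, **ROOT_DIR, **user, want=MAY_READ | MAY_EXEC),
            "daemon_can_exec_date": dac_permission(
                mode, **DATE_BIN, **daemon, want=MAY_EXEC),
        }
    return results


if __name__ == "__main__":
    for mode, r in compare_modes().items():
        print(f"mode {mode:04o}:")
        for name, allowed in r.items():
            print(f"  {name:24s} {allowed}")
```

Run as a script, the table shows both sides of the argument: at 0005 a capability-less root daemon cannot even search /root or execute a 0005 /bin/date, while at 0555 it can read and execute but still cannot write without CAP_DAC_OVERRIDE. The model also makes visible a consequence of 0005 that a practitioner should check before deploying such a script: the "other" class is r-x, so an unprivileged uid 1000 can list a root-owned 0005 directory while root itself cannot.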