Steve Grubb <sgrubb@xxxxxxxxxx> writes:
> On Monday 27 July 2009 09:11:33 am Serge E. Hallyn wrote:
>> Using 0005 will mean root also needs CAP_DAC_OVERRIDE to read/execute,
>> which seems a bit much. Suddenly it needs extra privilege if i just want
>> it to be able to execute /bin/date. That actually seems less secure in any
>> real system.

> # ls -l /bin/date
> -rwxr-xr-x 1 root root 69296 2009-03-02 08:57 /bin/date

> The file is 0755 and therefore is executable by anyone. DAC_OVERRIDE is not
> needed for anything but writing to the file as in "yum update".

Are you deliberately misunderstanding the point? Whether /bin/date is
executable is moot if I can't search /bin/ to get to it.

This 0005 business is security theater, or maybe even worse than that.
Please just use 0555 and don't try to be cute.

regards, tom lane
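
The path-walk argument in this message, as an added example that is not part of the original thread: a simplified Python model of the Linux DAC check (one permission class applies, then capability overrides) run over a constructed /bin and /bin/date. The Inode and Cred types, the function names and the uid 1000 user are assumptions made for illustration.

```python
from dataclasses import dataclass

MAY_EXEC, MAY_WRITE, MAY_READ = 1, 2, 4

@dataclass(frozen=True)
class Inode:
    mode: int            # permission bits, e.g. 0o755
    uid: int
    gid: int
    is_dir: bool = False

@dataclass(frozen=True)
class Cred:
    fsuid: int
    groups: frozenset = frozenset()
    caps: frozenset = frozenset()

def permitted(inode, cred, want):
    """Simplified model of the DAC check plus capability overrides."""
    # Exactly one class applies: owner, else group, else other.
    if cred.fsuid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif inode.gid in cred.groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    if (bits & want) == want:
        return True
    # CAP_DAC_READ_SEARCH: read files, read and search directories.
    if "CAP_DAC_READ_SEARCH" in cred.caps:
        if want == MAY_READ or (inode.is_dir and not (want & MAY_WRITE)):
            return True
    # CAP_DAC_OVERRIDE: anything except exec of a file with no x bit at all.
    if "CAP_DAC_OVERRIDE" in cred.caps:
        return inode.is_dir or not (want & MAY_EXEC) or bool(inode.mode & 0o111)
    return False

def can_execute(dirs, target, cred):
    """Each directory on the path needs search (x); the file needs x."""
    return (all(permitted(d, cred, MAY_EXEC) for d in dirs)
            and permitted(target, cred, MAY_EXEC))

# Constructed sample: /bin/date is root:root 0755, as in the quoted ls output.
DATE = Inode(0o755, 0, 0)
BIN_0005 = Inode(0o005, 0, 0, is_dir=True)
BIN_0555 = Inode(0o555, 0, 0, is_dir=True)
ROOT_NO_CAPS = Cred(0, frozenset({0}))
ROOT_OVERRIDE = Cred(0, frozenset({0}), frozenset({"CAP_DAC_OVERRIDE"}))
USER = Cred(1000, frozenset({1000}))
```

In this model, with /bin at 0005 a root process holding no capabilities falls into the owner class, which has no bits set, so it cannot reach /bin/date even though uid 1000 can; with 0555 both succeed.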