On 01/22/2010 12:19 PM, Miloslav Trmač wrote: > Hello, > In Fedora 12 several daemons (e.g. dhclient) were modified to drop > unnecessary capabilities, most importantly the "dac_override" > capability, allowing the daemon to ignore file permission bits. This, > in combination with removing some permissions from important system > directories and files (such as /etc/shadow), has restricted the amount > of damage that can be done by exploiting such daemons. > > We can extend the protection to all executables by a simple addition to > redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ). > After applying this patch, executable files in all rebuilt packages > would not be writeable, most often using mode 0555. > > I don't expect any problems from this change (it can affect only daemons > that drop capabilities, and executables owned by other users than root); > in the unusual case where making the executeable not writeable did case > some problems, the packager could override the change by explicitly > specifying the required permissions using %attr in the %files section of > the spec file. > > What do you think? Bad idea. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
