On Fri, Jan 22, 2010 at 12:19:49PM +0100, Miloslav Trmač wrote:
> Hello,
> In Fedora 12 several daemons (e.g. dhclient) were modified to drop
> unnecessary capabilities, most importantly the "dac_override"
> capability, allowing the daemon to ignore file permission bits. This,
> in combination with removing some permissions from important system
> directories and files (such as /etc/shadow), has restricted the amount
> of damage that can be done by exploiting such daemons.
>
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.

Is it possible we could remove unreadable binaries with the same change?

See:
http://www.redhat.com/archives/rhl-devel-list/2009-October/thread.html#00987

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
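The two properties discussed in this thread (executables shipped as mode 0555 so that a daemon without the dac_override capability cannot overwrite them, and executables that are not world-readable) are easy to audit on an installed tree. The script below is an added example and is not part of the thread, the redhat-rpm-config patch, or any Fedora tooling. It assumes GNU findutils and coreutils (`find -perm /mode`, `stat -c`). The sample tree it builds is constructed for the example: one file in the 0555 shape the patch produces, one owner-writable 0755 binary, one executable-but-unreadable 0711 binary, and a non-executable 0644 data file that the audit should ignore.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a directory tree for regular
# executable files that are either writable by anyone (any w bit set, the
# state the redhat-rpm-config change removes) or not readable by others
# (the "unreadable binaries" case Rich raises).
# Assumes GNU find and GNU stat.

# Print "<octal mode> <path>" for each offending executable under $1,
# sorted by path. An empty result means every executable is 0555-style:
# no write bits, world-readable.
audit_executables() {
    dir="$1"
    find "$dir" -type f -perm -100 \
        \( -perm /222 -o ! -perm -004 \) \
        -exec stat -c '%a %n' {} + | sort -k2
}

# Build a constructed sample tree in a temp directory and print its path.
make_sample_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/usr/bin" "$d/usr/sbin"
    : > "$d/usr/bin/ok";          chmod 0555 "$d/usr/bin/ok"           # what the patch produces
    : > "$d/usr/bin/writable";    chmod 0755 "$d/usr/bin/writable"     # owner-writable, pre-patch default
    : > "$d/usr/sbin/unreadable"; chmod 0711 "$d/usr/sbin/unreadable"  # executable but not readable
    : > "$d/usr/bin/notexec";     chmod 0644 "$d/usr/bin/notexec"      # data file, must be ignored
    printf '%s\n' "$d"
}

# Stand-alone usage: audit a sample tree, or a real prefix such as /usr.
if [ "${1:-}" = "--demo" ]; then
    tree="$(make_sample_tree)"
    audit_executables "$tree"
    rm -rf "$tree"
elif [ -n "${1:-}" ]; then
    audit_executables "$1"
fi
```

With the binaries at 0555, even a root-owned daemon that has dropped CAP_DAC_OVERRIDE gets EACCES when it tries to open one of them for writing; the audit above lists every file where that protection does not yet hold, and separately flags executables that have been made unreadable.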