2010/1/22 Miloslav Trmač <mitr@xxxxxxxx>:
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.

I don't quite understand what this gets us. What is the practical
difference between a root:root 0755 binary and a root:root 0555 one?
The owner of a file can grant themselves write permission anyway, so
I'm not sure how this stops an attacker. Furthermore, when the user is
root, the 0555 mode will not prevent writing as it would for normal
users.