Re: RFC: Remove write permissions from executables

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2010-01-25 at 14:48 -0600, Garrett Holmstrom wrote:
> On Mon, Jan 25, 2010 at 11:54 AM, Till Maas <opensource@xxxxxxxxx> wrote:
> > On Mon, Jan 25, 2010 at 12:45:26PM -0500, Mike McLean wrote:
> >
> >> Furthermore, when the user is root, the 0555 mode will not prevent
> >> writing as it would for normal users.
> >
> > It does not matter, whether the user is root, but whether he has the
> > dac_override capability. If you read the original mail (1st paragraph)
> > again with this in mind, you will understand the reason for the change.
> 
> Does a lack of the dac_override capability prevent root from chmod'ing
> its own files?

I had the same question too ;-) and did a quick test. The result was, if
you drop all capabilities, you are still allowed to chmod your files.

So the benefit of removing write permissions is questionable to me.
Maybe someone else can bring in some light?

PS: Testing was done via the attached application.
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <cap-ng.h>

int main (void) {
	capng_clear(CAPNG_SELECT_BOTH);
	if (capng_apply(CAPNG_SELECT_BOTH)) {
		fprintf (stderr, "capng_apply\n");
		return 1;
	}

	if (capng_have_capabilities(CAPNG_SELECT_CAPS) > CAPNG_NONE) {
		fprintf (stderr, "something went wrong, we still have caps\n");
		return 1;
	}

	if (chmod("./blub", S_IRUSR | S_IWUSR)) {
		perror ("chmod");
		return 1;
	}

	return 0;
}

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux