Re: RFC: Remove write permissions from executables

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Quoting Benny Amorsen (benny+usenet@xxxxxxxxxx):
> Richard Zidlicky <rz@xxxxxxxxxxxxxx> writes:
> 
> > Mounting the fs read only is much easier and safer - and has long tradition.
> 
> This is not feasible as a distribution policy. You can't guarantee that
> /usr/bin is on its own partition so you can mount it read only. The only
> way to achieve it would be creative use of mount --bind, something which
> certainly goes against tradition.
> 
> Also, the advantage of the proposed change was that it would not affect
> e.g. yum upgrade. Creative use of mount --bind could perhaps achieve the
> same result, but not in a way which I consider sane.
> 
> All in all I think it's a shame that the original proposal didn't work
> out at this time. Having binaries owned by bin:bin does have Unix (but
> not Linux AFAIK) tradition behind it.

And remounting ro doesn't let a task with CAP_DAC_OVERRIDE write.

-serge
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux