Re: RFC: Remove write permissions from executables

On Wed, Jan 27, 2010 at 04:10:39PM +0100, Benny Amorsen wrote:
> 
> > Mounting the fs read only is much easier and safer - and has long tradition.
> 
> This is not feasible as a distribution policy. You can't guarantee that
> /usr/bin is on its own partition so you can mount it read only. 

Of course it is not guaranteed. But it is not difficult to detect, and I think 
plenty of sysadmins are doing it that way. Used to have many more advantages
than just a marginal gain in security.

Fedora certainly cannot mandate this as a policy; it would be nice if it would 
work with this common setup.

> Also, the advantage of the proposed change was that it would not affect
> e.g. yum upgrade. Creative use of mount --bind could perhaps achieve the
> same result, but not in a way which I consider sane.

That would be indeed insane. But as has been mentioned, rpm could have a hook
to do some actions before and after modifying anything.

> All in all I think it's a shame that the original proposal didn't work
> out at this time. Having binaries owned by bin:bin does have Unix (but
> not Linux AFAIK) tradition behind it.

Now that you mention bin:bin, I remember the old days.

Richard
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
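
The read-only detection mentioned in the message above, as an added example that is not part of the original post or of rpm: it finds the mount that holds a path by longest mount-point match in `/proc/self/mountinfo` and reports whether that mount is read-only, either per mount (a bind mount remounted `ro`) or at the superblock. The function name `path_on_ro_mount` and the sample mount table are constructed for illustration; the path is assumed to be absolute and already symlink-resolved, and mount points containing escaped spaces are not handled.

```shell
#!/bin/sh
# path_on_ro_mount PATH [MOUNTINFO]   (hypothetical helper name)
# Exit 0 if the mount holding PATH is read-only, 1 if writable, 2 if no mount matched.
path_on_ro_mount() {
    awk -v path="$1" '
    function has_ro(opts,   n, k, a) {
        n = split(opts, a, ",")
        for (k = 1; k <= n; k++) if (a[k] == "ro") return 1
        return 0
    }
    {
        mp = $5                                   # field 5: mount point
        covers = (mp == "/" || path == mp || index(path, mp "/") == 1)
        if (!covers || length(mp) < best) next    # keep longest match; later entry wins ties
        i = 7
        while (i <= NF && $i != "-") i++          # skip optional fields up to the "-" separator
        best = length(mp); found = 1
        # field 6 = per-mount options, 3rd field after "-" = superblock options
        ro = has_ro($6) || has_ro($(i + 3))
    }
    END { if (!found) exit 2; exit(ro ? 0 : 1) }
    ' "${2:-/proc/self/mountinfo}"
}

# Constructed sample mount table: /usr on its own read-only partition,
# /opt a bind mount remounted read-only on top of a writable filesystem.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
35 22 8:3 / /usr ro,relatime shared:5 - ext4 /dev/sda3 ro
41 22 8:4 / /var rw,relatime shared:9 - ext4 /dev/sda4 rw
48 22 8:4 /opt /opt ro,relatime shared:9 - ext4 /dev/sda4 rw
EOF

for p in /usr/bin /var/lib/rpm /opt/tool /usrlocal/bin; do
    if path_on_ro_mount "$p" "$SAMPLE"; then
        echo "$p: read-only mount"
    else
        echo "$p: writable mount"
    fi
done
```

Without a second argument the function reads the live `/proc/self/mountinfo`, so the same check can run before and after a package transaction.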
