Quoting Richard Zidlicky (rz@xxxxxxxxxxxxxx): > On Wed, Jan 27, 2010 at 11:11:41AM -0600, Serge E. Hallyn wrote: > > > > All in all I think it's a shame that the original proposal didn't work > > > out at this time. Having binaries owned by bin:bin does have Unix (but > > > not Linux AFAIK) tradition behind it. > > > > And remounting ro doesn't let a task with CAP_DAC_OVERRIDE write. > > read only fs is not necessarilly a normal fs thats mounted ro. rpm could have > a hook to do whatever is necessary, it is just one program that needs modified. > Relying on do CAP_DAC_OVERRIDE has imho more potential for breakage and provides > less protection. Oh, right, this is for /bin and /sbin only isn't it - so ro fs could be good. I was thinking about /etc, which I guess isn't being considered yet. -serge -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
