On Thu, Jan 28, 2010 at 09:43:09AM -0600, Serge E. Hallyn wrote: > Quoting Richard Zidlicky (rz@xxxxxxxxxxxxxx): > > On Wed, Jan 27, 2010 at 11:11:41AM -0600, Serge E. Hallyn wrote: > > > > > > All in all I think it's a shame that the original proposal didn't work > > > > out at this time. Having binaries owned by bin:bin does have Unix (but > > > > not Linux AFAIK) tradition behind it. > > > > > > And remounting ro doesn't let a task with CAP_DAC_OVERRIDE write. > > > > read only fs is not necessarilly a normal fs thats mounted ro. rpm could have > > a hook to do whatever is necessary, it is just one program that needs modified. > > Relying on do CAP_DAC_OVERRIDE has imho more potential for breakage and provides > > less protection. > > Oh, right, this is for /bin and /sbin only isn't it - so ro fs could > be good. I was thinking about /etc, which I guess isn't being considered > yet. it was more about the /usr fs. Yes, to have /etc ro it seems many hundreds of packages would need changes. There is a long history of trying to make eg root ro and it is surely used for specialised tasks sometimes. Richard -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
