On Fri, Oct 31, 2014 at 01:59:30PM -0400, Miloslav Trmač wrote:
> ----- Original Message -----
> > I filed an FPC ticket: https://fedorahosted.org/fpc/ticket/467
> >
> > Thoughts?
> My intuition is that if an application needs _everything_ in /usr to
> be readable then it is likely broken. Something being placed in
> /usr does _not_ imply that it is supposed to be used by everyone.

That may be your intuition, but it's not a reason. There are
programs which have long needed to read all - or many - files from
/usr (supermin being one, since around 2009).

> An administrator can come and change the permissions at any time,

Or they could delete RPM-managed files at random. If that breaks
things, then that's a problem for the administrator.

> and the packaging guideline would not affect anything not included
> in Fedora-distributed RPMs.

supermin only looks at a subset of files, and only ones in (a subset
of) Fedora-distributed RPMs.

> And if we look only at the cases that
> would be helped by the proposed guideline, i.e. only depending on
> Fedora RPM-distributed files (but not being particular about what
> the purpose of kind of file this is), the application would probably
> be better off just opening and reading the RPMs from repos directly
> instead of reusing whatever local damage could have been done to the
> partition.

This is really slow, and requires network access. supermin can build
an appliance from /usr in a few seconds, without needing network
access.

[...]
> (And to the specific examples brought up: No opinion on systemd
> services; making setuid binaries not world-readable has a _definite_
> benefit when prelink is set up, OTOH that is no longer a default.)

Prelink should never have been modifying files in /usr in the first
place. Thankfully as you say it's no longer the default.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
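The thread turns on which files under /usr an unprivileged reader cannot read, with setuid binaries called out as a special case. The following audit is an added example, not part of the original message and not supermin's code; the function name `audit_world_readable` and the reason strings are hypothetical, and it only inspects mode bits (no ACLs or SELinux labels).

```python
import os
import stat
import sys


def audit_world_readable(root):
    """Return sorted (path, reason) pairs for entries under root that an
    unprivileged process could not read or traverse, judged by mode bits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink modes carry no access information
            if stat.S_ISDIR(mode):
                # Listing and descending both need o+r and o+x.
                needed = stat.S_IROTH | stat.S_IXOTH
                if mode & needed != needed:
                    findings.append((path, "directory not world-traversable"))
            elif stat.S_ISREG(mode) and not mode & stat.S_IROTH:
                # Separate the setuid/setgid case discussed in the thread
                # from ordinary files that simply lack o+r.
                if mode & (stat.S_ISUID | stat.S_ISGID):
                    reason = "setuid/setgid, not world-readable"
                else:
                    reason = "not world-readable"
                findings.append((path, reason))
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    for path, reason in audit_world_readable(target):
        print(f"{reason}\t{path}")
```

Run as an ordinary user, the walk does not descend into directories that user cannot list, so a flagged directory also marks everything beneath it as unexamined.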