agree to all above,
If I create a package (normally under Solaris; sorry, I'm a Solaris person and spying on you :) ), I make the permissions as strict as possible.
IMHO there is normally no reason WHY a binary executable should be readable. I checked my laptop (FC4) and saw the permissions are indeed 755 for bash. A 111 (---x--x--x) is normally enough for a binary. In very rare cases a suid/sgid should (not) be set (see my grey hair). The kernel will still read it through magic and kernel drivers. Script permissions are another story, of course.
My strategy is to make it as difficult as possible for myself and try to secure the system from the bottom up. In other words, I should re-define permissions as strictly as possible in the rpm. But that is another discussion.
This might be a point for FC6??
2006/1/5, Russell Coker <russell@xxxxxxxxxxxx>:
On Wednesday 04 January 2006 07:16, darrell pfeifer <darrellpf@xxxxxxxxx> wrote:
> I have very current rawhide system. This morning I updated bash,
> selinux, coreutils, binutils, glibc....
libsetrans-0.1.13-1 is broken in regard to rpm, which could potentially cause
cascading failures. Best to upgrade or downgrade that package. Not sure if
it's related to your problem though.
> I used a set of FC4 disks to boot into rescue mode. Bash had only read
> permission for group/other. Changing bash to rw for everyone got me a
> runnable system again.
You certainly don't want rw for everyone! Bash should be mode 0755 or
similar, r-x for everyone.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
--
Peter Bieshaar
NL(0)6 29577255
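
The permission points raised in this thread (no write access for group/other on executables, execute-only modes for binaries, scripts needing read access) can be checked mechanically. The following is an added example, not code from any poster in the thread; the function names and the sample files are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_executables(root):
    """Return {relative path: [findings]} for executable regular files under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue
            mode = stat.S_IMODE(st.st_mode)
            findings = []
            if mode & 0o022:
                findings.append("writable by group/other")
            if mode & 0o6000:
                findings.append("setuid/setgid set")
            try:
                with open(path, "rb") as fh:
                    magic = fh.read(2)
            except PermissionError:
                magic = b""  # auditing user cannot read it; file type unknown
            # A "#!" script is opened by its interpreter as the calling user, so
            # x without r is not enough; an ELF binary is loaded by the kernel.
            if magic == b"#!":
                for who, x_bit, r_bit in (("group", 0o010, 0o040), ("other", 0o001, 0o004)):
                    if mode & x_bit and not mode & r_bit:
                        findings.append(f"script not readable by {who}")
            report[os.path.relpath(path, root)] = findings
    return report

def build_sample_tree(root):
    samples = {  # constructed files: names, contents and modes are made up
        "shell_0777": (b"\x7fELF" + b"\0" * 12, 0o777),
        "tool_0511": (b"\x7fELF" + b"\0" * 12, 0o511),
        "script_0711": (b"#!/bin/sh\necho hi\n", 0o711),
    }
    for name, (content, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_executables(tmp))
```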