Re: bash 3.1 update


 



Agree to all of the above.

If I create a package (normally under Solaris; sorry, I'm a Solaris person and spying on you :) ) I make the permissions as strict as possible.

IMHO there is normally no reason why a binary executable should be readable. I checked my laptop (FC4) and saw the permissions are indeed 755 for bash. A 111 (---x--x--x) is normally enough for a binary. In very rare cases a suid/sgid should (not) be set (see my grey hair). The kernel will still read it through magic and kernel drivers. Script permissions are another story, of course.

My strategy is to make it as difficult as possible for myself and try to secure the system from the bottom up. In other words, I should redefine permissions as strictly as possible in the rpm. But that is another discussion.
 
This might be a point for FC6??
 
 
2006/1/5, Russell Coker <russell@xxxxxxxxxxxx>:
On Wednesday 04 January 2006 07:16, darrell pfeifer <darrellpf@xxxxxxxxx> wrote:
> I have very current rawhide system. This morning I updated bash,
> selinux, coreutils, binutils, glibc....

libsetrans-0.1.13-1 is broken in regard to rpm, which could potentially cause
cascading failures.  Best to upgrade or downgrade that package.  Not sure if
it's related to your problem though.

> I used a set of FC4 disks to boot into rescue mode. Bash had only read
> permission for group/other. Changing bash to rw for everyone got me a
> runnable system again.

You certainly don't want rw for everyone!  Bash should be mode 0755 or
similar, r-x for everyone.

--
http://www.coker.com.au/selinux/    My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/     Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list



--
Peter Bieshaar
NL(0)6 29577255
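
As an added example (not part of this thread or of any Fedora tooling), the modes discussed above can be told apart with a small shell audit. It assumes GNU `stat -c %a`; the function names `classify_mode` and `audit_dir` are made up for this illustration.

```shell
#!/bin/sh
# Added example: classify the permission bits of executables.
# Assumption: GNU stat (`stat -c %a`), as shipped on Fedora.

# classify_mode OCTAL_MODE -> prints one finding for a binary's mode
classify_mode() (
    m=$((0$1))                      # leading 0 makes the shell parse octal
    if [ $((m & 0022)) -ne 0 ]; then
        echo "writable-by-group-or-other"  # anyone in group/other can replace it
    elif [ $((m & 0001)) -eq 0 ]; then
        echo "not-executable-by-other"     # e.g. read-only for group/other
    elif [ $((m & 06000)) -ne 0 ]; then
        echo "setid-review"                # suid/sgid should be rare
    elif [ $((m & 0044)) -eq 0 ]; then
        echo "execute-only"                # 0111-style strict packaging
    else
        echo "ok"                          # 0755-style default
    fi
)

# audit_dir DIR -> prints "finding mode path" for each regular file not "ok"
audit_dir() {
    for f in "$1"/*; do
        # skip directories and symlinks (a symlink's own mode is meaningless)
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        mode=$(stat -c %a "$f")
        finding=$(classify_mode "$mode")
        [ "$finding" = "ok" ] || printf '%s %s %s\n' "$finding" "$mode" "$f"
    done
}

# When run with a directory argument, audit it (e.g. ./audit.sh /bin)
if [ $# -gt 0 ]; then
    audit_dir "$1"
fi
```
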