On Friday 06 January 2006 00:00, Peter Bieshaar <peter.bieshaar@xxxxxxxxx> wrote:
> IMHO there is normally no reason WHY a binary executable should be
> readable. I checked my laptop (FC4) and saw the permissions indeed 755 for
> bash. A 111 (---x--x--x) is normally enough for a binary.

In the case of programs shipped as part of Fedora every computer user in the world can get a copy of them, so there is not anything secret.

There is a significant usability benefit in having the files world readable. For example, just say you use a Fedora machine and after an upgrade gpg crashes (which just happened in rawhide, incidentally). The first thing you might suspect is that the gpg binary was corrupt; the solution to this is to copy the binary from another machine for test purposes. The other machine in question may be one on which you don't have root access, or it may be that you don't want to change to the root account for such a trivial operation (think shoulder-surfing).

> In very rare
> cases a suid/sgid should (not) be set (see my grey hair).

I'm not sure what you are saying here. You may be referencing the idea that SUID binaries should be mode 4711 so that users can't read them to search for security holes, but the fact that everyone in the world can get access to them blows that out of the water. It may be that you don't want a potentially hostile user to know the version of a program that you have installed, but a regular user can run "rpm -qa" to get such information and more.

> My strategy is to make it as difficult as much to myself and try to secure
> the system from bottom-up. In other words, I should re-define permissions
> as strict as possible in the rpm. But that is another discussion.

Have you tried the "strict" SE Linux policy?
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
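The modes argued over above (755 vs 111 for an ordinary binary, 4711 vs 4755 for a setuid one) differ only in the world-read bit. The following shell script is an added example, not part of the list post or of Fedora's tooling: it builds a scratch directory containing files set to exactly those modes (the file names bash, gpg, su and mount are constructed labels, not real binaries) and audits which setuid/setgid files are world-readable and which are "hidden" at the 4711 style. It assumes GNU coreutils `stat -c '%a'` and a filesystem that honours the setuid bit.

```shell
# Added example (not from the mailing-list post): audit setuid/setgid files
# for the world-read bit, using a constructed sample tree. Assumes GNU stat.
set -u

# Build a temp directory of sample "binaries" in the modes under discussion:
# 0755 (readable), 0111 (execute-only), 4711 (setuid, hidden), 4755 (setuid, readable).
make_sample_tree() {
    dir=$(mktemp -d)
    for spec in bash:0755 gpg:0111 su:4711 mount:4755; do
        name=${spec%%:*}
        mode=${spec##*:}
        printf '#!/bin/sh\nexit 0\n' > "$dir/$name"
        chmod "$mode" "$dir/$name"
    done
    echo "$dir"
}

# Print one line per setuid or setgid regular file under $1:
#   "<octal mode> <readable|hidden> <path>"
# "readable" means the world-read bit (the 4 in the last octal digit) is set.
audit_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort | while read -r f; do
        mode=$(stat -c '%a' "$f")
        # Prefix 0 so the shell parses the mode as octal before masking the bit.
        if [ $(( 0$mode & 4 )) -ne 0 ]; then
            tag=readable
        else
            tag=hidden
        fi
        printf '%s %s %s\n' "$mode" "$tag" "$f"
    done
}

# Count setuid/setgid files that are not world-readable (the 4711 case).
count_hidden_suid() {
    audit_suid "$1" | grep -c ' hidden '
}

# Demo: build the sample tree, audit it, clean up.
demo_dir=$(make_sample_tree)
audit_suid "$demo_dir"
rm -rf "$demo_dir"
```

Run it on a real system with `audit_suid /usr/bin` to see how few packaged setuid binaries are actually execute-only; as the post notes, the read bit buys nothing against someone who can fetch the same package from a mirror.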