bash 3.1 update

Peter Bieshaar peter.bieshaar at gmail.com
Thu Jan 5 13:00:09 UTC 2006


agree to all above,

if I create a package (normally under Solaris, sorry I'm a Solaris person
and spying on you :) ) I make the permissions as strict as possible.

IMHO there is normally no reason WHY a binary executable should be readable.
I checked my laptop (FC4) and saw the permissions are indeed 755 for bash. A 111
(---x--x--x) is normally enough for a binary. In very rare cases a suid/sgid
should (not) be set (see my grey hair). The kernel will still read it
through magic and kernel drivers. Script permissions are another story,
of course.

My strategy is to make it as difficult as possible for myself and try to secure
the system from the bottom up. In other words, I should redefine permissions as
strictly as possible in the rpm. But that is another discussion.

This might be a point for FC6??


2006/1/5, Russell Coker <russell at coker.com.au>:
>
> On Wednesday 04 January 2006 07:16, darrell pfeifer <darrellpf at gmail.com> wrote:
> > I have very current rawhide system. This morning I updated bash,
> > selinux, coreutils, binutils, glibc....
>
> libsetrans-0.1.13-1 is broken in regard to rpm, which could potentially
> cause cascading failures.  Best to upgrade or downgrade that package.
> Not sure if it's related to your problem though.
>
> > I used a set of FC4 disks to boot into rescue mode. Bash had only read
> > permission for group/other. Changing bash to rw for everyone got me a
> > runnable system again.
>
> You certainly don't want rw for everyone!  Bash should be mode 0755 or
> similar, r-x for everyone.
>
> --
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page
>
> --
> fedora-devel-list mailing list
> fedora-devel-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>



--
Peter Bieshaar
NL(0)6 29577255
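
Added example, not part of the original thread: a small shell audit that sorts an executable's mode into the cases discussed above (0755 versus 0111, the "rw for everyone" change, and a bash that other users cannot execute). The function names and category labels are made up for this example, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the thread): classify an executable's permission bits.

# classify_mode OCTAL_MODE
# Prints one finding for a mode such as 755, 111 or 4755.
classify_mode() {
    m=$(( 0$1 ))                      # leading 0 makes the shell parse it as octal
    if [ $(( m & 0022 )) -ne 0 ]; then
        echo "writable-by-others"     # group or other may modify the binary
    elif [ $(( m & 06000 )) -ne 0 ]; then
        echo "setid"                  # suid or sgid bit set, review by hand
    elif [ $(( m & 0001 )) -eq 0 ]; then
        echo "not-executable"         # other users cannot run it
    elif [ $(( m & 0444 )) -eq 0 ]; then
        echo "execute-only"           # the 0111 (---x--x--x) proposal
    else
        echo "read-execute"           # e.g. 0755
    fi
}

# audit_file PATH
# Prints "PATH MODE FINDING". Assumes GNU stat (-c '%a' prints the octal mode).
audit_file() {
    mode=$(stat -c '%a' -- "$1") || return 1
    printf '%s %s %s\n' "$1" "$mode" "$(classify_mode "$mode")"
}

# Audit every path given on the command line, e.g.: sh audit.sh /bin/bash
for f in "$@"; do
    audit_file "$f"
done
```
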