Re: bash 3.1 update

[Peter Bieshaar <peter bieshaar gmail com>]

agree to all above,

 

if I create a package (normally under Solaris, sorry I'm a Solaris person and spying on you :) ) I make the permissions as strict as possible.

 

IMHO there is normally no reason WHY a binary executable should be readable. I checked my laptop (FC4) and saw the permissions indeed 755 for bash. A 111 (---x--x--x) is normally enough for a binary. In very rare cases a suid/sgid should (not) be set (see my grey hair).The kernel will still read it though magic and kernel drivers. Script permissions is another story off-course.

 

My strategy is to make it as difficult as much to myself and try to secure the system from bottom-up. In other words, I should re-define permissions as strict as possible in the rpm. But that is another discussion.

 

This might be a point for FC6??

 

 

2006/1/5, Russell Coker <russell coker com au>:

On Wednesday 04 January 2006 07:16, darrell pfeifer <darrellpf gmail com >
wrote:
> I have very current rawhide system. This morning I updated bash,
> selinux, coreutils, binutils, glibc....

libsetrans-0.1.13-1 is broken in regard to rpm, which could potentially cause
cascading failures.  Best to upgrade or downgrade that package.  Not sure if
it's related to your problem though.

> I used a set of FC4 disks to boot into rescue mode. Bash had only read
> permission for group/other. Changing bash to rw for everyone got me a
> runnable system again.

You certainly don't want rw for everyone!  Bash should be mode 0755 or
similar, r-x for everyone.

--
http://www.coker.com.au/selinux/    My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/     Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
fedora-devel-list mailing list
fedora-devel-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

-- 
Peter Bieshaar
NL(0)6 29577255