[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: bash 3.1 update



On Friday 06 January 2006 00:00, Peter Bieshaar <peter bieshaar gmail com> 
wrote:
> IMHO there is normally no reason WHY a binary executable should be
> readable. I checked my laptop (FC4) and saw the permissions indeed 755 for
> bash. A 111 (---x--x--x) is normally enough for a binary.

In the case of programs shipped as part of Fedora every computer user in the 
world can get a copy of them, so there is not anything secret.

There is a significant usability benefit in having the files world readable.  
For example just say you use a Fedora machine and after an upgrade gpg 
crashes (which just happened in rawhide incidentally).  The first thing you 
might suspect is that the gpg binary was corrupt, the solution to this is to 
copy the binary from another machine for test purposes.  The other machine in 
question may be one one which you don't have root access or it may be that 
you don't want to change to the root account for such a trivial operation 
(think shoulder-surfing).

> In very rare 
> cases a suid/sgid should (not) be set (see my grey hair).

I'm not sure what you are saying here.  You may be referencing the idea that 
SUID binaries should be mode 4711 so that users can't read them to search for 
security holes, but the fact that everyone in the world can get access to 
them blows that out of the water.

It may be that you don't want a potentially hostile user to know the version 
of a program that you have installed, but a regular user can run "rpm -qa" to 
get such information and more.

> My strategy is to make it as difficult as much to myself and try to secure
> the system from bottom-up. In other words, I should re-define permissions
> as strict as possible in the rpm. But that is another discussion.

Have you tried the "strict" SE Linux policy?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]