[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: bash 3.1 update

agree to all above,
if I create a package (normally under Solaris, sorry I'm a Solaris person and spying on you :) ) I make the permissions as strict as possible.
IMHO there is normally no reason WHY a binary executable should be readable. I checked my laptop (FC4) and saw the permissions indeed 755 for bash. A 111 (---x--x--x) is normally enough for a binary. In very rare cases a suid/sgid should (not) be set (see my grey hair).The kernel will still read it though magic and kernel drivers. Script permissions is another story off-course.
My strategy is to make it as difficult as much to myself and try to secure the system from bottom-up. In other words, I should re-define permissions as strict as possible in the rpm. But that is another discussion.
This might be a point for FC6??
2006/1/5, Russell Coker <russell coker com au>:
On Wednesday 04 January 2006 07:16, darrell pfeifer <darrellpf gmail com >
> I have very current rawhide system. This morning I updated bash,
> selinux, coreutils, binutils, glibc....

libsetrans-0.1.13-1 is broken in regard to rpm, which could potentially cause
cascading failures.  Best to upgrade or downgrade that package.  Not sure if
it's related to your problem though.

> I used a set of FC4 disks to boot into rescue mode. Bash had only read
> permission for group/other. Changing bash to rw for everyone got me a
> runnable system again.

You certainly don't want rw for everyone!  Bash should be mode 0755 or
similar, r-x for everyone.

http://www.coker.com.au/selinux/    My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/     Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

fedora-devel-list mailing list
fedora-devel-list redhat com

Peter Bieshaar
NL(0)6 29577255
[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]