[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Lower Process Capabilities



Steve Grubb <sgrubb redhat com> writes:
> On Monday 27 July 2009 09:11:33 am Serge E. Hallyn wrote:
>> Using 0005 will mean root also needs CAP_DAC_OVERRIDE to read/execute,
>> which seems a bit much.  Suddenly it needs extra privilege if i just want
>> it to be able to execute /bin/date.  That actually seems less secure in any
>> real system.

> # ls -l /bin/date 
> -rwxr-xr-x 1 root root 69296 2009-03-02 08:57 /bin/date

> The file is 0755 and therefore is executable by anyone. DAC_OVERRIDE is not 
> needed for anything but writing to the file as in "yum update".

Are you deliberately misunderstanding the point?  Whether /bin/date
is executable is moot if I can't search /bin/ to get to it.

This 0005 business is security theater, or maybe even worse than that.
Please just use 0555 and don't try to be cute.

			regards, tom lane


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]