bash 3.1 update

Russell Coker russell at
Thu Jan 5 14:02:27 UTC 2006

On Friday 06 January 2006 00:00, Peter Bieshaar <peter.bieshaar at> 
> IMHO there is normally no reason WHY a binary executable should be
> readable. I checked my laptop (FC4) and saw the permissions indeed 755 for
> bash. A 111 (---x--x--x) is normally enough for a binary.

In the case of programs shipped as part of Fedora every computer user in the 
world can get a copy of them, so there is not anything secret.

There is a significant usability benefit in having the files world readable.  
For example just say you use a Fedora machine and after an upgrade gpg 
crashes (which just happened in rawhide incidentally).  The first thing you 
might suspect is that the gpg binary was corrupt, the solution to this is to 
copy the binary from another machine for test purposes.  The other machine in 
question may be one one which you don't have root access or it may be that 
you don't want to change to the root account for such a trivial operation 
(think shoulder-surfing).

> In very rare 
> cases a suid/sgid should (not) be set (see my grey hair).

I'm not sure what you are saying here.  You may be referencing the idea that 
SUID binaries should be mode 4711 so that users can't read them to search for 
security holes, but the fact that everyone in the world can get access to 
them blows that out of the water.

It may be that you don't want a potentially hostile user to know the version 
of a program that you have installed, but a regular user can run "rpm -qa" to 
get such information and more.

> My strategy is to make it as difficult as much to myself and try to secure
> the system from bottom-up. In other words, I should re-define permissions
> as strict as possible in the rpm. But that is another discussion.

Have you tried the "strict" SE Linux policy?

--   My NSA Security Enhanced Linux packages  Bonnie++ hard drive benchmark    Postal SMTP/POP benchmark  My home page

More information about the fedora-devel-list mailing list