bash 3.1 update
Russell Coker
russell at coker.com.au
Thu Jan 5 14:02:27 UTC 2006
On Friday 06 January 2006 00:00, Peter Bieshaar <peter.bieshaar at gmail.com>
wrote:
> IMHO there is normally no reason WHY a binary executable should be
> readable. I checked my laptop (FC4) and saw the permissions indeed 755 for
> bash. A 111 (---x--x--x) is normally enough for a binary.
In the case of programs shipped as part of Fedora every computer user in the
world can get a copy of them, so there is not anything secret.
There is a significant usability benefit in having the files world readable.
For example just say you use a Fedora machine and after an upgrade gpg
crashes (which just happened in rawhide incidentally). The first thing you
might suspect is that the gpg binary was corrupt, the solution to this is to
copy the binary from another machine for test purposes. The other machine in
question may be one one which you don't have root access or it may be that
you don't want to change to the root account for such a trivial operation
(think shoulder-surfing).
> In very rare
> cases a suid/sgid should (not) be set (see my grey hair).
I'm not sure what you are saying here. You may be referencing the idea that
SUID binaries should be mode 4711 so that users can't read them to search for
security holes, but the fact that everyone in the world can get access to
them blows that out of the water.
It may be that you don't want a potentially hostile user to know the version
of a program that you have installed, but a regular user can run "rpm -qa" to
get such information and more.
> My strategy is to make it as difficult as much to myself and try to secure
> the system from bottom-up. In other words, I should re-define permissions
> as strict as possible in the rpm. But that is another discussion.
Have you tried the "strict" SE Linux policy?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
More information about the fedora-devel-list
mailing list