Lower Process Capabilities

Tom Lane tgl at redhat.com
Mon Jul 27 14:45:20 UTC 2009


Steve Grubb <sgrubb at redhat.com> writes:
> On Monday 27 July 2009 09:11:33 am Serge E. Hallyn wrote:
>> Using 0005 will mean root also needs CAP_DAC_OVERRIDE to read/execute,
>> which seems a bit much.  Suddenly it needs extra privilege if I just want
>> it to be able to execute /bin/date.  That actually seems less secure in any
>> real system.

> # ls -l /bin/date 
> -rwxr-xr-x 1 root root 69296 2009-03-02 08:57 /bin/date

> The file is 0755 and therefore is executable by anyone. DAC_OVERRIDE is not 
> needed for anything but writing to the file as in "yum update".

Are you deliberately misunderstanding the point?  Whether /bin/date
is executable is moot if I can't search /bin/ to get to it.

This 0005 business is security theater, or maybe even worse than that.
Please just use 0555 and don't try to be cute.

			regards, tom lane
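
The path-search point in the message above, as an added example that is not part of the original email or of any Fedora code: a simplified Python model of the Linux DAC check (owner class consulted first, capabilities only as a fallback) applied to /bin in modes 0005, 0555 and 0755. The inode values are constructed, and ACLs and LSMs are ignored.

```python
# Added illustration: simplified model of the Linux DAC check, not kernel code.
import stat
from collections import namedtuple

Inode = namedtuple("Inode", "mode uid gid")
R, W, X = 4, 2, 1

def dac_allows(inode, uid, gids, want, caps=frozenset()):
    """True if a process (uid, gids, caps) may access inode with `want` bits."""
    # Exactly one class is consulted: owner first, then group, then other.
    if uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif inode.gid in gids:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    if bits & want == want:
        return True
    is_dir = stat.S_ISDIR(inode.mode)
    if "CAP_DAC_OVERRIDE" in caps:
        # Execute on a regular file still needs at least one x bit set.
        if is_dir or not (want & X) or inode.mode & 0o111:
            return True
    if "CAP_DAC_READ_SEARCH" in caps:
        # Read for files; read and search for directories; never write.
        if want == R or (is_dir and not (want & W)):
            return True
    return False

def can_exec(path_dirs, target, uid, gids, caps=frozenset()):
    """Search (x) is needed on every directory in the path, then x on the file."""
    return (all(dac_allows(d, uid, gids, X, caps) for d in path_dirs)
            and dac_allows(target, uid, gids, X, caps))

# Constructed inodes: /bin/date as in the ls output above, /bin owned by root.
DATE = Inode(stat.S_IFREG | 0o755, 0, 0)
def bin_dir(mode):
    return Inode(stat.S_IFDIR | mode, 0, 0)

def summary():
    rows = {}
    for mode in (0o005, 0o555, 0o755):
        d = [bin_dir(mode)]
        rows[oct(mode)] = (
            can_exec(d, DATE, 0, {0}),                        # root, no caps
            can_exec(d, DATE, 0, {0}, {"CAP_DAC_OVERRIDE"}),  # root, with cap
            can_exec(d, DATE, 1000, {1000}),                  # ordinary user
        )
    return rows
```

Each tuple in `summary()` is (root without capabilities, root with CAP_DAC_OVERRIDE, unprivileged user); only the 0005 row denies capability-less root, while the unprivileged user passes in every row.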




More information about the fedora-devel-list mailing list