immutable bit

Deron Meranda deron.meranda at gmail.com
Tue Nov 29 16:03:44 UTC 2005


On 11/29/05, James Wilkinson <fedora at westexe.demon.co.uk> wrote:
> preeti malakar wrote:
> > Why is the immutable bit of all system binaries viz files in /sbin, /bin, /usr
> > not set, so that none can change or delete them?
>
> As Paul said, that would stop yum and rpm from upgrading those programs
> (say if the immutable binary has a security bug).

Also, that would cause the prelink cron job to fail, since it does
intentionally modify files.

There's nothing, of course, to keep you from setting the immutable
bit.  And if you're building a super hardened system perhaps you
should.  It's just an extra layer beyond POSIX file permissions,
mount options (mounting /usr read-only) and perhaps SELinux.
But you must be prepared for things like rpm/yum or prelink to fail.

But I don't think this should be the default since it would confuse
the heck out of most administrators, and scripts as well.
--
Deron Meranda

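The interaction Deron describes, as an added shell example that is not part of the original thread: a helper that reads the `i` flag from `lsattr` output, and a wrapper that temporarily clears the bit around an updater (rpm/yum, prelink) and restores it afterwards. It assumes `chattr`/`lsattr` from e2fsprogs on a filesystem that honours the attribute, and root (CAP_LINUX_IMMUTABLE) for the optional demo; the sample `lsattr` lines are constructed.

```shell
#!/bin/bash
# Added example (not code from the fedora-list thread). Requires chattr/lsattr
# from e2fsprogs; the demo additionally needs root and an ext/xfs filesystem.

# is_immutable_attr LINE
# Parse one line of `lsattr` output, e.g. "----i---------e------- /bin/ls",
# and succeed if the lowercase 'i' (immutable) flag is set. The match is
# case-sensitive, so the unrelated uppercase 'I' (indexed dir) flag is ignored.
is_immutable_attr() {
    local attrs=${1%% *}      # attribute field is everything before the first space
    case "$attrs" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# file_is_immutable PATH - query the live filesystem for the +i attribute.
file_is_immutable() {
    is_immutable_attr "$(lsattr -d -- "$1" 2>/dev/null)"
}

# with_mutable PATH CMD... - run CMD with the immutable bit cleared on PATH,
# then put it back. This is what an updater would have to do on a hardened
# box; plain rpm/yum/prelink do not, which is why they simply fail.
with_mutable() {
    local f=$1 restore=0 rc
    shift
    if file_is_immutable "$f"; then
        chattr -i -- "$f" || return 1     # needs CAP_LINUX_IMMUTABLE
        restore=1
    fi
    "$@"
    rc=$?
    if [ "$restore" -eq 1 ]; then
        chattr +i -- "$f"
    fi
    return "$rc"
}

# demo - show that even root cannot write a +i file, then update it via
# with_mutable. Only runs when IMMUTABLE_DEMO=1 is set in the environment.
demo() {
    local f
    f=$(mktemp /tmp/immutable.XXXXXX) || return 1
    echo "original" > "$f"
    if ! chattr +i -- "$f"; then
        echo "chattr +i failed (need root and a filesystem with attribute support)"
        rm -f -- "$f"
        return 1
    fi
    if echo "changed" >> "$f" 2>/dev/null; then
        echo "unexpected: write succeeded despite +i"
    else
        echo "write refused while +i is set (as it would be for rpm/yum/prelink)"
    fi
    with_mutable "$f" sh -c "echo updated > '$f'"
    echo "after with_mutable: $(cat -- "$f"); immutable again: $(file_is_immutable "$f" && echo yes || echo no)"
    chattr -i -- "$f"      # rm would fail on an immutable file
    rm -f -- "$f"
}

if [ "${IMMUTABLE_DEMO-}" = 1 ]; then
    demo
fi
```

Run with `IMMUTABLE_DEMO=1 sudo bash immutable.sh` to see the refused write followed by the successful update through `with_mutable`; note that the wrapper restores `+i` even when the command fails, and that only the parser needs no privileges.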