From: Ned Ludd <solar@gentoo.org>
To: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] Towards less insecure permissions on gentoo
Date: 05 Jun 2003 18:54:31 -0400
Message-ID: <1054853670.20032.513.camel@simple>
In-Reply-To: <20030605105028.O14500@leftmind.net>
You are correct, 04511 (-r-s--x--x) would be preferred over
04711 (-rws--x--x) or even 04111 (---s--x--x) for binary executable
formats.
As for terminfo and the like, I've never tested removing the owner
writeable bit. After doing a little scouring around, it seems that it
would be easy to test/try it out. In ebuild.sh we find
( export INSOPTIONS="-m0644" ) on or around line 187. I'm unsure at the
moment if this can be overridden in /etc/make.conf (it should be)
or what side effects it would have on upgrading.
On Thu, 2003-06-05 at 10:50, Anthony de Boer wrote:
> Ned Ludd wrote:
> > If you currently are a maintainer of a port that installs files 4755 (I
> > hope you all know who you are) please try to get your port to install
> > 4711 or with even less privs. However if your program is a setid
> > executable script then you should leave the permissions alone.
>
> 4511, perhaps?
>
> When something is installed by a packaging system, and will be stomped at
> the next upgrade without consideration for local mods, I prefer to install
> with all writable bits off. This is more of a concern for those
> oh-so-easily-tweakable scripts than for binaries, and at least encourages
> the superuser to stop and think before making a change, but especially in
> the suid case the more protection the better.
>
> Likewise for installed nonexecutables (terminfo and the like), 444 rather
> than 644.
--
Ned Ludd <solar@gentoo.org>
Gentoo Linux (Hardened)
--
gentoo-dev@gentoo.org mailing list
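A small audit in the spirit of the modes discussed in this thread (4511 rather than 4711 for set-id binaries, 444 rather than 644 for installed data files), as an added example that is not code from the thread or from Portage: it walks a tree, reports every regular file that still carries a write bit, and shows the mode with the write bits cleared. The tree in demo() is constructed in a temporary directory; nothing on the real filesystem is touched.

```python
import os
import stat
import tempfile

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
SETID_BITS = stat.S_ISUID | stat.S_ISGID

def tightened_mode(mode):
    """Clear every write bit, keep set-id/exec bits: 0o4711 -> 0o4511, 0o644 -> 0o444."""
    return stat.S_IMODE(mode) & ~WRITE_BITS

def symbolic(mode):
    """Render a mode the way ls does, e.g. 0o4511 -> '-r-s--x--x'."""
    return stat.filemode(stat.S_IFREG | stat.S_IMODE(mode))

def classify(mode):
    """'setid' or 'writable' for a file with a write bit, None if already tight."""
    perm = stat.S_IMODE(mode)
    if not perm & WRITE_BITS:
        return None
    return "setid" if perm & SETID_BITS else "writable"

def audit_tree(root):
    """Return (relpath, kind, current, suggested) for every regular file under
    root whose mode carries a write bit; set-id findings come first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            kind = classify(st.st_mode) if stat.S_ISREG(st.st_mode) else None
            if kind:
                findings.append((os.path.relpath(path, root), kind,
                                 stat.S_IMODE(st.st_mode), tightened_mode(st.st_mode)))
    findings.sort(key=lambda f: (f[1] != "setid", f[0]))
    return findings

def demo():
    """Constructed tree: a 0o644 terminfo stand-in and a 0o444 one; only the first is reported."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("xterm", 0o644), ("vt100", 0o444)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed terminfo stand-in\n")
            os.chmod(path, mode)
        found = audit_tree(root)
    for rel, kind, cur, new in found:
        print(f"{rel}: {kind} {cur:04o} {symbolic(cur)} -> {new:04o} {symbolic(new)}")
    return found
```

Run against a real install root (for example the image directory of a package build) the same audit_tree() call lists which files an INSOPTIONS of -m0644 left owner-writable.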
Thread overview: 3+ messages
2003-06-03 20:10 [gentoo-dev] Towards less insecure permissions on gentoo Ned Ludd
2003-06-05 14:50 ` Anthony de Boer
2003-06-05 22:54 ` Ned Ludd [this message]