From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 3509 invoked by uid 1002); 5 Jun 2003 22:54:33 -0000 Mailing-List: contact gentoo-dev-help@gentoo.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Received: (qmail 14181 invoked from network); 5 Jun 2003 22:54:33 -0000 From: Ned Ludd Reply-To: solar@gentoo.org To: gentoo-dev@gentoo.org In-Reply-To: <20030605105028.O14500@leftmind.net> References: <1054671011.20032.320.camel@simple> <20030605105028.O14500@leftmind.net> Content-Type: text/plain Organization: Gentoo Linux (Hardened) Message-Id: <1054853670.20032.513.camel@simple> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.2.2- Date: 05 Jun 2003 18:54:31 -0400 Content-Transfer-Encoding: 7bit Subject: Re: [gentoo-dev] Towards less insecure permissions on gentoo X-Archives-Salt: e7801a85-623f-40bd-a737-b546a03a520e X-Archives-Hash: 451b58a2728cd4d67c55827ab4192fc7 You are correct 04511(-r-s--x--x) would be prefered over 04711(-rws--x--x) or even 04111(---s--x--x) for binary executable formats. As for terminfo and the like I've never tested removing the owner writeable bit. After doing a little scouring around it seems that it would be easy to test/try it out. In ebuild.sh we find ( export INSOPTIONS="-m0644" ) on or around line 187. I'm unsure at the moment if this can be overriden in the /etc/make.conf (It should be) or what side affects it would have on upgrading. On Thu, 2003-06-05 at 10:50, Anthony de Boer wrote: > Ned Ludd wrote: > > If you currently are a maintainer of a port that installs files 4755(I > > hope you all know who you are) please try to get your port to install > > 4711 or with even less privs. However if your program is a setid > > executable script then you should leave the permissions alone. > > 4511, perhaps? > > When something is installed by a packaging system, and will be stomped at > the next upgrade without consideration for local mods, I prefer to install > with all writable bits off. This is more of a concern for those > oh-so-easily-tweakable scripts than for binaries, and at least encourages > the superuser to stop and think before making a change, but especially in > the suid case the more protection the better. > > Likewise for installed nonexecutables (terminfo and the like), 444 rather > than 644. -- Ned Ludd Gentoo Linux (Hardened) -- gentoo-dev@gentoo.org mailing list