From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 27096 invoked by uid 1002); 5 Jun 2003 14:50:29 -0000 Mailing-List: contact gentoo-dev-help@gentoo.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Received: (qmail 17774 invoked from network); 5 Jun 2003 14:50:29 -0000 Date: Thu, 5 Jun 2003 10:50:28 -0400 From: Anthony de Boer To: gentoo-dev@gentoo.org Message-ID: <20030605105028.O14500@leftmind.net> References: <1054671011.20032.320.camel@simple> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1054671011.20032.320.camel@simple>; from solar@gentoo.org on Tue, Jun 03, 2003 at 04:10:12PM -0400 Subject: Re: [gentoo-dev] Towards less insecure permissions on gentoo X-Archives-Salt: e472d52d-6c58-432b-aca9-c4a6fb983212 X-Archives-Hash: 4e29b814e77c8cf44c94b79d4f9d7139 Ned Ludd wrote: > If you currently are a maintainer of a port that installs files 4755(I > hope you all know who you are) please try to get your port to install > 4711 or with even less privs. However if your program is a setid > executable script then you should leave the permissions alone. 4511, perhaps? When something is installed by a packaging system, and will be stomped at the next upgrade without consideration for local mods, I prefer to install with all writable bits off. This is more of a concern for those oh-so-easily-tweakable scripts than for binaries, and at least encourages the superuser to stop and think before making a change, but especially in the suid case the more protection the better. Likewise for installed nonexecutables (terminfo and the like), 444 rather than 644. -- Anthony de Boer -- gentoo-dev@gentoo.org mailing list