On Thu, Jan 28, 2010 at 09:43:09AM -0600, Serge E. Hallyn wrote:
> Quoting Richard Zidlicky (r...@linux-m68k.org):
> > On Wed, Jan 27, 2010 at 11:11:41AM -0600, Serge E. Hallyn wrote:
> >
> > > > All in all I think it's a shame that the original proposal didn't work
> > > > out at this time. Havin
Quoting Richard Zidlicky (r...@linux-m68k.org):
> On Wed, Jan 27, 2010 at 11:11:41AM -0600, Serge E. Hallyn wrote:
>
> > > All in all I think it's a shame that the original proposal didn't work
> > > out at this time. Having binaries owned by bin:bin does have Unix (but
> > > not Linux AFAIK) trad
On Wed, Jan 27, 2010 at 11:11:41AM -0600, Serge E. Hallyn wrote:
> > All in all I think it's a shame that the original proposal didn't work
> > out at this time. Having binaries owned by bin:bin does have Unix (but
> > not Linux AFAIK) tradition behind it.
>
> And remounting ro doesn't let a task
On Wed, Jan 27, 2010 at 04:10:39PM +0100, Benny Amorsen wrote:
>
> > Mounting the fs read only is much easier and safer - and has long tradition.
>
> This is not feasible as a distribution policy. You can't guarantee that
> /usr/bin is on its own partition so you can mount it read only.
of cour
Quoting Benny Amorsen (benny+use...@amorsen.dk):
> Richard Zidlicky writes:
>
> > Mounting the fs read only is much easier and safer - and has long tradition.
>
> This is not feasible as a distribution policy. You can't guarantee that
> /usr/bin is on its own partition so you can mount it read o
Richard Zidlicky writes:
> Mounting the fs read only is much easier and safer - and has long tradition.
This is not feasible as a distribution policy. You can't guarantee that
/usr/bin is on its own partition so you can mount it read only. The only
way to achieve it would be creative use of moun
On Tue, Jan 26, 2010 at 04:01:58PM +0100, Miloslav Trmač wrote:
> Stefan Schulze Frielinghaus wrote on Tue 26. 01. 2010 at 11:16 +0100:
> > On Mon, 2010-01-25 at 14:48 -0600, Garrett Holmstrom wrote:
> > > On Mon, Jan 25, 2010 at 11:54 AM, Till Maas wrote:
> > > > On Mon, Jan 25, 2010 at 12:45:26PM -
Quoting Miloslav Trmač (m...@volny.cz):
> Stefan Schulze Frielinghaus wrote on Tue 26. 01. 2010 at 11:16 +0100:
> > On Mon, 2010-01-25 at 14:48 -0600, Garrett Holmstrom wrote:
> > > On Mon, Jan 25, 2010 at 11:54 AM, Till Maas wrote:
> > > > On Mon, Jan 25, 2010 at 12:45:26PM -0500, Mike McLean wrote:
Stefan Schulze Frielinghaus wrote on Tue 26. 01. 2010 at 11:16 +0100:
> On Mon, 2010-01-25 at 14:48 -0600, Garrett Holmstrom wrote:
> > On Mon, Jan 25, 2010 at 11:54 AM, Till Maas wrote:
> > > On Mon, Jan 25, 2010 at 12:45:26PM -0500, Mike McLean wrote:
> > >
> > >> Furthermore, when the user is root
On Mon, 2010-01-25 at 14:48 -0600, Garrett Holmstrom wrote:
> On Mon, Jan 25, 2010 at 11:54 AM, Till Maas wrote:
> > On Mon, Jan 25, 2010 at 12:45:26PM -0500, Mike McLean wrote:
> >
> >> Furthermore, when the user is root, the 0555 mode will not prevent
> >> writing as it would for normal users.
>
On Mon, Jan 25, 2010 at 11:54 AM, Till Maas wrote:
> On Mon, Jan 25, 2010 at 12:45:26PM -0500, Mike McLean wrote:
>
>> Furthermore, when the user is root, the 0555 mode will not prevent
>> writing as it would for normal users.
>
> It does not matter, whether the user is root, but whether he has th
Till Maas wrote on Mon 25. 01. 2010 at 18:58 +0100:
> Is there a tracker about what else needs to be done to finish this up?
Good idea, I have filed
https://bugzilla.redhat.com/show_bug.cgi?id=558612 .
(Realistically, this probably won't ever be "finished" because after
handling the low-hanging fruit
On Mon, Jan 25, 2010 at 12:54 PM, Till Maas wrote:
> It does not matter, whether the user is root, but whether he has the
> dac_override capability. If you read the original mail (1st paragraph)
> again with this in mind, you will understand the reason for the change.
Thanks. Sorry for the noise.
On Fri, Jan 22, 2010 at 12:19:49PM +0100, Miloslav Trmač wrote:
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be
On Mon, Jan 25, 2010 at 12:45:26PM -0500, Mike McLean wrote:
> Furthermore, when the user is root, the 0555 mode will not prevent
> writing as it would for normal users.
It does not matter, whether the user is root, but whether he has the
dac_override capability. If you read the original mail (1s
2010/1/22 Miloslav Trmač :
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often using mode 0555.
On Friday 22 January 2010, Steve Grubb wrote:
> On Friday 22 January 2010 01:30:11 pm Richard Zidlicky wrote:
> > so one of the next steps might also be to allow some filesystems to be
> > read-only? Can be done manually of course but most of the time I am too
> > lazy to do that.
>
> That make
On Friday 22 January 2010 09:54:35 pm Garrett Holmstrom wrote:
> > I don't expect any problems from this change (it can affect only daemons
> > that drop capabilities, and executables owned by other users than root);
> > in the unusual case where making the executable not writeable did cause
> > so
2010/1/22 Miloslav Trmač :
> Hello,
> In Fedora 12 several daemons (e.g. dhclient) were modified to drop
> unnecessary capabilities, most importantly the "dac_override"
> capability, allowing the daemon to ignore file permission bits. This,
> in combination with removing some permissions from impo
On Friday 22 January 2010 01:30:11 pm Richard Zidlicky wrote:
> > We would want to change the owner write permission bit for all
> > executables. In F-12 we took care of the major directories, this is
> > phase 2 of the same project where we take a bigger step. Phase 1 was
> > proving that the mis
On Fri, Jan 22, 2010 at 01:15:02PM -0500, Steve Grubb wrote:
> On Friday 22 January 2010 10:25:47 am David Malcolm wrote:
> > i.e. it seems to me like it's worth going through the Feature process
> > (either as a Feature or an Enhancement), if only to capture the standard
> > concerns there and cre
On Friday 22 January 2010 10:25:47 am David Malcolm wrote:
> i.e. it seems to me like it's worth going through the Feature process
> (either as a Feature or an Enhancement), if only to capture the standard
> concerns there and create a URL describing the change; see:
> https://fedoraproject.org/wik
On Fri, 2010-01-22 at 12:19 +0100, Miloslav Trmač wrote:
> Hello,
> In Fedora 12 several daemons (e.g. dhclient) were modified to drop
> unnecessary capabilities, most importantly the "dac_override"
> capability, allowing the daemon to ignore file permission bits. This,
> in combination with remov
Once upon a time, Miloslav Trmač said:
> Chris Adams wrote on Fri 22. 01. 2010 at 08:06 -0600:
> > Once upon a time, Miloslav Trmač said:
> > > We can extend the protection to all executables by a simple addition to
> > > redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
Chris Adams wrote on Fri 22. 01. 2010 at 08:06 -0600:
> Once upon a time, Miloslav Trmač said:
> > We can extend the protection to all executables by a simple addition to
> > redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> > After applying this patch, executable files in a
Once upon a time, Miloslav Trmač said:
> We can extend the protection to all executables by a simple addition to
> redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> After applying this patch, executable files in all rebuilt packages
> would not be writeable, most often us
On Fri, Jan 22, 2010 at 12:19:49PM +0100, Miloslav Trmač wrote:
> Hello,
> In Fedora 12 several daemons (e.g. dhclient) were modified to drop
> unnecessary capabilities, most importantly the "dac_override"
> capability, allowing the daemon to ignore file permission bits. This,
> in combination wit
Ralf Corsepius wrote on Fri 22. 01. 2010 at 12:36 +0100:
> On 01/22/2010 12:19 PM, Miloslav Trmač wrote:
> > We can extend the protection to all executables by a simple addition to
> > redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ).
> > After applying this patch, executable fi
On 01/22/2010 12:19 PM, Miloslav Trmač wrote:
> Hello,
> In Fedora 12 several daemons (e.g. dhclient) were modified to drop
> unnecessary capabilities, most importantly the "dac_override"
> capability, allowing the daemon to ignore file permission bits. This,
> in combination with removing some pe
Hello,
In Fedora 12 several daemons (e.g. dhclient) were modified to drop
unnecessary capabilities, most importantly the "dac_override"
capability, allowing the daemon to ignore file permission bits. This,
in combination with removing some permissions from important system
directories and files (s