Bug 556897

Summary: [PATCH] Make executables non-writeable even by owner
Product: Fedora
Reporter: Miloslav Trmač <mitr>
Component: redhat-rpm-config
Assignee: Panu Matilainen <pmatilai>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: jonathan, kevin, pmatilai, sgrubb
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-01-26 10:10:11 EST

Attachments (flags: none):
- New __os_install_post step: drop "write" permission bits on executables
- Spec file patch
New __os_install_post step: drop "write" permission bits on executables
Spec file patch none

Description Miloslav Trmač 2010-01-19 14:01:44 EST
Created attachment 385465 [details]
New __os_install_post step: drop "write" permission bits on executables

The attached patch changes the permissions of executables to prevent the owner from writing to them. If a system daemon drops the dac_override capability (e.g. dhclient), this change makes it more difficult for an exploit of the daemon to overwrite the executables with malware - even if the daemon runs with euid=0.
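The attached patch itself is not reproduced in this report, so the following is an added illustration (not the reporter's patch and not part of redhat-rpm-config) of the kind of step the description refers to: a shell function in the spirit of an `%__os_install_post` hook that walks a build root, finds regular files with any execute bit set, and strips the write bits from them, plus a helper that counts executables still writable so the result can be checked. The build-root layout and the file names (`usr/sbin/dhclient`, `etc/dhclient.conf`) are constructed sample data.

```shell
#!/bin/sh
# Added illustration of an rpm post-install step that drops the "write" bits
# on executables (assumption: this is not the attached patch, which is not
# shown in the bug; it is a stand-alone sketch of the same idea).

# Strip the write permission bits from every regular file under $1 that has
# any execute bit set (owner, group, or other). Directories and non-executable
# files such as config files are left untouched, so a 0755 binary becomes 0555
# while a 0644 config stays 0644.
strip_exec_write() {
  buildroot="$1"
  find "$buildroot" -type f \
       \( -perm -u=x -o -perm -g=x -o -perm -o=x \) \
       -exec chmod a-w {} +
}

# Print the number of executables under $1 that are still writable by
# someone. A value of 0 after strip_exec_write is the expected result; this
# is the kind of check a packager could add to catch files the step missed.
count_writable_execs() {
  find "$1" -type f \
       \( -perm -u=x -o -perm -g=x -o -perm -o=x \) \
       \( -perm -u=w -o -perm -g=w -o -perm -o=w \) | wc -l | tr -d ' '
}

# Print the octal mode of a file (GNU stat first, BSD stat as a fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build a constructed sample build root: one executable daemon script and
# one non-executable config file. Prints the path of the temporary root.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/usr/sbin" "$root/etc"
  printf '#!/bin/sh\necho sample-daemon\n' > "$root/usr/sbin/dhclient"
  chmod 0755 "$root/usr/sbin/dhclient"
  printf 'option domain-name "example";\n' > "$root/etc/dhclient.conf"
  chmod 0644 "$root/etc/dhclient.conf"
  echo "$root"
}
```

Usage: `root=$(make_sample_tree); strip_exec_write "$root"; count_writable_execs "$root"` prints `0`, and `mode_of "$root/usr/sbin/dhclient"` prints `555`. The execute bits are kept, so the file still runs; only the ability to modify it through an ordinary `write()` (without CAP_DAC_OVERRIDE) is removed, which is exactly the property the description relies on for a daemon that has dropped that capability.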
Comment 1 Miloslav Trmač 2010-01-19 14:02:08 EST
Created attachment 385466 [details]
Spec file patch
Comment 2 Kevin Kofler 2010-01-26 10:10:11 EST
FYI, this feature was withdrawn for consideration for F-13, so please do not apply this patch (at least not without further discussion).