Bug 556897
| Summary: | [PATCH] Make executables non-writeable even by owner | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Miloslav Trmač <mitr> | ||||||
| Component: | redhat-rpm-config | Assignee: | Panu Matilainen <pmatilai> | ||||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | rawhide | CC: | jonathan, kevin, pmatilai, sgrubb | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2010-01-26 15:10:11 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 385466 [details]
Spec file patch
FYI, this feature was withdrawn for consideration for F-13, so please do not apply this patch (at least not without further discussion). |
Created attachment 385465 [details] New __os_install_post step: drop "write" permission bits on executables The attached patch changes the permissions of executables to prevent the owner from writing to them. If a system daemon drops the dac_override capability (e.g. dhclient), this change makes it more difficult for an exploit of the daemon to overwrite the executables with malware - even if the daemon with euid=0.