Bug 556897
| Field | Value |
|---|---|
| Summary | [PATCH] Make executables non-writeable even by owner |
| Product | [Fedora] Fedora |
| Component | redhat-rpm-config |
| Version | rawhide |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | medium |
| Hardware | All |
| OS | Linux |
| Reporter | Miloslav Trmač <mitr> |
| Assignee | Panu Matilainen <pmatilai> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | jonathan, kevin, pmatilai, sgrubb |
| Doc Type | Bug Fix |
| Last Closed | 2010-01-26 15:10:11 UTC |

Created attachment 385466: Spec file patch

FYI, this feature was withdrawn for consideration for F-13, so please do not apply this patch (at least not without further discussion).

Created attachment 385465: New __os_install_post step: drop "write" permission bits on executables

The attached patch changes the permissions of executables to prevent the owner from writing to them. If a system daemon drops the dac_override capability (e.g. dhclient), this change makes it more difficult for an exploit of the daemon to overwrite the executables with malware - even if the daemon runs with euid=0.
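
The kind of build-root step described above, as an added example that is not the patch attached to this bug. The function names are hypothetical, and it assumes an "executable" is any regular file with at least one execute bit set.

```shell
#!/bin/sh
# Added example: hypothetical brp-style helper, not the patch from this bug.
# Assumption: "executable" means a regular file with any execute bit set.

# Run find over executable regular files under $1 that still carry a write
# bit for owner, group or other. Remaining arguments are the find action.
# Symlinks are not followed, so targets outside the tree are never touched.
find_writable_executables() {
    root=$1
    shift
    find "$root" -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) \
        \( -perm -200 -o -perm -020 -o -perm -002 \) \
        "$@"
}

# Audit: print each executable that is still writable by someone.
list_writable_executables() {
    find_writable_executables "$1" -print
}

# Fix: clear only the write bits; every other mode bit is left as it was.
drop_exec_write_bits() {
    find_writable_executables "$1" -exec chmod a-w {} +
}

# Inside an rpm build, act on the build root and fail if anything was missed.
if [ -n "${RPM_BUILD_ROOT:-}" ] && [ -d "$RPM_BUILD_ROOT" ]; then
    drop_exec_write_bits "$RPM_BUILD_ROOT"
    left=$(list_writable_executables "$RPM_BUILD_ROOT")
    if [ -n "$left" ]; then
        echo "executables still writable:" >&2
        echo "$left" >&2
        exit 1
    fi
fi
```

`list_writable_executables` can also be pointed at an installed tree such as `/usr/bin` to see which executables would be affected.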