Red Hat Bugzilla – Bug 556897
[PATCH] Make executables non-writeable even by owner
Last modified: 2010-01-26 10:10:11 EST
Created attachment 385465
New __os_install_post step: drop "write" permission bits on executables
The attached patch changes the permissions of executables to prevent the owner from writing to them. If a system daemon drops the dac_override capability (e.g. dhclient), this change makes it more difficult for an exploit of the daemon to overwrite the executables with malware - even if the daemon runs with euid=0.
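The following is an added illustration, not the patch attached to this bug: a shell equivalent of an __os_install_post style step that walks a buildroot, clears every write bit on files that carry an execute bit, and leaves non-executable files alone. The helper names and the demo buildroot layout are assumptions made for the example.

```shell
# Added example (not the patch from the bug report): a shell equivalent of a
# post-install build step that clears write bits on executables under a
# buildroot. Helper names and the demo paths below are assumptions.

# strip_exec_write_bits BUILDROOT
#   Find every regular file with any execute bit set (u, g or o) and remove all
#   write bits. Files without an execute bit are left untouched.
strip_exec_write_bits() {
    find "$1" -type f -perm /111 -exec chmod a-w {} +
}

# has_write_bit FILE
#   Exit 0 if any write bit (owner, group or other) is set on FILE. Uses find
#   rather than "test -w", because "test -w" is always true for root.
has_write_bit() {
    [ -n "$(find "$1" -maxdepth 0 -type f -perm /222)" ]
}

# make_demo_buildroot
#   Constructed demo buildroot: one executable (0755, owner-writable) and one
#   configuration file (0644, no exec bit). Prints the buildroot path.
make_demo_buildroot() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/sbin" "$d/etc"
    printf '#!/bin/sh\nexit 0\n' > "$d/usr/sbin/demo-daemon"
    chmod 0755 "$d/usr/sbin/demo-daemon"     # rwxr-xr-x: owner can write
    printf 'option=1\n' > "$d/etc/demo.conf"
    chmod 0644 "$d/etc/demo.conf"            # no exec bit: must stay writable
    printf '%s\n' "$d"
}

# Stand-alone run: build the demo tree, apply the step, show the result.
if [ "${DEMO_RUN:-1}" = 1 ]; then
    root=$(make_demo_buildroot)
    strip_exec_write_bits "$root"
    ls -l "$root/usr/sbin/demo-daemon" "$root/etc/demo.conf"
    rm -rf "$root"
fi
```

After the step, the executable is 0555 while the configuration file keeps 0644. The protection this buys is exactly the one the comment above describes: mode bits only constrain a process that no longer holds CAP_DAC_OVERRIDE, so the step is worthwhile for daemons that drop that capability and does nothing for a process that retains it.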
Created attachment 385466
Spec file patch
FYI, this feature was withdrawn for consideration for F-13, so please do not apply this patch (at least not without further discussion).