On Fri, 03.05.13 14:00, Simon McVittie ([email protected]) wrote:
> On 03/05/13 13:16, Lennart Poettering wrote: > > On Fri, 03.05.13 04:51, Zbigniew Jędrzejewski-Szmek ([email protected]) > > wrote: > >> Hm, one of our tests fails because /usr/lib/systemd/system/auditd.service > >> is -rw-r-----. That's crazy. Do we fight it, or work around it? > > > > I'd say fight it. After all this is just annoying and little else since > > the parsed information is publically accessible anyway on the bus. > > See also Debian Policy, which basically says that files should be 0644 > or 0755 unless there's a good reason, and points out another reason why > there's no point in making packaged non-configuration files unreadable: > > Setuid and setgid executables should be mode 4755 or 2755 > respectively, and owned by the appropriate user or group. They > should not be made unreadable (modes like 4711 or 2711 or even > 4111); doing so achieves no extra security, because anyone can find > the binary in the freely available Debian package; it is merely > inconvenient. For the same reason you should not restrict read or > execute permissions on non-set-id executables. > > ><http://www.debian.org/doc/debian-policy/ch-files.html#s-permissions-owners> Now I wonder if we have any such rule for Fedora... > > I figure we should try to get the fedora packaging guidelines updated to > > say that root:root 664 is the right access mode > > Out of interest, why not 0644? Then members of group root (if there are > any) wouldn't be able to escalate to uid root by altering system > services. Yeah, sounds sensible to suggest 0644 instead. Lennart -- Lennart Poettering - Red Hat, Inc. _______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
