On Fri, May 03, 2013 at 05:05:51PM +0200, Lennart Poettering wrote:
> On Fri, 03.05.13 14:00, Simon McVittie ([email protected]) wrote:
>
> > On 03/05/13 13:16, Lennart Poettering wrote:
> > > On Fri, 03.05.13 04:51, Zbigniew Jędrzejewski-Szmek ([email protected])
> > > wrote:
> > >> Hm, one of our tests fails because /usr/lib/systemd/system/auditd.service
> > >> is -rw-r-----. That's crazy. Do we fight it, or work around it?
> > >
> > > I'd say fight it. After all this is just annoying and little else since
> > > the parsed information is publicly accessible anyway on the bus.

https://bugzilla.redhat.com/show_bug.cgi?id=959483

> > See also Debian Policy, which basically says that files should be 0644
> > or 0755 unless there's a good reason, and points out another reason why
> > there's no point in making packaged non-configuration files unreadable:
> >
> >     Setuid and setgid executables should be mode 4755 or 2755
> >     respectively, and owned by the appropriate user or group. They
> >     should not be made unreadable (modes like 4711 or 2711 or even
> >     4111); doing so achieves no extra security, because anyone can find
> >     the binary in the freely available Debian package; it is merely
> >     inconvenient. For the same reason you should not restrict read or
> >     execute permissions on non-set-id executables.
> >
> > <http://www.debian.org/doc/debian-policy/ch-files.html#s-permissions-owners>
>
> Now I wonder if we have any such rule for Fedora...

I couldn't find anything in the Packaging Guidelines. Could you add such
an explicit recommendation to http://fedoraproject.org/wiki/Packaging:Systemd?

Zbyszek

> > > I figure we should try to get the fedora packaging guidelines updated to
> > > say that root:root 664 is the right access mode
> >
> > Out of interest, why not 0644? Then members of group root (if there are
> > any) wouldn't be able to escalate to uid root by altering system
> > services.
>
> Yeah, sounds sensible to suggest 0644 instead.
>
> Lennart

_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
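A check for the unit-file access modes the thread settles on, added here as an example; it is not code from the thread, from systemd or from Fedora packaging tooling. It classifies an octal mode the way the discussion does (group- or world-writable is a root escalation for whoever can write; not world-readable gains nothing, as with the auditd.service case; anything else that is not 0644 is merely non-standard) and audits a directory of unit files. The directory audit assumes GNU stat on Linux; the sample unit files it builds in a temporary directory are constructed for the demonstration and are not real system state.

```shell
#!/bin/sh
# Added example, not from the thread or from systemd: audit unit files for
# the access modes discussed above. The expected mode for a packaged unit is
# root:root 0644. A group- or world-writable unit lets whoever can write it
# define commands that run as root; a unit that is not world-readable gains
# nothing, since its content is visible on the bus and in the package anyway.
# audit_unit_dir assumes GNU stat (Linux); classify_mode is pure POSIX sh.

# classify_mode MODE: MODE is an octal string as printed by `stat -c %a`
# (e.g. 644, 4755). Prints one verdict word; returns 0 only for 0644.
classify_mode() {
    perm=$1
    # keep the low three digits (drop setuid/setgid/sticky), pad short output
    while [ ${#perm} -gt 3 ]; do perm=${perm#?}; done
    while [ ${#perm} -lt 3 ]; do perm=0$perm; done
    case $perm in
        [0-7][0-7][0-7]) ;;
        *) echo bad-mode; return 1 ;;
    esac
    rest=${perm#?}   # group and other digits
    g=${rest%?}
    o=${rest#?}
    if [ $((o & 2)) -ne 0 ]; then
        echo world-writable        # any local user can edit the unit and become root
    elif [ $((g & 2)) -ne 0 ]; then
        echo group-writable        # the 664 case: members of the owning group can become root
    elif [ $((o & 4)) -eq 0 ]; then
        echo not-world-readable    # the auditd.service case: no security gain, only breakage
    elif [ "$perm" != 644 ]; then
        echo not-0644              # e.g. stray execute bits; harmless but non-standard
    else
        echo ok
        return 0
    fi
    return 1
}

# audit_unit_dir DIR: report every regular file in DIR whose mode is not
# 0644, one per line as "<verdict> <mode> <owner:group> <path>".
# Returns 1 if anything was reported, 0 if the directory is clean.
audit_unit_dir() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f") || { rc=1; continue; }
        owner=$(stat -c %U:%G "$f")
        verdict=$(classify_mode "$mode") || rc=1
        [ "$verdict" = ok ] || printf '%s %s %s %s\n' "$verdict" "$mode" "$owner" "$f"
    done
    return $rc
}

# make_demo_dir: build a constructed directory of sample unit files (not
# real system state) covering the modes mentioned in the thread; prints its path.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    for name in good group world auditd exec; do
        printf '[Service]\nExecStart=/bin/true\n' > "$d/$name.service"
    done
    chmod 644 "$d/good.service"    # the mode the thread settles on
    chmod 664 "$d/group.service"   # the 664 first suggested
    chmod 666 "$d/world.service"   # worst case
    chmod 640 "$d/auditd.service"  # the -rw-r----- that failed the test
    chmod 755 "$d/exec.service"    # non-standard but not a security problem
    echo "$d"
}

# Demonstration on the constructed directory. On a real host, call
#   audit_unit_dir /usr/lib/systemd/system
# instead and also confirm the owner column reads root:root.
demo=$(make_demo_dir)
status=0
audit_unit_dir "$demo" || status=$?
rm -rf "$demo"
echo "exit status $status (1 means findings were reported)"
```

The owner is printed but not judged, because in a test environment the files are owned by whoever runs the script; on a packaged system anything under /usr/lib/systemd/system that is not root:root deserves the same scrutiny as a writable group bit.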
