Request 881493 accepted
- also fix /var/lib/empty to be readonly
- make bindir/ _lib and _libdir readonly (mode 0555) to avoid runpath-to-writeable-directory warning
- Created by dirkmueller
- In state accepted
- 5 package maintainers
Request History
dirkmueller created request
lnussel accepted request
Where does this come from? Changing everything to 555 instead of 755 is certainly something we need to do but then really everything, not just /bin, /lib etc.
Also kind of obsolete to only take care of those dirs as we proceed with usrmerge
I am changing both /bin as well as /usr/bin, so it is ready for UsrMerge.
I'm open to change more (like /usr/include etc) to 555, but does that prevent this change from being merged and tested in openqa?
The idea here is that compile-from-source does not accidentally install stuff into /usr. /usr/local remains 755.
Also, it prevents RUNPATH/RPATH writeable-directory warnings for services running as root.
"The idea here is that compile-from-source does not accidentally install stuff into /usr. /usr/local remains 755. "
Neither cp nor install care about 555 or 755 if you install something as root, so they still would install into /usr.
So I fail to see the sense or benefit of this change: the directories are owned by root:root, so 755 or 555 doesn't make any difference and especially will not prevent some tools from installing in /usr instead of /usr/local. This change does not even fall into the "security by obscurity" theme.
The change does make sense for a root user without CAP_DAC_OVERRIDE. Most likely not an interactive root but could be used e.g. in daemons. So I would actually go for it longer term. Not just for those dirs but for the whole /usr tree. Not sure there is much benefit of doing it only half but we could do it step by step also. Anyway the change at hand will cause file conflicts with
krb5-plugin-kdb-ldap sapstartsrv-resource-agents yast2-installation yast2-metapackage-handler
as they own /usr/bin resp /usr/sbin. So they have to be fixed first to not include those.
Thanks for pointing out. I'll fix those. Now, can we move forward on this? :)
@a_jaeger, @dimstar, @kukuk, @lnussel, @oertel: review reminder
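
Whether 0555 on a root-owned directory changes anything, as debated in the comments above, depends on whether the uid-0 process holds CAP_DAC_OVERRIDE. The following Python code is an added example, not part of the request or of any package it touches: it approximates the kernel's mode-bit check from the text of /proc/<pid>/status. Both status excerpts and the daemon name are constructed, and ACLs, read-only mounts and LSM policy are ignored.

```python
CAP_DAC_OVERRIDE = 1  # bit number, from linux/capability.h

# Constructed /proc/<pid>/status excerpts (not taken from a real system).
ROOT_SHELL = """Name:\tbash
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
Groups:\t0
CapEff:\t000001ffffffffff
"""
# A uid-0 daemon that kept only CAP_NET_BIND_SERVICE (bit 10).
ROOT_DAEMON = """Name:\texampled
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
Groups:\t0
CapEff:\t0000000000000400
"""

def parse_status(text):
    """Return (fsuid, set of group ids, CapEff mask) from status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key] = value.split()
    try:
        fsuid = int(fields["Uid"][3])   # real, effective, saved, filesystem
        groups = {int(fields["Gid"][3])} | {int(g) for g in fields.get("Groups", [])}
        capeff = int(fields["CapEff"][0], 16)
    except (KeyError, IndexError) as exc:
        raise ValueError("status text lacks Uid, Gid or CapEff") from exc
    return fsuid, groups, capeff

def can_create_in(status_text, dir_mode, dir_uid=0, dir_gid=0):
    """Would this process pass the mode-bit check to create a file in the directory?"""
    fsuid, groups, capeff = parse_status(status_text)
    if capeff & (1 << CAP_DAC_OVERRIDE):
        return True                     # mode bits are bypassed entirely
    if fsuid == dir_uid:
        bits = dir_mode >> 6            # owner class
    elif dir_gid in groups:
        bits = dir_mode >> 3            # group class
    else:
        bits = dir_mode                 # other class
    return bits & 0o3 == 0o3            # creating an entry needs write + search

if __name__ == "__main__":
    for name, text in (("root shell", ROOT_SHELL), ("root daemon", ROOT_DAEMON)):
        for mode in (0o755, 0o555):
            print(f"{name:11} {mode:04o} -> {can_create_in(text, mode)}")
```

The root shell passes for both modes, while the capability-dropped daemon passes only for 0755.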