PolicyKit releases and !AWOL

Doug Klima cardoe at gentoo.org
Mon Dec 17 06:45:42 PST 2007


Michael Biebl wrote:
> 2007/12/17, David Zeuthen <david at fubar.dk>:
>   
>> On Mon, 2007-12-17 at 03:02 +0100, Michael Biebl wrote:
>>     
>>> Well, making it 4754, means everyone can read the binary.
>>> If you make it 4750, the user can download the deb/rpm and extract the
>>> binary from there to read it. So you don't gain any additional
>>> security by making it non-readable
>>>       
>> No, but it makes it a lot harder; if you can read the file you can run
>> strings(1) and ldd(1) on it; that alone is a lot of useful information.
>>     
>
> You can do that just as well with the binary that you extracted from
> the deb/rpm.
> So this point is not valid.
>
>   
>> Sure, it doesn't add security but the program should be secure in the
>> first place (and I believe it is) otherwise it's a stop-ship bug.
>>     
>
> I'm not sure what this has to do with the file permissions.
>
>   
>> It's not about "adding security" - the name of the game is about
>> limiting what damage can be done in the event there's a flaw in the
>> program. And making the file non-readable for world helps slow down the
>> would-be attacker (who is typically a 13-year-old script kiddie with too
>> much time on his hands).
>>     
>
> I don't understand what you are trying to say with that. How can a
> flaw in the program be exploited (more easily) if it's world readable?
> Can you give me a real world scenario here? What you say is too vague.
>
>   
>> Also, what you are suggesting, making the file world readable, violates
>> the principle of least privilege: the user simply has no business
>> messing with that file; it's just an internal implementation detail of
>> higher level software (in this case libpolkit-grant.so).
>>     
>
> Actually it's the other way around.
> Think of backup programs, which now have to run as root to be able to
> successfully create a backup, or intrusion detection systems, which
> check the file checksums, which can't be run unprivileged.
> I hope I could give you some use cases, why it makes sense to make the
> files world readable.
>
> Cheers,
> Michael
>
>   
I completely agree here.

If the only reason is that security through obscurity doesn't work, then that
would be enough for me. Especially in this case, since the packages are
easy for an attacker to download and figure out themselves.
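The thread turns on what the 4754 versus 4750 modes actually mean for the two use cases Michael raises: a backup job or an integrity checker that runs without root needs read access to the setuid binary, which it gets under 4754 but not 4750. The following script is an added illustration, not code from the thread or from PolicyKit: it decodes the permission bits of a setuid binary, applies the POSIX owner/group/other class selection to decide whether a given unprivileged account could read it, and shows how a checksum-based integrity check degrades when read access is denied. The function names (`classify_mode`, `other_user_can_read`, `audit_setuid`, `checksum_if_readable`) are the author's own choices for this example; the modes 4754 and 4750 are the ones under discussion.

```python
import hashlib
import os
import stat
import sys


def classify_mode(mode):
    """Decode the bits of a st_mode (or bare permission) value that matter here."""
    perm = stat.S_IMODE(mode)
    return {
        "octal": oct(perm),
        "setuid": bool(perm & stat.S_ISUID),
        "setgid": bool(perm & stat.S_ISGID),
        "group_readable": bool(perm & stat.S_IRGRP),
        "world_readable": bool(perm & stat.S_IROTH),
    }


def other_user_can_read(mode, file_uid, file_gid, uid, gids):
    """POSIX read check: exactly one class (owner, group, other) is consulted.

    Mirrors the kernel's ordering: root always reads; an owner is judged by
    the owner bits even if the group/other bits are more permissive; a group
    member is judged by the group bits; everyone else by the other bits.
    """
    perm = stat.S_IMODE(mode)
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(perm & stat.S_IRUSR)
    if file_gid in gids:
        return bool(perm & stat.S_IRGRP)
    return bool(perm & stat.S_IROTH)


def checksum_if_readable(path):
    """What an unprivileged integrity checker sees: a digest, or None on EACCES."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except PermissionError:
        return None


def audit_setuid(root):
    """Walk `root` and report every regular file with setuid or setgid set.

    Each entry is (path, uid, gid, permission bits, world_readable) so the
    caller can see which binaries an unprivileged checksum job could cover.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable metadata; skip, don't crash
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                info = classify_mode(st.st_mode)
                findings.append((path, st.st_uid, st.st_gid,
                                 info["octal"], info["world_readable"]))
    return findings


if __name__ == "__main__":
    # Default path is an assumption for the demo; pass another directory to audit it.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for path, uid, gid, octal, world in audit_setuid(target):
        digest = checksum_if_readable(path)
        print(f"{octal} uid={uid} gid={gid} world_readable={world} "
              f"sha256={'unreadable' if digest is None else digest[:16]} {path}")
```

Run as a normal user, the output makes the trade-off concrete: every 4750-style entry shows `unreadable` for the checksum column, which is exactly the gap an IDS or backup would hit without root.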


