[systemd-devel] audit paranoia breaks tests
Lennart Poettering
lennart at poettering.net
Fri May 3 08:05:51 PDT 2013
On Fri, 03.05.13 14:00, Simon McVittie (simon.mcvittie at collabora.co.uk) wrote:
> On 03/05/13 13:16, Lennart Poettering wrote:
> > On Fri, 03.05.13 04:51, Zbigniew Jędrzejewski-Szmek (zbyszek at in.waw.pl) wrote:
> >> Hm, one of our tests fails because /usr/lib/systemd/system/auditd.service
> >> is -rw-r-----. That's crazy. Do we fight it, or work around it?
> >
> > I'd say fight it. After all this is just annoying and little else since
> > the parsed information is publicly accessible anyway on the bus.
>
> See also Debian Policy, which basically says that files should be 0644
> or 0755 unless there's a good reason, and points out another reason why
> there's no point in making packaged non-configuration files unreadable:
>
> Setuid and setgid executables should be mode 4755 or 2755
> respectively, and owned by the appropriate user or group. They
> should not be made unreadable (modes like 4711 or 2711 or even
> 4111); doing so achieves no extra security, because anyone can find
> the binary in the freely available Debian package; it is merely
> inconvenient. For the same reason you should not restrict read or
> execute permissions on non-set-id executables.
>
>
> <http://www.debian.org/doc/debian-policy/ch-files.html#s-permissions-owners>
Now I wonder if we have any such rule for Fedora...
> > I figure we should try to get the fedora packaging guidelines updated to
> > say that root:root 664 is the right access mode
>
> Out of interest, why not 0644? Then members of group root (if there are
> any) wouldn't be able to escalate to uid root by altering system
> services.
Yeah, sounds sensible to suggest 0644 instead.
Lennart
--
Lennart Poettering - Red Hat, Inc.
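
An added example, not part of the original message or of systemd: a shell check that lists packaged unit files whose mode departs from 0644 in the ways this thread discusses (not world-readable, as with the 0640 auditd.service, or group-writable, as with 0664). The function names `audit_unit_modes` and `count_findings` are hypothetical; the default directory is the path quoted in the thread.

```shell
#!/bin/sh
# Added example: report unit files that are unreadable to ordinary users
# or writable by anyone other than the owner.
# Usage: sh audit-unit-modes.sh [DIR]

audit_unit_modes() {
    dir=${1:-/usr/lib/systemd/system}

    # Not world-readable (e.g. 0640): the content is public in the package
    # anyway, so this only breaks unprivileged readers such as test suites.
    find "$dir" -type f ! -perm -004 -exec printf 'unreadable %s\n' {} \;

    # Group-writable (e.g. 0664): members of the owning group could alter
    # a service definition that is later started as root.
    find "$dir" -type f -perm -020 -exec printf 'group-writable %s\n' {} \;

    # World-writable: any local user could alter the unit.
    find "$dir" -type f -perm -002 -exec printf 'world-writable %s\n' {} \;
}

# Number of findings; 0 means every regular file passed all three checks.
count_findings() {
    audit_unit_modes "$1" | wc -l | tr -d ' '
}

# When called with a directory argument, print the findings for it.
if [ "$#" -gt 0 ]; then
    audit_unit_modes "$1"
fi
```

Symbolic links are skipped by `-type f`, so only the unit files themselves are reported, once per failed check.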