[systemd-devel] audit paranoia breaks tests

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Fri May 3 08:27:41 PDT 2013


On Fri, May 03, 2013 at 05:05:51PM +0200, Lennart Poettering wrote:
> On Fri, 03.05.13 14:00, Simon McVittie (simon.mcvittie at collabora.co.uk) wrote:
> 
> > On 03/05/13 13:16, Lennart Poettering wrote:
> > > On Fri, 03.05.13 04:51, Zbigniew Jędrzejewski-Szmek (zbyszek at in.waw.pl) wrote:
> > >> Hm, one of our tests fails because /usr/lib/systemd/system/auditd.service
> > >> is -rw-r-----. That's crazy. Do we fight it, or work around it?
> > > 
> > > I'd say fight it. After all this is just annoying and little else since
> > > the parsed information is publicly accessible anyway on the bus.
https://bugzilla.redhat.com/show_bug.cgi?id=959483

> > See also Debian Policy, which basically says that files should be 0644
> > or 0755 unless there's a good reason, and points out another reason why
> > there's no point in making packaged non-configuration files unreadable:
> > 
> >     Setuid and setgid executables should be mode 4755 or 2755
> >     respectively, and owned by the appropriate user or group. They
> >     should not be made unreadable (modes like 4711 or 2711 or even
> >     4111); doing so achieves no extra security, because anyone can find
> >     the binary in the freely available Debian package; it is merely
> >     inconvenient. For the same reason you should not restrict read or
> >     execute permissions on non-set-id executables.
> > 
> > <http://www.debian.org/doc/debian-policy/ch-files.html#s-permissions-owners>
> 
> Now I wonder if we have any such rule for Fedora...
I couldn't find anything in the Packaging Guidelines. Could you add
such an explicit recommendation to http://fedoraproject.org/wiki/Packaging:Systemd?

Zbyszek

> > > I figure we should try to get the fedora packaging guidelines updated to
> > > say that root:root 664 is the right access mode
> > 
> > Out of interest, why not 0644? Then members of group root (if there are
> > any) wouldn't be able to escalate to uid root by altering system
> > services.
> 
> Yeah, sounds sensible to suggest 0644 instead.
> 
> Lennart
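
The two mode problems raised in this thread (a unit file that is not world-readable, and one that is group-writable) can be checked mechanically. The script below is an added example, not part of the original message or of systemd; the function name `audit_unit_modes` and the sample file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag unit files whose mode differs from
# the 0644 the thread settles on, in the two ways the posters discuss.

audit_unit_modes() {
    dir=$1
    # Missing o+r (e.g. 0640): unprivileged readers, such as a test suite, fail.
    find "$dir" -type f ! -perm -004 -print | sort | sed 's/^/not-world-readable /'
    # g+w or o+w (e.g. 0664): a non-root account could rewrite a system service.
    find "$dir" -type f \( -perm -020 -o -perm -002 \) -print | sort |
        sed 's/^/group-or-other-writable /'
}

# Constructed sample tree standing in for a unit directory.
demo=$(mktemp -d)
for spec in 0640:restricted.service 0664:groupwrite.service 0644:ok.service; do
    mode=${spec%%:*}; name=${spec#*:}
    printf '[Unit]\nDescription=constructed sample\n' > "$demo/$name"
    chmod "$mode" "$demo/$name"
done
audit_unit_modes "$demo"
rm -rf "$demo"
```

To audit a real system, pass the unit directory named in the thread, /usr/lib/systemd/system, to `audit_unit_modes`; a clean result is no output.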

