It's already the case that a file owned by user A cannot have its
rights changed by user B. Also, if the write permission is not set,
you can't modify the file. That's the basic Unix security model. Of
course, if you're root all bets are off, root is god. For those who
don't like that, there are things like capabilities and MAC. But they
are _really_ hard to set up correctly.

What they are talking about is to have the x bit cancel the w bit,
i.e. make the rwx files unwritable. Fixing the symptoms, you know...

> My policy is to give necessary permissions & no more.

This is not a bad policy. Removing read permissions can make fixing
problems a pain, though (what, no gdb/strace of system executables?).

> I would set the
> aforementioned permissions on the main system binaries which would allow
> other users to get on with what they need to do without being able to
> affect the workspaces of other users, only their own.

Well, the main system binaries are already that way (r-xr-xr-x or
rwxr-xr-x, which when root-owned are equivalent). I don't see your
point.

OG.
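
The permission rules discussed in this message, as an added example that is not part of the original post: a simplified C model of the classic owner/group/other check, showing why r-xr-xr-x and rwxr-xr-x are equivalent on a root-owned file. The function names and the sample uid/gid 1000 are constructed for illustration, and the model assumes a regular file with no supplementary groups, ACLs, capabilities or MAC.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

enum { WANT_R = 4, WANT_W = 2, WANT_X = 1 };

/* Simplified classic Unix DAC check for a regular file (hypothetical helper).
 * Exactly one class applies: owner, else group, else other. */
static bool dac_permits(mode_t mode, uid_t fuid, gid_t fgid,
                        uid_t uid, gid_t gid, int want)
{
    int bits;
    if (uid == 0)  /* root skips r/w checks; exec still needs some x bit */
        return !(want & WANT_X) || (mode & 0111) != 0;
    if (uid == fuid)
        bits = (mode >> 6) & 7;
    else if (gid == fgid)
        bits = (mode >> 3) & 7;
    else
        bits = mode & 7;
    return (bits & want) == want;
}

/* Only the file's owner (or root) may change its mode bits. */
static bool may_chmod(uid_t fuid, uid_t uid)
{
    return uid == 0 || uid == fuid;
}

/* Do modes a and b on a root:root file give every non-root caller the same
 * access? Constructed callers: uid 1000 in gid 0 (group) or gid 1000 (other). */
static bool same_for_non_root(mode_t a, mode_t b)
{
    const gid_t gids[] = { 0, 1000 };
    for (int g = 0; g < 2; g++)
        for (int want = 1; want <= 7; want++)
            if (dac_permits(a, 0, 0, 1000, gids[g], want) !=
                dac_permits(b, 0, 0, 1000, gids[g], want))
                return false;
    return true;
}

int main(void)
{
    printf("0555 vs 0755 equivalent: %d\n", same_for_non_root(0555, 0755));
    printf("0555 vs 0775 equivalent: %d\n", same_for_non_root(0555, 0775));
    printf("uid 1001 may chmod uid 1000's file: %d\n", may_chmod(1000, 1001));
    return 0;
}
```

The 0775 comparison differs only because a non-root member of the file's group gains write access; the owner's own w bit changes nothing when the owner is root.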