Bug#967857: debian-policy: [Files/Permissions and owners] files installed by package manager should not be writable
Guillem Jover <guillem@debian.org> writes:
> On Tue, 2020-08-04 at 13:56:45 -0700, Russ Allbery wrote:
>> I assume this is in support of systems, containers, or jails where UID
>> 0 may not have CAP_FOWNER?
> If that's the reason, it certainly was not clear from the original
> report. :)
It seems like the context in which this change would be meaningful.
That said, in the situations where I'm dropping capabilities, I would also
generally remount file systems like /usr read-only (systemd's
ProtectSystem, for example), so I'm having some trouble generating a
scenario in which the file permission changes matter. I think a concrete
use case would be useful for analysis.
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>
Reply to: