Re: permissions in general (WAS: Re: permissions in /sbin)
On 12/5/07, Mike Bird <email@example.com> wrote:
> > I guess it's more a historical reason that others can r+x most of the
> > system but I can see a lot of benefits in denying others by default
> > (of course there's a lot of work involved to migrate from the current
> > permission schema that's at least a serious drawback)
> There's very little value to blocking read or execute access to
> executables. A user could compile or download their own
> executable in their own home directory to do the same job.

So the user needs to get a precompiled gcc somewhere.
Then she would need to get all the header files necessary.
Then she needs to get the source.
Then the quota is full... :)

> Instead we control what executables can do, e.g. by limiting
> which files can be read or written (by any/all executables).

Are you talking about role-based access or limiting access to the
directories where a user can write to?

Why I think it's good to remove others is somewhat the same reason as
why in a firewall ruleset the policy should be drop.
You can easily forget to lock down something but if you forget to open
it up you can be sure that within an hour users will give you a call
(or mail if they can execute the program) and complain...