Re: [meta-hardening][PATCH] meta-hardening/binutils: harden installation permissions

Marta Rybczynska

(correcting the wrong list address)

On Fri, Aug 27, 2021 at 6:07 AM akuster808 <akuster808@...> wrote:

> On 8/24/21 11:05 PM, Marta Rybczynska wrote:
> > Compilers and related utils are better restricted on production platforms.
> > Change permissions of all installed binutils tools to remove access from
> > users outside of the root group.
> > This also demonstrates how to restrict file permissions in a hardened
> > distribution.
>
> Have you looked into FILESYSTEM_PERMS_TABLES? An example of the format
> can be found @ /meta/files/fs-perms.txt
>
> For more info see
>
> Maybe having something like fs-perms.txt in meta-hardening may achieve
> the same?

It looks like a possibility, I will give it a try. I have a question about the future,
however. Currently meta-hardening is defining its own distribution. When hardening
is in DISTRO_FEATURES (you were working on it some time ago),
it would be less obvious to use, wouldn't it?

A bonus question, do you still plan to make it in DISTRO_FEATURES?

