Monique Y. Herman wrote:
> Is this really a bug, or just a bad/pointless idea?  I mean, it asked me
> if I should lock these tools down, and I said yes.  I can always loosen
> up permissions on a case by case basis.

Unless Bastille closes down access to programs like perl, python, gcc,
the shell, and all file downloads, it is thoroughly useless to block
execution of any non-suid/sgid binaries.

It is also a violation of Debian Policy, section 10.9:

     Setuid and setgid executables should be mode 4755 or 2755
     respectively, and owned by the appropriate user or group.  They should
     not be made unreadable (modes like 4711 or 2711 or even 4111); doing
     so achieves no extra security, because anyone can find the binary in
     the freely available Debian package; it is merely inconvenient.  For
     the same reason you should not restrict read or execute permissions on
     non-set-id executables.

-- 
see shy jo
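As an added example (not part of the mail above, nor of Bastille or the Debian tools), here is a small POSIX shell audit that finds set-id executables whose mode is not the 4755/2755 that Policy 10.9 calls for, which is the kind of check a hardening script should run instead of stripping permissions. It assumes GNU `stat -c '%a'` (Linux); `make_fixture` builds a constructed directory of scripts with various modes so the audit can be exercised offline.

```sh
#!/bin/sh
# Added example: audit set-id files against Debian Policy 10.9.
# Policy: setuid -> 4755, setgid -> 2755; anything else on a set-id
# file (4711, 4111, 6755, ...) is reported as "MODE PATH".
# Assumes GNU coreutils stat (prints the special bits in %a).

audit_setid_modes() {
    root="$1"
    # -perm -4000 / -2000: files with the setuid / setgid bit set
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            4755|2755) ;;                       # compliant, say nothing
            *) printf '%s %s\n' "$mode" "$f" ;;  # report deviating mode
        esac
    done
}

# Constructed fixture (not real system files): a temp dir holding tiny
# scripts with the modes named in the policy text plus a few others.
# Prints the directory path; caller removes it afterwards.
make_fixture() {
    d=$(mktemp -d)
    for spec in ok_suid:4755 ok_sgid:2755 unreadable_suid:4711 \
                exec_only:4111 both:6755 plain:755; do
        name=${spec%%:*}
        mode=${spec##*:}
        printf '#!/bin/sh\necho hi\n' > "$d/$name"
        chmod "$mode" "$d/$name"
    done
    printf '%s\n' "$d"
}

# Usage on a real tree: sh audit.sh /usr
if [ -n "${1:-}" ]; then
    audit_setid_modes "$1"
fi
```

Run against `/usr` it lists only set-id binaries that deviate from Policy; a 4711 hit is the "unreadable for no benefit" case the policy text describes, while a non-set-id binary with execute stripped would not show up here at all, because that is a different (and per Policy equally pointless) change.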
