yo8192 / fcron

fcron is an advanced cron for Linux/Unix systems
http://fcron.free.fr
GNU General Public License v2.0

Why are binaries installed without read permission? #2

Closed eli-schwartz closed 4 years ago

eli-schwartz commented 4 years ago
$ ls -l $DESTDIR/usr/bin
---x--x--- 1 eschwartz users 109544 Jan 11  2019 fcron*
---x--x--x 1 eschwartz users  43816 Jan 11  2019 fcrondyn*
---x--x--- 1 eschwartz users  34728 Jan 11  2019 fcronsighup*
---x--x--x 1 eschwartz users  80080 Jan 11  2019 fcrontab*

What's the point of this? There are no security secrets here, the software is open source and anyone can compile their own copy trivially. There is some rationale to avoid giving everyone execute permissions, but what on earth is wrong with read permissions? Especially, why is even the owner of the binaries prevented from reading the files without first running chmod?

This causes annoying error messages when trying to heuristically parse the binaries, e.g. with readelf -d to see what shared libraries it depends on. It also prevents post-processing tools during distro packaging from running commands such as strip (in combination with make install STRIP=/bin/true to avoid using the wrong strip commands) in order to store detached debugging symbols in /usr/lib/debug.

...

Program files should be readable by any user unless they contain e.g. cryptographic secret key material, and they should be writable by the user.

yo8192 commented 4 years ago

It was based on the least privilege principle, assuming no one needs to read these binaries. But you are right that there is no secret in there, and you mentioned valid reasons why read perms can be needed, so I think it would be fine to give read perms. Would you be happy proposing a PR?

eli-schwartz commented 4 years ago

Done.

I've heard arguments that when building the binary yourself, rather than downloading a byte-identical binary from a Linux distribution repository, there are some security benefits from attackers not knowing the internal structure of the binary. But at least the owner should have rw permission. I'm not sure whether or how to extend that; which concern weighs heavier? Can it be detected by the presence of a non-null DESTDIR? etc. So for now, I have only implemented this w.r.t. the file's owner as I cannot think how this can backfire.
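The following is an added example, not code from the fcron project or from either participant in this thread. It shows the check a packager might run after make install to catch binaries with the ---x--x--- mode shown in the listing above (executable but unreadable by the owner, which is what breaks readelf and strip), and the owner-only chmod u+rw repair the last comment describes. The directory, file names and the demo() helper are constructed for the example; the mode 0110 matches the listing, and 0755 is the conventional mode installed binaries normally get.

```shell
#!/bin/sh
# Added example (not fcron's Makefile): audit an install directory for
# executables the owner cannot read, then restore owner read/write.

# List regular files in DIR that are owner-executable but not owner-readable.
# Symbolic -perm modes are POSIX; "-perm -u+x" means "u+x bit is set".
find_unreadable_bins() {
    find "$1" -maxdepth 1 -type f -perm -u+x ! -perm -u+r
}

# Number of such files, as a bare integer (tr strips BSD wc's padding).
count_unreadable_bins() {
    find_unreadable_bins "$1" | wc -l | tr -d ' '
}

# Repair only the owner's bits, leaving group/other exactly as installed:
# this is the conservative fix discussed in the thread.
fix_owner_rw() {
    find "$1" -maxdepth 1 -type f ! -perm -u+r -exec chmod u+rw {} +
}

# Constructed scenario: one binary installed as ---x--x---, one as 0755.
# Returns "<unreadable before> <unreadable after>" so it can be checked.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'placeholder binary\n' > "$tmp/fcron"     # stands in for the real ELF
    printf 'placeholder binary\n' > "$tmp/fcrontab"
    chmod 0110 "$tmp/fcron"      # matches the ---x--x--- line in the issue
    chmod 0755 "$tmp/fcrontab"   # conventional rwxr-xr-x
    before=$(count_unreadable_bins "$tmp")
    fix_owner_rw "$tmp"
    after=$(count_unreadable_bins "$tmp")
    rm -rf "$tmp"
    echo "$before $after"
}
```

Running demo reports one unreadable file before the fix and none after; in a packaging hook you would call find_unreadable_bins on $DESTDIR/usr/bin and fail the build if it prints anything, since a file the owner cannot read will also defeat detached-debug-symbol extraction later in the pipeline.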