Message ID | 20110114202457.GL4979@outflux.net |
---|---|
State | Accepted |
Delegated to: | Tim Gardner |
On 01/14/2011 02:24 PM, Kees Cook wrote: > To complement the 0400 /proc/kallsyms patch, this makes the installed > System.map file mode 0600 so that security vulnerability exploitation > isn't as trivial. This, like kallsyms, does not stop a serious attacker, > since they can always just fetch the package and read the file. > > I'm not aware of any non-root consumer of this file, so there should be > no impact. FWIW, my system boots fine with this change. > > Signed-off-by: Kees Cook<kees.cook@canonical.com> > --- > debian/rules.d/2-binary-arch.mk | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk > index 5627af5..c289d11 100644 > --- a/debian/rules.d/2-binary-arch.mk > +++ b/debian/rules.d/2-binary-arch.mk > @@ -67,7 +67,7 @@ endif > $(pkgdir)/boot/config-$(abi_release)-$* > install -m644 $(abidir)/$* \ > $(pkgdir)/boot/abi-$(abi_release)-$* > - install -m644 $(builddir)/build-$*/System.map \ > + install -m600 $(builddir)/build-$*/System.map \ > $(pkgdir)/boot/System.map-$(abi_release)-$* > ifeq ($(no_dumpfile),) > makedumpfile -g $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$* \ applied
diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk index 5627af5..c289d11 100644 --- a/debian/rules.d/2-binary-arch.mk +++ b/debian/rules.d/2-binary-arch.mk @@ -67,7 +67,7 @@ endif $(pkgdir)/boot/config-$(abi_release)-$* install -m644 $(abidir)/$* \ $(pkgdir)/boot/abi-$(abi_release)-$* - install -m644 $(builddir)/build-$*/System.map \ + install -m600 $(builddir)/build-$*/System.map \ $(pkgdir)/boot/System.map-$(abi_release)-$* ifeq ($(no_dumpfile),) makedumpfile -g $(pkgdir)/boot/vmcoreinfo-$(abi_release)-$* \
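Review bot: The changed `install -m600 $(builddir)/build-$*/System.map` line now differs from the `-m644` used for the config and abi files just above it, but nothing in the rules file says why, so a later cleanup could quietly restore 644; a one-line comment above the install noting that the map is root-only to match the restricted /proc/kallsyms would protect it. The commit message pairs this with a 0400 kallsyms while choosing 0600 here, and it would help to state whether the owner-write bit is intentional. The trailing context also shows `makedumpfile -g` writing vmcoreinfo into the same /boot directory; its resulting mode is not visible in this hunk and is worth checking for consistency with the new System.map mode.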
To complement the 0400 /proc/kallsyms patch, this makes the installed System.map file mode 0600 so that security vulnerability exploitation isn't as trivial. This, like kallsyms, does not stop a serious attacker, since they can always just fetch the package and read the file.

I'm not aware of any non-root consumer of this file, so there should be no impact. FWIW, my system boots fine with this change.

Signed-off-by: Kees Cook <kees.cook@canonical.com>

---

debian/rules.d/2-binary-arch.mk | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)