| |||||||||||||
Making distribution files readable only by root is pointlessMaking distribution files readable only by root is pointlessPosted Mar 27, 2013 17:28 UTC (Wed) by arjan (subscriber, #36785)In reply to: Making distribution files readable only by root is pointless by epa Parent article: KASLR: An Exercise in Cargo Cult Security (grsecurity blog)
well it kind of goes both ways.
Why WOULD they need to be readable? The paradigm of "least privilege" as a general guiding principle has been around for a long time.
I am not going to argue that there is a huge value in making these things non-root, but at the same time, you can't really argue the other way.
(Log in to post comments)
Making distribution files readable only by root is pointless Posted Mar 28, 2013 0:04 UTC (Thu) by nix (subscriber, #2304) [Link]
It's zero difference in effort. Effective exploit authors will either be writing attack tools, in which case they *have* to download various distros to customize their attacks for those distros -- they're not going to be looking at files on the target system at all except under automation -- or they'll be targetting it at a particular target, in which case the 'extra' effort spent to customize for the distro the target is used is required anyway, and is drowned in the effort spent on the rest of the targetted attack.
|
|||||||||||||