Ansgar <ans...@debian.org> writes: > 10.9 Permissions and owners currently says
> | Files should be owned by root:root, and made writable only by the > | owner and universally readable (and executable, if appropriate), > | that is mode 644 or 755." > However most files shouldn't be modified as modifications will just be > lost (e.g. everything installed by the package manager that isn't > handled as a conffile). It also gives more permissions than the minimum > needed. > I think static files should not be writable instead, so every file under > /usr (and /bin, /sbin, /lib*; or everything dpkg installs that is not a > conffile) should have 444 (or 555). I assume this is in support of systems, containers, or jails where UID 0 may not have CAP_FOWNER? The basic argument makes sense to me, but this is the sort of change where we'll need to figure out a transition strategy coordinated across multiple packages, since this behavior is encoded in a lot of places. Maybe it would make sense for Guillem to weigh in first and indicate whether this would be a problem on the dpkg side and if he sees any concerns. Copying debian-dpkg@lists for that. -- Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>