On Tue, Apr 26, 2011 at 11:21:38AM -0000, Richard W.M. Jones wrote:
> What is being protected by this mode change? This kernel is distributed
> on hundreds of mirrors -- there is no secret in here.

The mode changes do not protect a system from any dedicated attacker (for the reason you state), but it does have real-world benefits against simplistic kernel exploitation (keeping kernel symbols away from non-root users). It is absolutely a trade-off.

> When we install libguestfs, we need to boot using this kernel. What change
> do I need to make to libguestfs so that when a sysadmin installs it, it will
> change the permissions back to 0644 automatically?

Shipping a pair of files in /etc/kernel/postinst.d/ and /etc/kernel/postrm.d/ to call dpkg-statoverride --add and --remove respectively is likely the cleanest approach to handling this.

--
Kees Cook
Ubuntu Security Team

https://bugs.launchpad.net/bugs/759725
Title: The kernel is no longer readable by non-root users
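
The hook pair suggested in the reply, sketched as an added example (not code from libguestfs, Ubuntu, or the author of the message): a single script installed under both directories that registers the override on kernel install and drops it on removal. The file name, the `STATOVERRIDE` variable and the function names are hypothetical, and the image is assumed to live at /boot/vmlinuz-<version>; on any host where it runs, the kernel image is again readable by non-root users, which is the trade-off named in the message.

```shell
#!/bin/sh
# Added example: one script installed as both (hypothetical file name)
#   /etc/kernel/postinst.d/zz-guestfs-kernel-readable
#   /etc/kernel/postrm.d/zz-guestfs-kernel-readable
# Kernel hook scripts receive the kernel version as $1.
# Assumption: the image is /boot/vmlinuz-<version>.

# Overridable so the logic can be exercised without touching the dpkg database.
STATOVERRIDE=${STATOVERRIDE:-dpkg-statoverride}

# Print the image path for a version; refuse anything that could leave /boot.
image_path() {
    case "$1" in
        ''|*/*|*[!A-Za-z0-9.+~_-]*) return 1 ;;
    esac
    printf '/boot/vmlinuz-%s\n' "$1"
}

has_override() {
    "$STATOVERRIDE" --list "$1" >/dev/null 2>&1
}

# postinst: register root:root 0644; --update also chmods the file on disk now.
add_override() {
    img=$(image_path "$1") || return 1
    # --add errors out if an override already exists, so stay idempotent.
    has_override "$img" && return 0
    "$STATOVERRIDE" --update --add root root 0644 "$img"
}

# postrm: drop the database entry so no stale override outlives the kernel.
remove_override() {
    img=$(image_path "$1") || return 1
    has_override "$img" || return 0
    "$STATOVERRIDE" --remove "$img"
}

# Pick the action from the directory the hook was invoked from.
case "$0" in
    */postinst.d/*) add_override "$1" ;;
    */postrm.d/*)   remove_override "$1" ;;
esac
```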