-
Notifications
You must be signed in to change notification settings - Fork 173
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change the system.map file permission only readable by root #329
Change the system.map file permission only readable by root #329
Conversation
|
/easycla |
8f9285f
to
6f91b49
Compare
Looks like this was opened against an older version of the master branch, can you merge/rebase against the latest changes? |
Never mind, I see you updated it now |
@saiarcot895, why did you merge a “security patch“, that does not contain any information at all about the motivation? Why are Debian’s defaults bad? @saiarcot895, please revert, and @xumia, please resubmit with proper description. |
@paulmenzel there are some details in sonic-net/sonic-buildimage#15893. The short version of it is that as per OpenSCAP, the System.map file must be readable only by root. This is despite the fact that Debian already ships a fake System.map file (since there's almost never a need to use the actual contents of the file at runtime). The options to meet OpenSCAP's requirements are either to make it readable only by root, or to remove it (both of which can be done either at package installation time or during the package build time). Since it would be better to have it be consistently done at package build time (so that manual changes to files from packages are not needed), I recommended having the change be done in this repo via a patch instead. To be clear, it's not that Debian's defaults are bad/insecure; it's just that some security projects/audits have different requirements that need to be met. |
@xumia This patch actually needs to go into the |
@saiarcot895 , thanks, I have sent another PR to fix it, #331 |
…onic-net#329)" This reverts commit fa40db7.
Change the system.map file permission only readable by root