Isto foi alterado no Fedora por volta de 2009. Fonte: link
Agradecemos a @jordanm por apontar isso. Eu tentei copiar as cotações relevantes. Isenção de responsabilidade: tenho certeza de que essa renderização perdeu algo no processo.
The changes take away write permissions for root so that you also need DAC_OVERRIDE in order to write. We then dropped capabilities on things that needed to be root, but are network facing, or setuid.
Resposta crítica
Anyways, this was a well-intentioned idea, but in reality it won't work without significant further work because a process with uid 0 but not CAP_DAC_OVERRIDE is still perfectly capable of rewriting e.g. /usr/bin/bash which still has u+w, or /root/.bashrc for that matter. The answer to this sort of thing is SELinux. Any objections to a patch to revert back to mode 755 for directories?
Resposta do autor:
What problem does [your software] have? If its trying to write to system directories, it should have a problem.
Responder:
It's not a big deal, the code to effectively revert it rpm-ostree is small and shouldn't be hard to carry over time.
I just wanted to cross-link the bugs so that anyone else who hit this can see the change we did in rpm-ostree.
Third party interjection: It's about kludges that are needed in any tool of the class to cope with this.
https://github.com/projectatomic/rpm-ostree/pull/335
Link to the Fedora bug that introduced this, and also change things so it's also used for the "compose" case because:
- Again it doesn't add security
- Tools that operate on "compose" repos have to work around this when doing checkouts, see e.g. https://lists.freedesktop.org/archives/xdg-app/2016-June/000241.html