The recent announcement of systemd 261 includes:
A new tmpfiles.d/root.conf for ensuring that root directory permissions get set to 0555.
This has sparked some discussion online as to why 555 (r-xr-xr-x) is being used and not the historical 755 (rwxr-xr-x). Is this something that is in place on Fedora installations currently (sorry, I can’t check; my Fedora machine is out of action ATM), and if so, what is the reason for preferring 555?
The main contention with 555 is that it is pointless due to the root user being subject to CAP_DAC_OVERRIDE, which bypasses read, write and execute permission checks.
I messaged Lennart Poettering about this but didn’t receive a reply.
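
The interaction between the mode bits on `/` and CAP_DAC_OVERRIDE raised in the post above, as an added example that is not part of the original post and is not systemd code. It is a simplified model of the kernel's discretionary access check (ACLs, LSMs, read-only mounts and immutable flags are ignored), and the function names and the sample status text are constructed for illustration.

```python
import os

CAP_DAC_OVERRIDE = 1  # bit number defined in linux/capability.h

# Constructed sample: a /proc/<pid>/status excerpt for a root process that
# has had CAP_DAC_OVERRIDE (bit 1) removed from its effective set.
SAMPLE_STATUS = "Name:\tdemo\nUid:\t0\t0\t0\t0\nCapEff:\t000001fffffffffd\n"


def parse_cap_eff(status_text):
    """Return the CapEff hex mask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("no CapEff line found")


def has_cap(cap_eff_hex, cap=CAP_DAC_OVERRIDE):
    """True if capability bit `cap` is set in the hex mask."""
    return bool((int(cap_eff_hex, 16) >> cap) & 1)


def dir_write_allowed(mode, owner_uid, owner_gid, uid, gids, cap_eff_hex):
    """Model the DAC check for creating an entry in a directory.

    Returns (allowed, reason): the mode bits are consulted first, and
    CAP_DAC_OVERRIDE is the fallback when they deny the request.
    """
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7      # owner class
    elif owner_gid in gids:
        bits = (mode >> 3) & 0o7      # group class
    else:
        bits = mode & 0o7             # other class
    if (bits & 0o3) == 0o3:           # needs write (2) and search (1)
        return True, "mode bits"
    if has_cap(cap_eff_hex):
        return True, "CAP_DAC_OVERRIDE"
    return False, "denied"


if __name__ == "__main__":
    st = os.stat("/")
    with open("/proc/self/status") as f:
        cap_eff = parse_cap_eff(f.read())
    print(oct(st.st_mode & 0o7777), dir_write_allowed(
        st.st_mode, st.st_uid, st.st_gid,
        os.geteuid(), set(os.getgroups()) | {os.getegid()}, cap_eff))
```

Run as a script, it reports the current mode of `/` and whether the calling process would pass the modelled check, and by which route.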