Accepting request 18547 from Base:System
Copy from Base:System/permissions based on submit request 18547 from user lnussel OBS-URL: OBS-URL:
@ -1,86 +0,0 @@
#! /bin/bash
# This module checks and sets file permissions
# Copyright (C) 1996-2007 SUSE Linux Products GmbH, Nuernberg, Germany.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
# Author: Burchard Steinbild, 1996-97
# Bernhard Kaindl <>, 1999
# Rüdiger Oertel <>, 2000-01
# Ludwig Nussel <> 2007
. /lib/YaST/SuSEconfig.functions || exit 1
for i in /etc/sysconfig/security /etc/sysconfig/suseconfig ; do
. $i || exit 1
if test -n "$ENABLE_SUSECONFIG" -a "$ENABLE_SUSECONFIG" = "no" ; then
echo "SuSEconfig is disabled in /etc/sysconfig/suseconfig"
exit 0
set) mode="-set" ;;
warn) ;;
no|"") exit 0 ;;
*) echo "invalid value '$CHECK_PERMISSIONS' for \$CHECK_PERMISSIONS" >&2 ;;
# collect files that contain permission specifications
# 1. central fixed permissions file
# 2. central easy, secure paranoid as those are defined by SUSE
for level in $PERMISSION_SECURITY; do
case "$level" in
if [ -e /etc/permissions.$level ]; then
files="$files /etc/permissions.$level"
# 3. package specific permissions
pkgfiles=(`for i in ${pkgfiles[@]}; do echo $i; done | /usr/bin/sort -u`)
for file in ${pkgfiles[@]}; do
[ -e $file ] && files="$files $file"
for level in $PERMISSION_SECURITY; do
[ -e $file.$level ] && files="$files $file.$level"
# 4. central permissions files with user defined level incl 'local'
for level in $PERMISSION_SECURITY; do
case "$level" in
easy|secure|paranoid) continue ;;
if [ -e /etc/permissions.$level ]; then
files="$files /etc/permissions.$level"
/usr/bin/chkstat $mode $files
@ -1,198 +0,0 @@
#!/usr/bin/perl -w
# perform some consistency checks on permission files
use Getopt::Long;
use strict;
use Data::Dumper;
use File::Basename;
my @deflevels = ('easy', 'secure', 'paranoid');
my @defpermfiles = ('permissions', 'permissions.easy', '', 'permissions.paranoid');
# filename
# - level (DEFAULT, easy, secure, paranoid)
# - owner
# - mode
my %perms;
my($nodups, $checkmissing, $defonly, $showsuid, $showsgid, $showww, $showgw,
$show, @levels, $showsame, $dump, @permfiles, $help, $checkdirs);
GetOptions (
"nodups" => \$nodups,
"missing" => \$checkmissing,
"defonly" => \$defonly,
"show" => \$show,
"suid" => \$showsuid,
"sgid" => \$showsgid,
"ww" => \$showww,
"gw" => \$showgw,
"same" => \$showsame,
"level=s" => \@levels,
"dump" => \$dump,
"checkdirs=s" => \$checkdirs,
"help" => \$help,
print <<EOF;
perform some consistency checks on permission files
--nodups skip check for duplicate entries
--same check for identical entries in all files
--missing check whether entries are in all three files (default)
--defonly run actions only on default file
--show show entries
--suid only suid files
--sgid only sgid files
--ww only world writeable files
--gw only group writeable files
--dump dump files as perl hash
--level restrict checks to this coma separated list of levels
--checkdirs DIR check for group writeable directories below DIR
exit 0;
@levels = @deflevels unless $#levels != -1;
@levels = split(/,/,join(',',@levels));
if($#ARGV != -1)
while (my $permfile = shift @ARGV)
push @permfiles, $permfile;
@permfiles = @defpermfiles;
for my $permfile (@permfiles)
my $level = 'DEFAULT';
$level =$1 if(basename($permfile) =~ /.*\.(.*)/);
open(FH, '<', $permfile) or next;
next if(/^$/);
my ($file, $owner, $mode) = split(/\s+/);
if(!$nodups && exists($perms{$file}{$level}))
print STDERR "$permfile:$. File listed twice: $file already in $level\n";
$perms{$file}{$level}{'owner'} = $owner;
$perms{$file}{$level}{'mode'} = $mode;
if(! -e $checkdirs.$file)
#print STDERR "$permfile:$.: can't check $file\n";
elsif(-d $checkdirs.$file && oct($mode)&020 && !(oct($mode)&01000))
print STDERR "$permfile:$.: $file group writeable but not sticky\n"
my ($file, $owner, $mode, $level);
format FORMATTED =
@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<<<< @>>>> (@*)
$file, $owner, $mode, $level
$checkmissing = 1 unless ($show || $showsuid || $showsgid || $showww || $showgw || $dump || $showsame);
foreach $file (sort keys %perms)
next if($defonly && !exists($perms{$file}{'DEFAULT'}));
my @l = ('DEFAULT');
push @l, @levels unless $defonly;
my ($om, $modechanged, $numseen);
$numseen = 0;
for $level (@l)
next unless exists $perms{$file}{$level};
$mode = $perms{$file}{$level}{'mode'};
$om = oct($mode) unless $om;
$modechanged = 1 if($om != oct($mode));
$owner = $perms{$file}{$level}{'owner'};
next if(
($showsuid && !(oct($mode) & 04000)) ||
($showsgid && !(oct($mode) & 02000)) ||
($showww && !(oct($mode) & 0002)) ||
($showgw && !(oct($mode) & 0020))
write FORMATTED if ($show);
if($numseen > 3)
print STDERR "Suspicious: $file in >3 levels\n";
if($showsame && $numseen > 1 && !$modechanged)
print STDERR "Useless: $file\n";
my $msg = '';
for $level (@levels)
$msg .= " not in $level\n";
if(length $msg)
print STDERR "$file:\n$msg\n";
print Dumper(\%perms) if($dump);
# vim: sw=4
@ -1,78 +0,0 @@
.\" SUSE man page for chkstat
.\" Author: Ruediger Oertel
.TH CHKSTAT 8 "2008-04-17" "SUSE Linux" "Tool to check and set file permissions"
.UC 8
chkstat \- Tool to check and set file permissions
.B chkstat
.RB \|[\| \-\-set|\-set ]
.RB \|[\| \-\-noheader ]
.RB \|[\|\|[\| \-\-examine\ file\ ] ... ]
.RB \|[\|\|[\| \-\-files\ filelist\ ] ... ]
.RB \|[\|\|[\| \-\-root\ directory\ ] ... ]
.B permission-file ...
The program
.I /usr/bin/chkstat
is a tool to check and set file permissions.
Multiple permissions files can be given on the commandline.
If the permission files contain multiple entries for a single
file, the last entry found will be used.
.SS General Options
.IR \-\-set ,\ \-set
This option enables setting the file permissions,
the default is to check and warn only.
.IR \-\-noheader
Omit printing the output header lines.
.IR \-\-examine\ file
Check permissions for this file and not all files listed in the permissions files.
.IR \-\-files\ filelist
Check permissions for the files listed in
.IR filelist
and not for all files listed in the permissions files.
.IR \-\-root\ directory
Prefix the files given in the permissions files by this directory.
The command
.B chkstat -set /etc/permissions
will parse the file /etc/permissions and set the access mode and the
user- and group memberships each file listed. The format
for the input file is
and wildcards are not supported for the filepath. Lines starting
with '#' and empty lines are treated as comments.
1996-2003 SuSE Linux AG, Nuernberg, Germany.
2008 SUSE LINUX Products GmbH
Reinhold Sojer, Ruediger Oertel, Michael Schroeder
Useful changes and additions by Tobias Burnus
@ -1,591 +0,0 @@
/* Copyright (c) 2004 SuSE Linux AG
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2, or (at your option)
* any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program (see the file COPYING); if not, write to the
* Free Software Foundation, Inc.,
* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
#include <stdio.h>
#include <pwd.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#define __USE_GNU
#include <fcntl.h>
struct perm {
struct perm *next;
char *file;
char *owner;
char *group;
mode_t mode;
struct perm *permlist;
char **checklist;
int nchecklist;
uid_t euid;
char *root;
int rootl;
add_permlist(char *file, char *owner, char *group, mode_t mode)
struct perm *ec, **epp;
owner = strdup(owner);
group = strdup(group);
if (rootl)
char *nfile;
nfile = malloc(strlen(file) + rootl + (*file != '/' ? 2 : 1));
if (nfile)
strcpy(nfile, root);
if (*file != '/')
strcat(nfile, "/");
strcat(nfile, file);
file = nfile;
file = strdup(file);
if (!owner || !group || !file)
perror("permlist entry alloc");
for (epp = &permlist; (ec = *epp) != 0; )
if (!strcmp(ec->file, file))
*epp = ec->next;
epp = &ec->next;
ec = malloc(sizeof(struct perm));
if (ec == 0)
perror("permlist entry alloc");
ec->file = file;
ec->owner = owner;
ec->group = group;
ec->mode = mode;
ec->next = 0;
*epp = ec;
in_checklist(char *e)
int i;
for (i = 0; i < nchecklist; i++)
if (!strcmp(e, checklist[i]))
return 1;
return 0;
add_checklist(char *e)
if (in_checklist(e))
e = strdup(e);
if (e == 0)
perror("checklist entry alloc");
if ((nchecklist & 63) == 0)
if (checklist == 0)
checklist = malloc(sizeof(char *) * (nchecklist + 64));
checklist = realloc(checklist, sizeof(char *) * (nchecklist + 64));
if (checklist == 0)
perror("checklist alloc");
checklist[nchecklist++] = e;
readline(FILE *fp, char *buf, int len)
int l;
if (!fgets(buf, len, fp))
return 0;
l = strlen(buf);
if (l && buf[l - 1] == '\n')
buf[l] = 0;
if (l + 1 < len)
return 1;
fprintf(stderr, "warning: buffer overrun in line starting with '%s'\n", buf);
while ((l = getc(fp)) != EOF && l != '\n')
buf[0] = 0;
return 1;
usage(int x)
fprintf(stderr, "Usage: chkstat [--set] [--noheader] [[--examine file] ...] [ [--files filelist] ...] permission-file ...\n");
safepath(char *path, uid_t uid, gid_t gid)
struct stat stb;
char pathbuf[1024];
char linkbuf[1024];
char *p, *p2;
int l, l2, lcnt;
lcnt = 0;
l2 = strlen(path);
if (l2 >= sizeof(pathbuf))
return 0;
strcpy(pathbuf, path);
if (pathbuf[0] != '/')
return 0;
p = pathbuf + rootl;
for (;;)
p = strchr(p, '/');
if (!p)
return 1;
*p = 0;
if (lstat(*pathbuf ? pathbuf : "/", &stb))
return 0;
if (S_ISLNK(stb.st_mode))
if (++lcnt >= 256)
return 0;
l = readlink(pathbuf, linkbuf, sizeof(linkbuf));
if (l <= 0 || l >= sizeof(linkbuf))
return 0;
while(l && linkbuf[l - 1] == '/')
if (l + 1 >= sizeof(linkbuf))
return 0;
linkbuf[l++] = '/';
linkbuf[l] = 0;
*p++ = '/';
if (linkbuf[0] == '/')
if (rootl)
p[-1] = 0;
fprintf(stderr, "can't handle symlink %s at the moment\n", pathbuf);
return 0;
l2 -= (p - pathbuf);
memmove(pathbuf + rootl, p, l2 + 1);
l2 += rootl;
p = pathbuf + rootl;
if (p - 1 == pathbuf)
return 0; /* huh, "/" is a symlink */
for (p2 = p - 2; p2 >= pathbuf; p2--)
if (*p2 == '/')
if (p2 < pathbuf + rootl) /* cannot happen */
return 0;
p2++; /* am now after '/' */
memmove(p2, p, pathbuf + l2 - p + 1);
l2 -= (p - p2);
p = p2;
if (l + l2 >= sizeof(pathbuf))
return 0;
memmove(p + l, p, pathbuf + l2 - p + 1);
memmove(p, linkbuf, l);
l2 += l;
if (pathbuf[0] != '/') /* cannot happen */
return 0;
if (p == pathbuf)
if (!S_ISDIR(stb.st_mode))
return 0;
/* write is always forbidden for other */
if ((stb.st_mode & 02) != 0)
return 0;
/* owner must be ok as she may change the mode */
/* for euid != 0 it is also ok if the owner is euid */
if (stb.st_uid && stb.st_uid != uid && stb.st_uid != euid)
return 0;
/* group gid may do fancy things */
/* for euid != 0 we don't check this */
if ((stb.st_mode & 020) != 0 && !euid)
if (!gid || stb.st_gid != gid)
return 0;
*p++ = '/';
main(int argc, char **argv)
char *opt, *p;
int set = 0;
int told = 0;
int use_checklist = 0;
FILE *fp;
char line[512];
char *part[4];
int i, pcnt, lcnt;
int inpart;
mode_t mode;
struct perm *e;
struct stat stb, stb2;
struct passwd *pwd = 0;
struct group *grp = 0;
uid_t uid;
gid_t gid;
int fd, r;
int errors = 0;
while (argc > 1)
opt = argv[1];
if (!strcmp(opt, "--"))
if (*opt == '-' && opt[1] == '-')
if (!strcmp(opt, "-s") || !strcmp(opt, "-set"))
set = 1;
if (!strcmp(opt, "-n") || !strcmp(opt, "-noheader"))
told = 1;
if (!strcmp(opt, "-e") || !strcmp(opt, "-examine"))
if (argc == 1)
fprintf(stderr, "examine: argument required\n");
use_checklist = 1;
if (!strcmp(opt, "-f") || !strcmp(opt, "-files"))
if (argc == 1)
fprintf(stderr, "files: argument required\n");
if ((fp = fopen(argv[1], "r")) == 0)
fprintf(stderr, "files: %s: %s\n", argv[1], strerror(errno));
while (readline(fp, line, sizeof(line)))
if (!*line)
use_checklist = 1;
if (!strcmp(opt, "-r") || !strcmp(opt, "-root"))
if (argc == 1)
fprintf(stderr, "root: argument required\n");
root = argv[1];
rootl = strlen(root);
if (*root != '/')
fprintf(stderr, "root: must begin with '/'\n");
if (*opt == '-')
usage(!strcmp(opt, "-h") || !strcmp(opt, "-help") ? 0 : 1);
if (argc <= 1)
for (i = 1; i < argc; i++)
if ((fp = fopen(argv[i], "r")) == 0)
lcnt = 0;
while (readline(fp, line, sizeof(line)))
if (*line == 0 || *line == '#' || *line == '$')
inpart = 0;
pcnt = 0;
for (p = line; *p; p++)
if (*p == ' ' || *p == '\t')
*p = 0;
if (inpart)
inpart = 0;
if (!inpart)
inpart = 1;
if (pcnt == 3)
part[pcnt] = p;
if (inpart)
if (pcnt != 3)
fprintf(stderr, "bad permissions line %s:%d\n", argv[i], lcnt);
part[3] = part[2];
part[2] = strchr(part[1], ':');
if (!part[2])
part[2] = strchr(part[1], '.');
if (!part[2])
fprintf(stderr, "bad permissions line %s:%d\n", argv[i], lcnt);
*part[2]++ = 0;
mode = strtoul(part[3], part + 3, 8);
if (mode > 07777 || part[3][0])
fprintf(stderr, "bad permissions line %s:%d\n", argv[i], lcnt);
add_permlist(part[0], part[1], part[2], mode);
euid = geteuid();
for (e = permlist; e; e = e->next)
if (use_checklist && !in_checklist(e->file))
if (lstat(e->file, &stb))
if (S_ISLNK(stb.st_mode))
if ((!pwd || strcmp(pwd->pw_name, e->owner)) && (pwd = getpwnam(e->owner)) == 0)
fprintf(stderr, "%s: unknown user %s\n", e->file, e->owner);
if ((!grp || strcmp(grp->gr_name, e->group)) && (grp = getgrnam(e->group)) == 0)
fprintf(stderr, "%s: unknown group %s\n", e->file, e->group);
uid = pwd->pw_uid;
gid = grp->gr_gid;
if ((stb.st_mode & 07777) == e->mode && stb.st_uid == uid && stb.st_gid == gid)
if (!told)
told = 1;
printf("Checking permissions and ownerships - using the permissions files\n");
for (i = 1; i < argc; i++)
printf("\t%s\n", argv[i]);
if (!set)
printf("%s should be %s:%s %04o.", e->file, e->owner, e->group, e->mode);
printf("setting %s to %s:%s %04o.", e->file, e->owner, e->group, e->mode);
printf(" (wrong");
if (stb.st_uid != uid || stb.st_gid != gid)
pwd = getpwuid(stb.st_uid);
grp = getgrgid(stb.st_gid);
if (pwd)
printf(" owner/group %s", pwd->pw_name);
printf(" owner/group %d", stb.st_uid);
if (grp)
printf(":%s", grp->gr_name);
printf(":%d", stb.st_gid);
pwd = 0;
grp = 0;
if ((stb.st_mode & 07777) != e->mode)
printf(" permissions %04o", (int)(stb.st_mode & 07777));
if (!set)
fd = -1;
if (S_ISDIR(stb.st_mode))
if (fd == -1)
else if (S_ISREG(stb.st_mode))
fd = open(e->file, O_RDONLY|O_NONBLOCK|O_NOFOLLOW);
if (fd == -1)
if (fstat(fd, &stb2))
if (stb.st_mode != stb2.st_mode || stb.st_nlink != stb2.st_nlink || stb.st_dev != stb2.st_dev || stb.st_ino != stb2.st_ino)
fprintf(stderr, "%s: too fluctuating\n", e->file);
if (stb.st_nlink > 1 && !safepath(e->file, 0, 0))
fprintf(stderr, "%s: on an insecure path\n", e->file);
else if (e->mode & 06000)
/* extra checks for s-bits */
if (!safepath(e->file, (e->mode & 02000) == 0 ? uid : 0, (e->mode & 04000) == 0 ? gid : 0))
fprintf(stderr, "%s: will not give away s-bits on an insecure path\n", e->file);
else if (strncmp(e->file, "/dev/", 4) != 0)
fprintf(stderr, "%s: don't know what to do with that type of file\n", e->file);
if (euid == 0 && (stb.st_uid != uid || stb.st_gid != gid))
if (fd >= 0)
r = fchown(fd, uid, gid);
r = chown(e->file, uid, gid);
if (r)
fprintf(stderr, "%s: chown: %s\n", e->file, strerror(errno));
if (fd >= 0)
r = fstat(fd, &stb);
r = lstat(e->file, &stb);
if (r)
fprintf(stderr, "%s: too fluctuating\n", e->file);
if ((stb.st_mode & 07777) != e->mode)
if (fd >= 0)
r = fchmod(fd, e->mode);
r = chmod(e->file, e->mode);
if (r)
fprintf(stderr, "%s: chmod: %s\n", e->file, strerror(errno));
if (fd >= 0)
if (errors)
fprintf(stderr, "ERROR: not all operations were successful.\n");
@ -1 +0,0 @@
get_date_version_string `find_newest_file *.*`
@ -1,199 +0,0 @@
# /etc/permissions
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
# Author: Roman Drahtmueller <>, 2001
# This file is used by SuSEconfig and chkstat to check or set the modes
# and ownerships of files and directories in the installation.
# There is a set of files with similar meaning in a SuSE installation:
# /etc/permissions (This file)
# /etc/permissions.easy
# /etc/
# /etc/permissions.paranoid
# /etc/permissions.local
# Please see the respective files for their meaning.
# Format:
# <file> <owner>:<group> <permission>
# How it works:
# Change the entries as you like, then call
# 'chkstat -set /etc/permissions' or /etc/permissions.{easy,secure,paranoid}
# respectively, or call 'SuSEconfig' as yast do after they think
# that files have been modified in the system.
# SuSEconfig will use the files /etc/permissions and the ones ending
# in what the variable PERMISSION_SECURITY from
# /etc/sysconfig/security contains. By default, these are the files
# /etc/permissions, /etc/permissions.easy and /etc/permissions.local
# for local changes by the admin. In addition, the directory
# /etc/permissions.d/ can contain permission files that belong to
# the packages they modify file modes for. These permission files
# are to switch between conflicting file modes of the same file
# paths in different packages (popular example: sendmail and
# postfix, path /usr/sbin/sendmail).
# SuSEconfig's usage of the chkstat program can be turned off completely
# by setting CHECK_PERMISSIONS to "warn" in /etc/sysconfig/security.
# /etc/permissions is kept to the bare minimum. File modes that differ
# from the settings in this file should be considered broken.
# Please see the headers of the files
# /etc/permissions.easy
# /etc/
# /etc/permissions.paranoid
# as well as
# /etc/permissions.local
# for more information about their particular meaning and their setup.
# root directories:
/ root:root 755
/root/ root:root 700
/tmp/ root:root 1777
/tmp/.X11-unix/ root:root 1777
/tmp/.ICE-unix/ root:root 1777
/dev/ root:root 755
/bin/ root:root 755
/sbin/ root:root 755
/lib/ root:root 755
/etc/ root:root 755
/home/ root:root 755
/boot/ root:root 755
/opt/ root:root 755
/usr/ root:root 755
# /var:
/var/tmp/ root:root 1777
/var/tmp/vi.recover/ root:root 1777
/var/log/ root:root 755
/var/spool/ root:root 755
/var/spool/mqueue/ root:root 700
/var/spool/news/ news:news 775
/var/spool/uucp/ uucp:uucp 755
/var/spool/voice/ root:root 755
/var/spool/mail/ root:root 1777
/var/adm/ root:root 755
/var/adm/backup/ root:root 700
/var/cache/ root:root 755
/var/cache/fonts/ root:root 1777
/var/cache/man/ man:root 755
/var/yp/ root:root 755
/var/run/nscd/socket root:root 666
/var/run/sudo/ root:root 700
# log files that do not grow remarkably
/var/log/faillog root:root 600
# This file is not writeable by gid tty so that the information
# therein can be trusted.
/var/log/lastlog root:tty 644
# some device files
/dev/zero root:root 666
/dev/null root:root 666
/dev/full root:root 666
/dev/ip root:root 660
/dev/initrd root:disk 660
/dev/kmem root:kmem 640
# /etc
/etc/lilo.conf root:root 600
/etc/passwd root:root 644
/etc/shadow root:shadow 640
/etc/init.d/ root:root 755
/etc/HOSTNAME root:root 644
/etc/hosts root:root 644
# Changing the hosts_access(5) files causes trouble with services
# that do not run as root!
/etc/hosts.allow root:root 644
/etc/hosts.deny root:root 644
/etc/hosts.equiv root:root 644
/etc/hosts.lpd root:root 644
/etc/ root:root 644
/etc/ root:root 644
/etc/opiekeys root:root 600
/etc/ppp/ root:dialout 750
/etc/ppp/chap-secrets root:root 600
/etc/ppp/pap-secrets root:root 600
# sysconfig files:
/etc/sysconfig/network/providers/ root:root 700
# utempter
/usr/sbin/utempter root:tty 2755
# ensure correct permissions on ssh files to avoid sshd refusing
# logins (bnc#398250)
/etc/ssh/ssh_host_key root:root 600
/etc/ssh/ root:root 644
/etc/ssh/ssh_host_dsa_key root:root 600
/etc/ssh/ root:root 644
/etc/ssh/ssh_host_rsa_key root:root 600
/etc/ssh/ root:root 644
/etc/ssh/ssh_config root:root 644
/etc/ssh/sshd_config root:root 640
# legacy
# don't set the setuid bit on suidperl! Set it on sperl instead if
# you really need it as suidperl is a hardlink to perl nowadays.
/usr/bin/suidperl root:root 755
# cdrecord does not need to be setuid root as it uses resmgr for
# accessing the devices. Access to that one can be configured in
# /etc/resmgr.conf
/usr/bin/cdrecord root:root 755
# new traceroute program by Olaf Kirch does not need setuid root any more.
/usr/sbin/traceroute root:root 755
# netatalk printer daemon: sgid not needed any more with cups.
/usr/sbin/papd root:lp 0755
# games:games 775 safe as long as we don't change files below it (#103186)
# still people do it (#429882) so root:root 755 is the consequence.
/var/games/ root:root 0755
# No longer common. Set setuid bit yourself if you need it
# (#66191)
#/usr/bin/ziptool root:trusted 4750
# udev static devices (#438039)
/lib/udev/devices/net/tun root:root 0666
/lib/udev/devices/null root:root 0666
/lib/udev/devices/ptmx root:tty 0666
/lib/udev/devices/tty root:tty 0666
/lib/udev/devices/zero root:root 0666
# directory for system crash dumps (#438041)
/var/crash/ root:root 1777
# named chroot (#438045)
/var/lib/named/dev/null root:root 0666
/var/lib/named/dev/random root:root 0666
@ -0,0 +1,3 @@
oid sha256:93f8bb126cf82a643030902d002344e9bfc3a5dea03b909ae1192aae7ac1fa21
size 17497
@ -1,3 +1,20 @@
Mon Aug 24 09:53:25 UTC 2009 -
- remove permissions handling for traceroute6 and cdrecord which are
symlinks nowadays
Thu Aug 20 08:30:02 UTC 2009 -
- fix weird sendfax permissions (bnc#525954)
Wed Aug 19 11:17:53 UTC 2009 -
- permissions now maintained at gitorious so use tarball instead of
individual files
Wed Aug 12 09:57:12 CEST 2009 -
@ -1,417 +0,0 @@
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
# Author: Roman Drahtmueller <>, 2001
# See /etc/permissions for general hints on how to use this file.
# /etc/permissions.easy is set up for the use in a standalone and single-user
# installation to make things "work" out-of-the box.
# Some of the settings might be considered somewhat lax from the security
# standpoint. These aspects are handled differently in the
# file.
# Directories
# lock file for emacs
/var/lib/xemacs/lock/ root:root 1777
# for screen's session sockets:
/var/run/uscreens/ root:root 1777
# /etc
/etc/crontab root:root 644
/etc/exports root:root 644
/etc/fstab root:root 644
# we don't package it
/etc/ftpaccess root:root 644
/etc/ftpusers root:root 644
/etc/inetd.conf root:root 644
/etc/inittab root:root 644
/etc/mtab root:root 644
/etc/rmtab root:root 644
/var/lib/nfs/rmtab root:root 644
/etc/syslog.conf root:root 644
# suid system programs that need the suid bit to work:
/bin/su root:root 4755
/usr/bin/at root:trusted 4755
/usr/bin/crontab root:trusted 4755
/usr/bin/gpasswd root:shadow 4755
/usr/bin/newgrp root:root 4755
/usr/bin/passwd root:shadow 4755
/usr/bin/chfn root:shadow 4755
/usr/bin/chage root:shadow 4755
/usr/bin/chsh root:shadow 4755
/usr/bin/expiry root:shadow 4755
# the default configuration of the sudo package in SuSE distribution is to
# intimidate users.
/usr/bin/sudo root:root 4755
/usr/sbin/su-wrapper root:root 4755
# opie password system
# #66303
/usr/bin/opiepasswd root:root 4755
/usr/bin/opiesu root:root 4755
# "user" entries in /etc/fstab make mount work for non-root users:
/usr/bin/ncpmount root:trusted 4750
/usr/bin/ncpumount root:trusted 4750
# #331020
/sbin/mount.nfs root:root 4755
# mount/umount have had their problems already:
/bin/mount root:root 4755
/bin/umount root:root 4755
/bin/eject root:audio 4755
# #133657
/usr/bin/fusermount root:trusted 4755
# #66203
/usr/lib/majordomo/wrapper root:daemon 4755
# glibc backwards compatibility
/usr/lib/pt_chown root:root 4755
/usr/lib64/pt_chown root:root 4755
# needs setuid root when using shadow via NIS:
# #216816
/sbin/unix_chkpwd root:shadow 4755
/sbin/unix2_chkpwd root:shadow 4755
# qpopper
/usr/sbin/popauth pop:trusted 4755
# from the squid package
/usr/sbin/pam_auth root:shadow 4755
# still to be converted to utempter
/usr/lib/vte/gnome-pty-helper root:tty 2755
# mixed section:
# rpm subsystem:
/usr/src/packages/SOURCES/ root:root 1777
/usr/src/packages/BUILD/ root:root 1777
/usr/src/packages/RPMS/ root:root 1777
/usr/src/packages/RPMS/alpha/ root:root 1777
/usr/src/packages/RPMS/alphaev56/ root:root 1777
/usr/src/packages/RPMS/alphaev67/ root:root 1777
/usr/src/packages/RPMS/alphaev6/ root:root 1777
/usr/src/packages/RPMS/arm4l/ root:root 1777
/usr/src/packages/RPMS/athlon/ root:root 1777
/usr/src/packages/RPMS/i386/ root:root 1777
/usr/src/packages/RPMS/i486/ root:root 1777
/usr/src/packages/RPMS/i586/ root:root 1777
/usr/src/packages/RPMS/i686/ root:root 1777
/usr/src/packages/RPMS/ia64/ root:root 1777
/usr/src/packages/RPMS/mips/ root:root 1777
/usr/src/packages/RPMS/ppc/ root:root 1777
/usr/src/packages/RPMS/ppc64/ root:root 1777
/usr/src/packages/RPMS/powerpc/ root:root 1777
/usr/src/packages/RPMS/powerpc64/ root:root 1777
/usr/src/packages/RPMS/s390/ root:root 1777
/usr/src/packages/RPMS/s390x/ root:root 1777
/usr/src/packages/RPMS/sparc/ root:root 1777
/usr/src/packages/RPMS/sparcv9/ root:root 1777
/usr/src/packages/RPMS/sparc64/ root:root 1777
/usr/src/packages/RPMS/x86_64/ root:root 1777
/usr/src/packages/RPMS/armv4l/ root:root 1777
/usr/src/packages/RPMS/hppa/ root:root 1777
/usr/src/packages/RPMS/hppa2.0/ root:root 1777
/usr/src/packages/RPMS/noarch/ root:root 1777
/usr/src/packages/SPECS/ root:root 1777
/usr/src/packages/SRPMS/ root:root 1777
# video
/usr/bin/v4l-conf root:video 4755
# Itanium ia32 emulator
/usr/lib/ia32el/suid_ia32x_loader root:root 4755
# scotty:
# #66211
/usr/bin/ntping root:trusted 4750
# screen savers:
/usr/bin/vlock root:shadow 2755
/usr/bin/Xorg root:root 4711
# turn off write and wall by disabling sgid tty:
/usr/bin/wall root:tty 2755
/usr/bin/write root:tty 2755
# thttpd:
/usr/bin/makeweb root:www 2755
# yaps, pager software, accesses /dev/ttyS?
/usr/bin/yaps root:uucp 2755
# ncpfs tool
/usr/bin/nwsfind root:trusted 4750
/usr/bin/ncplogin root:trusted 4750
/usr/bin/ncpmap root:trusted 4750
# lpdfilter:
# checks itself that only lp and root can call it
/usr/lib/lpdfilter/bin/runlpr root:root 4755
# pcmcia:
# Needs setuid to eject cards (#100120)
/sbin/pccardctl root:trusted 4755
# gnokii nokia cellphone software
# #66209
/usr/sbin/mgnokiidev root:uucp 4755
# pcp, performance co-pilot
# setuid root is used to write /var/log/pcp/NOTICES
# #66205
/usr/lib/pcp/pmpost root:root 4755
# mailman mailing list software
# #66315
/usr/lib/mailman/cgi-bin/admin root:mailman 2755
/usr/lib/mailman/cgi-bin/admindb root:mailman 2755
/usr/lib/mailman/cgi-bin/edithtml root:mailman 2755
/usr/lib/mailman/cgi-bin/listinfo root:mailman 2755
/usr/lib/mailman/cgi-bin/options root:mailman 2755
/usr/lib/mailman/cgi-bin/private root:mailman 2755
/usr/lib/mailman/cgi-bin/roster root:mailman 2755
/usr/lib/mailman/cgi-bin/subscribe root:mailman 2755
/usr/lib/mailman/cgi-bin/confirm root:mailman 2755
/usr/lib/mailman/cgi-bin/create root:mailman 2755
/usr/lib/mailman/cgi-bin/editarch root:mailman 2755
/usr/lib/mailman/cgi-bin/rmlist root:mailman 2755
/usr/lib/mailman/mail/mailman root:mailman 2755
# libgnomesu (#75823, #175616)
/usr/lib/libgnomesu/gnomesu-pam-backend root:root 4755
# control-center2 (#104993)
/usr/sbin/change-passwd root:root 4755
# cups (#66305,#406058)
/usr/bin/lppasswd lp:lp 2755
# smb printing with kerberos authentication (#177114)
/usr/bin/get_printing_ticket root:lp 4750
# networking (need root for the privileged socket)
/bin/ping root:root 4755
/bin/ping6 root:root 4755
/usr/sbin/traceroute6 root:root 4755
# mtr is linked against ncurses. For dialout only.
/usr/sbin/mtr root:dialout 4750
/usr/bin/rcp root:root 4755
/usr/bin/rlogin root:root 4755
/usr/bin/rsh root:root 4755
# heartbeat #66310
# cl_status needs to be allowed to connect to the heartbeat API. If the setgid
# bit is removed, one can manually add users to the haclient group instead.
/usr/bin/cl_status root:haclient 2555
# exim
/usr/sbin/exim root:root 4755
# dialup networking programs
/usr/sbin/pppoe-wrapper root:dialout 4750
# i4l package (#100750):
/sbin/isdnctrl root:dialout 4750
# #66111
/usr/bin/vboxbeep root:trusted 4755
# linux text console utilities
# setuid needed on the text console to set the terminal content on ctrl-o
# #66112
/usr/lib/mc/cons.saver root:root 4755
# terminal emulators
# This and future SuSE products have support for the utempter, a small helper
# program that does the utmp/wtmp update work with the necessary rights.
# The use of utempter obsoletes the need for sgid bits on terminal emulator
# binaries. We mention screen here, but all other terminal emulators have
# moved to /etc/permissions, with modes set to 0755.
# needs setuid to access /dev/console
# framebuffer terminal emulator (japanese)
/usr/bin/jfbterm root:tty 6755
# kde
# (all of them are disabled in except for
# the helper programs)
# arts wrapper, normally suid root:
/opt/kde3/bin/artswrapper root:root 4755
# needs setuid root when using shadow via NIS:
# #66218
/opt/kde3/bin/kcheckpass root:shadow 4755
/usr/lib/kde4/libexec/kcheckpass root:shadow 4755
/usr/lib64/kde4/libexec/kcheckpass root:shadow 4755
# This has a meaning... hmm...
/opt/kde3/bin/kdesud root:nogroup 2755
/usr/lib/kde4/libexec/kdesud root:nogroup 2755
/usr/lib64/kde4/libexec/kdesud root:nogroup 2755
# used for getting proxy settings from dhcp
/opt/kde3/bin/kpac_dhcp_helper root:root 4755
# used to distract the oom killer
# #203535
/opt/kde3/bin/start_kdeinit root:root 4755
# bnc#523833
/usr/lib/kde4/libexec/start_kdeinit root:root 4755
/usr/lib64/kde4/libexec/start_kdeinit root:root 4755
# edits /etc/smb.conf
# #66312
/usr/bin/fileshareset root:root 4755
# amanda
/usr/sbin/amcheck root:amanda 4750
/usr/lib/amanda/calcsize root:amanda 4750
/usr/lib/amanda/rundump root:amanda 4750
/usr/lib/amanda/planner root:amanda 4750
/usr/lib/amanda/runtar root:amanda 4750
/usr/lib/amanda/dumper root:amanda 4750
/usr/lib/amanda/killpgrp root:amanda 4750
# gnats
/usr/lib/gnats/gen-index gnats:root 4555
/usr/lib/gnats/pr-edit gnats:root 4555
/usr/lib/gnats/queue-pr gnats:root 4555
# news (inn)
# the inn start script changes it's uid to news:news. Later innstart and
# innfeed are called by this user. Those programs do not need to be called by
# anyone else, therefore the strange permissions 4554 are required for
# operation. (#67032)
/usr/lib/news/bin/rnews news:uucp 4550
/usr/lib/news/bin/startinnfeed root:news 4554
/usr/lib/news/bin/inndstart root:news 4554
/usr/lib/news/bin/inews news:news 2555
# sendfax
/usr/lib/mgetty+sendfax/faxq-helper fax:root 4711
/var/spool/fax/outgoing/ fax:root 1755
/var/spool/fax/outgoing/locks fax:root 0777
# uucp
/var/spool/uucppublic/ root:root 1777
/usr/bin/uucp uucp:uucp 6555
/usr/bin/uuname uucp:uucp 6555
/usr/bin/uustat uucp:uucp 6555
/usr/bin/uux uucp:uucp 6555
/usr/lib/uucp/uucico uucp:uucp 6555
/usr/lib/uucp/uuxqt uucp:uucp 6555
# games of all kinds, toys
# bsd-games
/usr/games/atc games:games 2755
/usr/games/battlestar games:games 2755
/usr/games/canfield games:games 2755
/usr/games/cribbage games:games 2755
/usr/games/phantasia games:games 2755
/usr/games/robots games:games 2755
/usr/games/sail games:games 2755
/usr/games/snake games:games 2755
/usr/games/tetris-bsd games:games 2755
# Maelstrom
/usr/games/Maelstrom games:games 2755
# pachi
/usr/games/pachi games:games 2755
/usr/games/martian games:games 2755
# nethack
/usr/lib/nethack/nethack.tty games:games 2755
# chromium,
/usr/games/chromium games:games 2755
# xscrabble
/usr/games/xscrab games:games 2755
# trackballs
/usr/games/trackballs games:games 2755
# ltris
/usr/games/ltris games:games 2755
# xlogical
/usr/games/xlogical games:games 2755
# lbreakout
/usr/games/lbreakout2 games:games 2755
# xgalaga
/usr/bin/xgalaga games:games 2755
# rocksndiamonds
/usr/games/rocksndiamonds games:games 2755
# gnome-games
/usr/bin/glines games:games 2755
/usr/bin/gnibbles games:games 2755
/usr/bin/gnobots2 games:games 2755
/usr/bin/gnometris games:games 2755
/usr/bin/gnomine games:games 2755
/usr/bin/gnotravex games:games 2755
/usr/bin/gnotski games:games 2755
/usr/bin/gtali games:games 2755
/usr/bin/mahjongg games:games 2755
/usr/bin/same-gnome games:games 2755
# zypp (#385207)
/usr/sbin/zypp-refresh-wrapper root:root 4755
# PolicyKit (#295341)
/usr/lib/PolicyKit/polkit-set-default-helper polkituser:root 4755
/usr/lib/PolicyKit/polkit-read-auth-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-revoke-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-explicit-grant-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-grant-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-grant-helper-pam root:polkituser 4750
# polkit new (bnc#523377)
/usr/lib/polkit-1/polkit-agent-helper-1 root:root 4755
/usr/bin/pkexec root:root 4755
# dbus-1 (#333361)
/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
# policycoreutils (#440596)
/usr/bin/newrole root:root 4755
# VirtualBox (#429725)
/usr/lib/virtualbox/VirtualBox root:vboxusers 4750
/usr/lib/virtualbox/VirtualBox3 root:vboxusers 4750
/usr/lib/virtualbox/VBoxBFE root:vboxusers 4750
/usr/lib/virtualbox/VBoxHeadless root:vboxusers 4750
/usr/lib/virtualbox/VBoxSDL root:vboxusers 4750
# open-vm-tools (bnc#474285)
/usr/bin/vmware-user-suid-wrapper root:root 4755
@ -1,32 +0,0 @@
# /etc/permissions.local
# This file is used by SuSEconfig and chkstat to check or set the modes
# and ownerships of files and directories in the installation.
# In particular, this file will not be touched during an upgrade of the
# SuSE Linux installation. It is designed to be a placeholder for local
# additions by the administrator of the system to reflect filemodes
# of locally installed packages or to override file permissions as
# shipped with the distribution.
# Format:
# <file> <owner>:<group> <permission>
# Please see the file /etc/permissions for general usage hints of the
# /etc/permissions* files.
# Keep in mind that this file (/etc/permissions.local) is being used by
# default by SuSEconfig, the shell script that is used by yast and yast2
# after package installation and configuration changes to make the changes
# effective for the respective packages (eg generating the "real"
# configuration files).
# Always check if there are no conflicts between your "local" changes here
# and the settings in the other permissions files by calling
# "SuSEconfig" as root!
# Please remember that logfiles might be modified by the logfile
# rotation facilities (e.g. logrotate) so settings entered here might
# be overridden.
# This file needs to end with a newline.
# example:
#/usr/bin/sperl5.8.8 root:root 4755
@ -1,431 +0,0 @@
# /etc/permissions.paranoid
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
# Author: Roman Drahtmueller <>, 2001
# See /etc/permissions for general hints on how to use this file.
# /etc/permissions.paranoid is NOT designed to be used in a single-user as
# well as a multi-user installation, be it networked or not.
# Derived from /etc/, it has _all_ sgid and suid bits
# cleared - therefore, the system might be useable for non-privileged users
# except for simple tasks like changing passwords and such. In addition,
# some of the configuration files are not readable for world any more.
# Feel free to use this file as a basis of a system configuration that meets
# your understanding of "secure", for the case that you're a bit paranoid.
# Since there is no such thing as "it works" with this configuration, please
# use these settings with care. Some experience on behalf of the administrator
# is needed to have a system running flawlessly when users are present.
# In particular, all terminal emulators will not be able to write to utmp
# and wtmp any more, which renders who(1) and finger(1) useless.
# Please always keep in mind that your system listens on network sockets
# in the default configuration. Change this by disabling the services that
# you do not need or by restricting access to them using packet filters
# or tcp wrappers (see hosts_access(5)) to gain a higher level of security
# in your system.
# Directories
# no lock files for emacs:
/var/lib/xemacs/lock/ root:trusted 1775
# for screen's session sockets:
/var/run/uscreens/ root:trusted 1775
# /etc
/etc/crontab root:root 600
/etc/exports root:root 600
/etc/fstab root:root 600
/etc/ftpaccess root:root 600
/etc/ftpusers root:root 600
/etc/inetd.conf root:root 600
/etc/inittab root:root 600
/etc/mtab root:root 600
/etc/rmtab root:root 600
/var/lib/nfs/rmtab root:root 600
/etc/syslog.conf root:root 600
# suid system programs that need the suid bit to work:
/bin/su root:root 0755
# disable at and cron for non-root users
/usr/bin/at root:trusted 0755
/usr/bin/crontab root:trusted 0755
/usr/bin/gpasswd root:shadow 0755
/usr/bin/newgrp root:root 0755
/usr/bin/passwd root:shadow 0755
/usr/bin/chfn root:shadow 0755
/usr/bin/chage root:shadow 0755
/usr/bin/chsh root:shadow 0755
/usr/bin/expiry root:shadow 0755
# the default configuration of the sudo package in SuSE distribution is to
# intimidate users.
/usr/bin/sudo root:root 0755
/usr/sbin/su-wrapper root:root 0755
# opie password system
# #66303
/usr/bin/opiepasswd root:root 0755
/usr/bin/opiesu root:root 0755
# "user" entries in /etc/fstab make mount work for non-root users:
/usr/bin/ncpmount root:trusted 0755
/usr/bin/ncpumount root:trusted 0755
# #331020
/sbin/mount.nfs root:root 0755
# mount/umount have had their problems already:
/bin/mount root:root 0755
/bin/umount root:root 0755
/bin/eject root:audio 0755
# #133657
/usr/bin/fusermount root:trusted 0755
# #66203
/usr/lib/majordomo/wrapper root:daemon 0755
# glibc backwards compatibility
/usr/lib/pt_chown root:root 0755
/usr/lib64/pt_chown root:root 0755
# needs setuid root when using shadow via NIS:
# #216816
/sbin/unix_chkpwd root:shadow 0755
/sbin/unix2_chkpwd root:shadow 0755
# qpopper
/usr/sbin/popauth pop:trusted 0755
# from the squid package
/usr/sbin/pam_auth root:shadow 0755
# still to be converted to utempter
/usr/lib/vte/gnome-pty-helper root:tty 0755
# mixed section: most of it is disabled in this
# rpm subsystem:
/usr/src/packages/SOURCES/ root:root 700
/usr/src/packages/BUILD/ root:root 700
/usr/src/packages/RPMS/ root:root 700
/usr/src/packages/RPMS/alpha/ root:root 700
/usr/src/packages/RPMS/alphaev56/ root:root 700
/usr/src/packages/RPMS/alphaev67/ root:root 700
/usr/src/packages/RPMS/alphaev6/ root:root 700
/usr/src/packages/RPMS/arm4l/ root:root 700
/usr/src/packages/RPMS/athlon/ root:root 700
/usr/src/packages/RPMS/i386/ root:root 700
/usr/src/packages/RPMS/i486/ root:root 700
/usr/src/packages/RPMS/i586/ root:root 700
/usr/src/packages/RPMS/i686/ root:root 700
/usr/src/packages/RPMS/ia64/ root:root 700
/usr/src/packages/RPMS/mips/ root:root 700
/usr/src/packages/RPMS/ppc/ root:root 700
/usr/src/packages/RPMS/ppc64/ root:root 700
/usr/src/packages/RPMS/powerpc/ root:root 700
/usr/src/packages/RPMS/powerpc64/ root:root 700
/usr/src/packages/RPMS/s390/ root:root 700
/usr/src/packages/RPMS/s390x/ root:root 700
/usr/src/packages/RPMS/sparc/ root:root 700
/usr/src/packages/RPMS/sparcv9/ root:root 700
/usr/src/packages/RPMS/sparc64/ root:root 700
/usr/src/packages/RPMS/x86_64/ root:root 700
/usr/src/packages/RPMS/armv4l/ root:root 700
/usr/src/packages/RPMS/hppa/ root:root 700
/usr/src/packages/RPMS/hppa2.0/ root:root 700
/usr/src/packages/RPMS/noarch/ root:root 700
/usr/src/packages/SPECS/ root:root 700
/usr/src/packages/SRPMS/ root:root 700
# video
/usr/bin/v4l-conf root:video 0755
# Itanium ia32 emulator
/usr/lib/ia32el/suid_ia32x_loader root:root 0755
# scotty:
# #66211
/usr/bin/ntping root:trusted 0755
# This is not extensively tested.
/usr/bin/vlock root:shadow 0755
/usr/bin/Xorg root:root 0711
# turned off write and wall by disabling sgid tty:
/usr/bin/wall root:tty 0755
/usr/bin/write root:tty 0755
# thttpd
/usr/bin/makeweb root:www 0750
# yaps, pager software, accesses /dev/ttyS? . Disabled sgid uucp.
/usr/bin/yaps root:uucp 0755
# ncpfs tool: trusted only
/usr/bin/nwsfind root:trusted 0750
/usr/bin/ncplogin root:trusted 0750
/usr/bin/ncpmap root:trusted 0750
# lpdfilter:
# checks itself that only lp and root can call it
/usr/lib/lpdfilter/bin/runlpr root:root 0755
# pcmcia:
# Needs setuid to eject cards (#100120)
/sbin/pccardctl root:trusted 0755
# gnokii nokia cellphone software
# #66209
/usr/sbin/mgnokiidev root:uucp 755
# pcp, performance co-pilot
# setuid root is used to write /var/log/pcp/NOTICES
# #66205
/usr/lib/pcp/pmpost root:trusted 0755
# mailman mailing list software
# #66315
/usr/lib/mailman/cgi-bin/admin root:mailman 0755
/usr/lib/mailman/cgi-bin/admindb root:mailman 0755
/usr/lib/mailman/cgi-bin/edithtml root:mailman 0755
/usr/lib/mailman/cgi-bin/listinfo root:mailman 0755
/usr/lib/mailman/cgi-bin/options root:mailman 0755
/usr/lib/mailman/cgi-bin/private root:mailman 0755
/usr/lib/mailman/cgi-bin/roster root:mailman 0755
/usr/lib/mailman/cgi-bin/subscribe root:mailman 0755
/usr/lib/mailman/cgi-bin/confirm root:mailman 0755
/usr/lib/mailman/cgi-bin/create root:mailman 0755
/usr/lib/mailman/cgi-bin/editarch root:mailman 0755
/usr/lib/mailman/cgi-bin/rmlist root:mailman 0755
/usr/lib/mailman/mail/mailman root:mailman 0755
# libgnomesu (#75823, #175616)
/usr/lib/libgnomesu/gnomesu-pam-backend root:root 0755
# control-center2 (#104993)
/usr/sbin/change-passwd root:root 0755
# cups (#66305,#406058)
/usr/bin/lppasswd lp:lp 0755
# smb printing with kerberos authentication (#177114)
/usr/bin/get_printing_ticket root:lp 0755
# networking (need root for the privileged socket)
/bin/ping root:root 0755
/bin/ping6 root:root 0755
/usr/sbin/traceroute6 root:root 0755
# mtr is linked against ncurses.
/usr/sbin/mtr root:dialout 0755
/usr/bin/rcp root:root 0755
/usr/bin/rlogin root:root 0755
/usr/bin/rsh root:root 0755
# heartbeat #66310
# cl_status needs to be allowed to connect to the heartbeat API. If the setgid
# bit is removed, one can manually add users to the haclient group instead.
/usr/bin/cl_status root:haclient 0555
# exim
/usr/sbin/exim root:root 0755
# dialup networking programs
/usr/sbin/pppoe-wrapper root:dialout 0750
# i4l package (#100750):
/sbin/isdnctrl root:dialout 0750
# #66111
/usr/bin/vboxbeep root:trusted 0755
# linux text console utilities
# setuid needed on the text console to set the terminal content on ctrl-o
# #66112
/usr/lib/mc/cons.saver root:root 0755
# terminal emulators
# This and future SuSE products have support for the utempter, a small helper
# program that does the utmp/wtmp update work with the necessary rights.
# The use of utempter obsoletes the need for sgid bits on terminal emulator
# binaries. We mention screen here, but all other terminal emulators have
# moved to /etc/permissions, with modes set to 0755.
# framebuffer terminal emulator (japanese).
/usr/bin/jfbterm root:tty 0755
# kde
# arts wrapper, normally suid root:
/opt/kde3/bin/artswrapper root:root 0755
# needs setuid root when using shadow via NIS:
# #66218
/opt/kde3/bin/kcheckpass root:shadow 0755
/usr/lib/kde4/libexec/kcheckpass root:shadow 0755
/usr/lib64/kde4/libexec/kcheckpass root:shadow 0755
# This has a meaning... hmm...
/opt/kde3/bin/kdesud root:nogroup 0755
/usr/lib/kde4/libexec/kdesud root:nogroup 0755
/usr/lib64/kde4/libexec/kdesud root:nogroup 0755
# used for getting proxy settings from dhcp
/opt/kde3/bin/kpac_dhcp_helper root:root 0755
# used to distract the oom killer
# #203535
/opt/kde3/bin/start_kdeinit root:root 0755
# bnc#523833
/usr/lib/kde4/libexec/start_kdeinit root:root 0755
/usr/lib64/kde4/libexec/start_kdeinit root:root 0755
# edits /etc/smb.conf
# #66312
/usr/bin/fileshareset root:root 0755
# amanda
/usr/sbin/amcheck root:amanda 0750
/usr/lib/amanda/calcsize root:amanda 0750
/usr/lib/amanda/rundump root:amanda 0750
/usr/lib/amanda/planner root:amanda 0750
/usr/lib/amanda/runtar root:amanda 0750
/usr/lib/amanda/dumper root:amanda 0750
/usr/lib/amanda/killpgrp root:amanda 0750
# gnats
/usr/lib/gnats/gen-index gnats:root 0555
/usr/lib/gnats/pr-edit gnats:root 0555
/usr/lib/gnats/queue-pr gnats:root 0555
# news (inn)
# the inn start script changes it's uid to news:news. Later innstart and
# innfeed are called by this user. Those programs do not need to be called by
# anyone else, therefore the strange permissions 4554 are required for
# operation. (#67032)
/usr/lib/news/bin/rnews news:uucp 0555
/usr/lib/news/bin/startinnfeed root:news 0555
/usr/lib/news/bin/inndstart root:news 0555
/usr/lib/news/bin/inews news:news 0555
# sendfax
# restrictive, only for "trusted" group users:
/usr/lib/mgetty+sendfax/faxq-helper fax:root 0711
/var/spool/fax/outgoing/ fax:trusted 1770
/var/spool/fax/outgoing/locks fax:trusted 1770
# uucp
/var/spool/uucppublic/ root:uucp 1770
/usr/bin/uucp uucp:uucp 0555
/usr/bin/uuname uucp:uucp 0555
/usr/bin/uustat uucp:uucp 0555
/usr/bin/uux uucp:uucp 0555
/usr/lib/uucp/uucico uucp:uucp 0555
/usr/lib/uucp/uuxqt uucp:uucp 0555
# games of all kinds, toys
# bsd-games
/usr/games/atc games:games 0755
/usr/games/battlestar games:games 0755
/usr/games/canfield games:games 0755
/usr/games/cribbage games:games 0755
/usr/games/phantasia games:games 0755
/usr/games/robots games:games 0755
/usr/games/sail games:games 0755
/usr/games/snake games:games 0755
/usr/games/tetris-bsd games:games 0755
# Maelstrom
/usr/games/Maelstrom games:games 0755
# pachi
/usr/games/pachi games:games 0755
/usr/games/martian games:games 0755
# nethack
/usr/lib/nethack/nethack.tty games:games 0755
# chromium,
/usr/games/chromium games:games 0755
# xscrabble
/usr/games/xscrab games:games 0755
# trackballs
/usr/games/trackballs games:games 0755
# ltris
/usr/games/ltris games:games 0755
# xlogical
/usr/games/xlogical games:games 0755
# lbreakout
/usr/games/lbreakout2 games:games 0755
# xgalaga
/usr/bin/xgalaga games:games 0755
# rocksndiamonds
/usr/games/rocksndiamonds games:games 0755
# gnome-games
/usr/bin/glines games:games 0755
/usr/bin/gnibbles games:games 0755
/usr/bin/gnobots2 games:games 0755
/usr/bin/gnometris games:games 0755
/usr/bin/gnomine games:games 0755
/usr/bin/gnotravex games:games 0755
/usr/bin/gnotski games:games 0755
/usr/bin/gtali games:games 0755
/usr/bin/mahjongg games:games 0755
/usr/bin/same-gnome games:games 0755
# zypp (#385207)
/usr/sbin/zypp-refresh-wrapper root:root 0755
# PolicyKit (#295341)
/usr/lib/PolicyKit/polkit-set-default-helper root:polkituser 0755
/usr/lib/PolicyKit/polkit-read-auth-helper root:polkituser 0755
/usr/lib/PolicyKit/polkit-revoke-helper root:polkituser 0755
/usr/lib/PolicyKit/polkit-explicit-grant-helper root:polkituser 0755
/usr/lib/PolicyKit/polkit-grant-helper root:polkituser 0755
/usr/lib/PolicyKit/polkit-grant-helper-pam root:polkituser 0755
# polkit new (bnc#523377)
/usr/lib/polkit-1/polkit-agent-helper-1 root:root 0755
/usr/bin/pkexec root:root 0755
# dbus-1 (#333361)
/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 0750
/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 0750
# policycoreutils (#440596)
/usr/bin/newrole root:root 0755
# VirtualBox (#429725)
/usr/lib/virtualbox/VirtualBox root:vboxusers 0755
/usr/lib/virtualbox/VirtualBox3 root:vboxusers 0755
/usr/lib/virtualbox/VBoxBFE root:vboxusers 0755
/usr/lib/virtualbox/VBoxHeadless root:vboxusers 0755
/usr/lib/virtualbox/VBoxSDL root:vboxusers 0755
# open-vm-tools (bnc#474285)
/usr/bin/vmware-user-suid-wrapper root:root 0755
@ -1,456 +0,0 @@
# /etc/
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
# Author: Roman Drahtmueller <>, 2001
# See /etc/permissions for general hints on how to use this file.
# /etc/ is designed for the use in a multi-user and
# networked installation. Most privileged file modes are disabled here.
# Many programs that still have their suid- or sgid-modes have had their
# security problems in the past already.
# The primary target of this configuration is to make the basic things
# such as changing passwords, the basic networking programs as well as
# some of the all-day work programs properly function for the unprivileged
# user. The dial-out packages are executable for users belonging to the
# "dialout" group - therefore, these users are to be treated "privileged".
# Packages such as (remote-) batch queueing systems, games, programs for
# the linux text console, everything linked against OOP libraries and
# most other exotic utilities are turned into unprivileged binary files
# in order for them not to cause any security problems if one or more of
# the programs turn out to have buffer overruns or otherwise locally
# exploitable programming errors.
# This file is not designed to make your system as closed and as restrictive
# as at all possible. In many cases, restricted access to a configuration
# file is of no use since the data used can be obtained from the /proc file
# system or interface configuration as well. Also, system programs such as
# /sbin/ifconfig or /sbin/route are not changed because nosey users can
# bring their own. "Security by obscurity" will add any significant
# security-related advantage to the system. Keep in mind that curiosity
# is a major motivation for your users to try to see behind the curtain.
# If you need the functionality of a program that usually runs as a
# privileged user, then use it as root, or, if you are not root, ask your
# system administrator for advice. In many cases, adding a user to the
# "trusted" group gives her access to the resources that are not accessible
# any more if the admin chose to select "secure" as the permissions default.
# Please make use of the diff program to see the differences between the
# permissions.easy and files if things don't work as
# they should and you suspect a permission or privilege problem.
# The word "easy" is a reference for the /etc/permissions.easy file.
# As usual, these settings are "suggested". If you feel so inclined,
# please feel free to change the modes in this files, but keep a log
# of your changes for future reference.
# Please always keep in mind that your system listens on network sockets
# in the default configuration. Change this by disabling the services that
# you do not need or by restricting access to them using packet filters
# or tcp wrappers (see hosts_access(5)) to gain a higher level of security
# in your system.
# Directories
# no lock files for emacs:
/var/lib/xemacs/lock/ root:trusted 1775
# for screen's session sockets:
/var/run/uscreens/ root:root 1777
# /etc
/etc/crontab root:root 600
/etc/exports root:root 644
/etc/fstab root:root 644
/etc/ftpaccess root:root 644
/etc/ftpusers root:root 644
/etc/inetd.conf root:root 644
/etc/inittab root:root 644
/etc/mtab root:root 644
/etc/rmtab root:root 644
/var/lib/nfs/rmtab root:root 644
/etc/syslog.conf root:root 600
# suid system programs that need the suid bit to work:
/bin/su root:root 4755
# disable at and cron for users that do not belnong to the group "trusted"
/usr/bin/at root:trusted 4750
/usr/bin/crontab root:trusted 4750
/usr/bin/gpasswd root:shadow 4755
/usr/bin/newgrp root:root 4755
/usr/bin/passwd root:shadow 4755
/usr/bin/chfn root:shadow 4755
/usr/bin/chage root:shadow 4755
/usr/bin/chsh root:shadow 4755
/usr/bin/expiry root:shadow 4755
# the default configuration of the sudo package in SuSE distribution is to
# intimidate users.
/usr/bin/sudo root:root 4755
/usr/sbin/su-wrapper root:root 0755
# opie password system
# #66303
/usr/bin/opiepasswd root:root 4755
/usr/bin/opiesu root:root 4755
# "user" entries in /etc/fstab make mount work for non-root users:
/usr/bin/ncpmount root:trusted 4750
/usr/bin/ncpumount root:trusted 4750
# #331020
/sbin/mount.nfs root:root 0755
# mount/umount have had their problems already:
/bin/mount root:root 4755
/bin/umount root:root 4755
/bin/eject root:audio 4750
# #133657
/usr/bin/fusermount root:trusted 4750
# #66203
/usr/lib/majordomo/wrapper root:daemon 4750
# glibc backwards compatibility
/usr/lib/pt_chown root:root 4755
/usr/lib64/pt_chown root:root 4755
# needs setuid root when using shadow via NIS:
# #216816
/sbin/unix_chkpwd root:shadow 4755
/sbin/unix2_chkpwd root:shadow 4755
# qpopper
/usr/sbin/popauth pop:trusted 4750
# from the squid package
/usr/sbin/pam_auth root:shadow 4755
# still to be converted to utempter
/usr/lib/vte/gnome-pty-helper root:tty 2755
# mixed section: most of it is disabled in this
# rpm subsystem:
/usr/src/packages/SOURCES/ root:root 755
/usr/src/packages/BUILD/ root:root 755
/usr/src/packages/RPMS/ root:root 755
/usr/src/packages/RPMS/alpha/ root:root 755
/usr/src/packages/RPMS/alphaev56/ root:root 755
/usr/src/packages/RPMS/alphaev67/ root:root 755
/usr/src/packages/RPMS/alphaev6/ root:root 755
/usr/src/packages/RPMS/arm4l/ root:root 755
/usr/src/packages/RPMS/athlon/ root:root 755
/usr/src/packages/RPMS/i386/ root:root 755
/usr/src/packages/RPMS/i486/ root:root 755
/usr/src/packages/RPMS/i586/ root:root 755
/usr/src/packages/RPMS/i686/ root:root 755
/usr/src/packages/RPMS/ia64/ root:root 755
/usr/src/packages/RPMS/mips/ root:root 755
/usr/src/packages/RPMS/ppc/ root:root 755
/usr/src/packages/RPMS/ppc64/ root:root 755
/usr/src/packages/RPMS/powerpc/ root:root 755
/usr/src/packages/RPMS/powerpc64/ root:root 755
/usr/src/packages/RPMS/s390/ root:root 755
/usr/src/packages/RPMS/s390x/ root:root 755
/usr/src/packages/RPMS/sparc/ root:root 755
/usr/src/packages/RPMS/sparcv9/ root:root 755
/usr/src/packages/RPMS/sparc64/ root:root 755
/usr/src/packages/RPMS/x86_64/ root:root 755
/usr/src/packages/RPMS/armv4l/ root:root 755
/usr/src/packages/RPMS/hppa/ root:root 755
/usr/src/packages/RPMS/hppa2.0/ root:root 755
/usr/src/packages/RPMS/noarch/ root:root 755
/usr/src/packages/SPECS/ root:root 755
/usr/src/packages/SRPMS/ root:root 755
# video
/usr/bin/v4l-conf root:video 4750
# Itanium ia32 emulator
/usr/lib/ia32el/suid_ia32x_loader root:root 0755
# scotty:
# #66211
/usr/bin/ntping root:trusted 4750
# This is not extensively tested.
/usr/bin/vlock root:shadow 0755
/usr/bin/Xorg root:root 0711
# turned off write and wall by disabling sgid tty:
/usr/bin/wall root:tty 0755
/usr/bin/write root:tty 0755
# thttpd: sgid + executeable only for group www. Useless...
/usr/bin/makeweb root:www 2750
# yaps, pager software, accesses /dev/ttyS? . Disabled sgid uucp.
/usr/bin/yaps root:uucp 0755
# ncpfs tool: trusted only
/usr/bin/nwsfind root:trusted 4750
/usr/bin/ncplogin root:trusted 4750
/usr/bin/ncpmap root:trusted 4750
# lpdfilter:
# checks itself that only lp and root can call it
/usr/lib/lpdfilter/bin/runlpr root:root 4755
# pcmcia:
# Needs setuid to eject cards (#100120)
/sbin/pccardctl root:trusted 4750
# gnokii nokia cellphone software
# #66209
/usr/sbin/mgnokiidev root:uucp 755
# pcp, performance co-pilot
# setuid root is used to write /var/log/pcp/NOTICES
# #66205
/usr/lib/pcp/pmpost root:trusted 4750
# mailman mailing list software
# #66315
/usr/lib/mailman/cgi-bin/admin root:mailman 2755
/usr/lib/mailman/cgi-bin/admindb root:mailman 2755
/usr/lib/mailman/cgi-bin/edithtml root:mailman 2755
/usr/lib/mailman/cgi-bin/listinfo root:mailman 2755
/usr/lib/mailman/cgi-bin/options root:mailman 2755
/usr/lib/mailman/cgi-bin/private root:mailman 2755
/usr/lib/mailman/cgi-bin/roster root:mailman 2755
/usr/lib/mailman/cgi-bin/subscribe root:mailman 2755
/usr/lib/mailman/cgi-bin/confirm root:mailman 2755
/usr/lib/mailman/cgi-bin/create root:mailman 2755
/usr/lib/mailman/cgi-bin/editarch root:mailman 2755
/usr/lib/mailman/cgi-bin/rmlist root:mailman 2755
/usr/lib/mailman/mail/mailman root:mailman 2755
# libgnomesu (#75823, #175616)
/usr/lib/libgnomesu/gnomesu-pam-backend root:root 4755
# control-center2 (#104993)
/usr/sbin/change-passwd root:root 4755
# cups (#66305,#406058)
/usr/bin/lppasswd lp:lp 2755
# smb printing with kerberos authentication (#177114)
/usr/bin/get_printing_ticket root:lp 4750
# networking (need root for the privileged socket)
/bin/ping root:root 4755
/bin/ping6 root:root 4755
/usr/sbin/traceroute6 root:root 4755
# mtr is linked against ncurses. no suid bit, for root only:
/usr/sbin/mtr root:dialout 0755
/usr/bin/rcp root:root 4755
/usr/bin/rlogin root:root 4755
/usr/bin/rsh root:root 4755
# heartbeat #66310
# cl_status needs to be allowed to connect to the heartbeat API. If the setgid
# bit is removed, one can manually add users to the haclient group instead.
/usr/bin/cl_status root:haclient 2555
# exim
/usr/sbin/exim root:root 4755
# dialup networking programs
/usr/sbin/pppoe-wrapper root:dialout 4750
# i4l package (#100750):
/sbin/isdnctrl root:dialout 4750
# #66111
/usr/bin/vboxbeep root:trusted 0755
# linux text console utilities
# setuid needed on the text console to set the terminal content on ctrl-o
# #66112
/usr/lib/mc/cons.saver root:root 0755
# terminal emulators
# This and future SuSE products have support for the utempter, a small helper
# program that does the utmp/wtmp update work with the necessary rights.
# The use of utempter obsoletes the need for sgid bits on terminal emulator
# binaries. We mention screen here, but all other terminal emulators have
# moved to /etc/permissions, with modes set to 0755.
# needs setuid to access /dev/console
# framebuffer terminal emulator (japanese)
/usr/bin/jfbterm root:tty 0755
# kde
# (all of them are disabled in except for
# the helper programs)
# arts wrapper, normally suid root:
/opt/kde3/bin/artswrapper root:root 0755
# needs setuid root when using shadow via NIS:
# #66218
/opt/kde3/bin/kcheckpass root:shadow 4755
/usr/lib/kde4/libexec/kcheckpass root:shadow 4755
/usr/lib64/kde4/libexec/kcheckpass root:shadow 4755
# This has a meaning... hmm...
/opt/kde3/bin/kdesud root:nogroup 2755
/usr/lib/kde4/libexec/kdesud root:nogroup 2755
/usr/lib64/kde4/libexec/kdesud root:nogroup 2755
# used for getting proxy settings from dhcp
/opt/kde3/bin/kpac_dhcp_helper root:root 0755
# used to distract the oom killer
# #203535
/opt/kde3/bin/start_kdeinit root:root 4755
# bnc#523833
/usr/lib/kde4/libexec/start_kdeinit root:root 4755
/usr/lib64/kde4/libexec/start_kdeinit root:root 4755
# edits /etc/smb.conf
# #66312
/usr/bin/fileshareset root:root 0755
# amanda
/usr/sbin/amcheck root:amanda 0750
/usr/lib/amanda/calcsize root:amanda 0750
/usr/lib/amanda/rundump root:amanda 0750
/usr/lib/amanda/planner root:amanda 0750
/usr/lib/amanda/runtar root:amanda 0750
/usr/lib/amanda/dumper root:amanda 0750
/usr/lib/amanda/killpgrp root:amanda 0750
# gnats
/usr/lib/gnats/gen-index gnats:root 4555
/usr/lib/gnats/pr-edit gnats:root 4555
/usr/lib/gnats/queue-pr gnats:root 4555
# news (inn)
# the inn start script changes it's uid to news:news. Later innstart and
# innfeed are called by this user. Those programs do not need to be called by
# anyone else, therefore the strange permissions 4554 are required for
# operation. (#67032)
/usr/lib/news/bin/rnews news:uucp 4550
/usr/lib/news/bin/startinnfeed root:news 4554
/usr/lib/news/bin/inndstart root:news 4554
/usr/lib/news/bin/inews news:news 2555
# sendfax
# restrictive, only for "trusted" group users:
/usr/lib/mgetty+sendfax/faxq-helper fax:root 4711
/var/spool/fax/outgoing/ fax:root 0755
/var/spool/fax/outgoing/locks fax:root 0755
# uucp
/var/spool/uucppublic/ root:uucp 1770
/usr/bin/uucp uucp:uucp 6555
/usr/bin/uuname uucp:uucp 6555
/usr/bin/uustat uucp:uucp 6555
/usr/bin/uux uucp:uucp 6555
/usr/lib/uucp/uucico uucp:uucp 6555
/usr/lib/uucp/uuxqt uucp:uucp 6555
# games of all kinds, toys
# all suid and sgid bits cleared.
# bsd-games
/usr/games/atc games:games 0755
/usr/games/battlestar games:games 0755
/usr/games/canfield games:games 0755
/usr/games/cribbage games:games 0755
/usr/games/phantasia games:games 0755
/usr/games/robots games:games 0755
/usr/games/sail games:games 0755
/usr/games/snake games:games 0755
/usr/games/tetris-bsd games:games 0755
# Maelstrom
/usr/games/Maelstrom games:games 0755
# pachi
/usr/games/pachi games:games 0755
/usr/games/martian games:games 0755
# nethack
/usr/lib/nethack/nethack.tty games:games 0755
# chromium,
/usr/games/chromium games:games 0755
# xscrabble
/usr/games/xscrab games:games 0755
# trackballs
/usr/games/trackballs games:games 0755
# ltris
/usr/games/ltris games:games 0755
# xlogical
/usr/games/xlogical games:games 0755
# lbreakout
/usr/games/lbreakout2 games:games 0755
# xgalaga
/usr/bin/xgalaga games:games 0755
# rocksndiamonds
/usr/games/rocksndiamonds games:games 0755
# gnome-games
/usr/bin/glines games:games 0755
/usr/bin/gnibbles games:games 0755
/usr/bin/gnobots2 games:games 0755
/usr/bin/gnometris games:games 0755
/usr/bin/gnomine games:games 0755
/usr/bin/gnotravex games:games 0755
/usr/bin/gnotski games:games 0755
/usr/bin/gtali games:games 0755
/usr/bin/mahjongg games:games 0755
/usr/bin/same-gnome games:games 0755
# zypp (#385207)
/usr/sbin/zypp-refresh-wrapper root:root 0755
# PolicyKit (#295341)
/usr/lib/PolicyKit/polkit-set-default-helper polkituser:root 4755
/usr/lib/PolicyKit/polkit-read-auth-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-revoke-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-explicit-grant-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-grant-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-grant-helper-pam root:polkituser 4750
# polkit new (bnc#523377)
/usr/lib/polkit-1/polkit-agent-helper-1 root:root 4755
/usr/bin/pkexec root:root 4755
# dbus-1 (#333361)
/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
# policycoreutils (#440596)
/usr/bin/newrole root:root 0755
# VirtualBox (#429725)
/usr/lib/virtualbox/VirtualBox root:vboxusers 0755
/usr/lib/virtualbox/VirtualBox3 root:vboxusers 0755
/usr/lib/virtualbox/VBoxBFE root:vboxusers 0755
/usr/lib/virtualbox/VBoxHeadless root:vboxusers 0755
/usr/lib/virtualbox/VBoxSDL root:vboxusers 0755
# open-vm-tools (bnc#474285)
/usr/bin/vmware-user-suid-wrapper root:root 0755
@ -1,5 +1,5 @@
# spec file for package permissions (Version 2009.8.13)
# spec file for package permissions (Version 2009.08.24.1152)
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
@ -16,30 +16,22 @@
# norootforbuild
# icecream 0
Name: permissions
License: GPL v2 or later
Group: Productivity/Security
AutoReqProv: on
Version: 2009.8.13
Version: 2009.08.24.1152
Release: 1
Provides: aaa_base:/etc/permissions
Requires: /sbin/SuSEconfig
PreReq: %fillup_prereq
Summary: SUSE Linux Default Permissions
#Source: permissions.tar.bz2
Source1: SuSEconfig.permissions
Source2: chkstat.c
Source3: chkstat.8
Source5: permissions
Source6: permissions.easy
Source7: permissions.paranoid
Source9: permissions.local
Source: permissions-%{version}.tar.bz2
BuildRoot: %{_tmppath}/%{name}-%{version}-build
This package contains specifications for permissions of specific files,
@ -51,39 +43,29 @@ local security setting (easy, secure, or paranoid) can be configured in
Werner Fink <>
Roman Drahtmüller <>
Werner Fink
Roman Drahtmüller
Michael Schröder
Ludwig Nussel
%setup -q
gcc -Wall $RPM_OPT_FLAGS %{SOURCE2} -o chkstat
mkdir -p $RPM_BUILD_ROOT/etc
mkdir -p $RPM_BUILD_ROOT%{_bindir}
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man8
mkdir -p $RPM_BUILD_ROOT/sbin/conf.d
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 755 chkstat $RPM_BUILD_ROOT%{_bindir}
install -m 755 %{SOURCE1} $RPM_BUILD_ROOT/sbin/conf.d
install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_mandir}/man8
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE6} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE9} $RPM_BUILD_ROOT/etc
make DESTDIR="$RPM_BUILD_ROOT" install
%{fillup_only -n security}
%config /etc/permissions
%config /etc/permissions.easy
%config /etc/
%config /etc/permissions.paranoid
%config(noreplace) /etc/permissions.local
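Review bot: Whether `$RPM_OPT_FLAGS` still reaches the chkstat compile is no longer visible once `gcc -Wall $RPM_OPT_FLAGS %{SOURCE2} -o chkstat` gives way to a bare `make DESTDIR="$RPM_BUILD_ROOT" install` in the `@ -51,39 +43,29 @@` hunk; that now depends on the tarball's Makefile, which this diff does not show. chkstat is the tool that applies the setuid/setgid policy as root from SuSEconfig, so it should keep the distribution's compiler and hardening flags; if the Makefile does not pick them up, pass them explicitly, e.g. `make CFLAGS="$RPM_OPT_FLAGS"` in `%build` before the install step. The same move hides the install modes of `/etc/permissions*` and the fillup template, which the removed `install -m 644` lines pinned; confirm the Makefile installs them root-owned and not group- or world-writable, since they are the policy source. Whether a `%build` section exists on the new side cannot be seen here, as the spec sections start and end outside the visible hunks.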
@ -1,25 +0,0 @@
## Path: System/Security/Permissions
## Description: Configuration of permissions on the system
## Type: list(set,warn,no)
## Default: set
## Config: permissions
# SuSEconfig can call chkstat to check permissions and ownerships for
# files and directories (using /etc/permissions).
# Setting to "set" will correct it, "warn" produces warnings, if
# something strange is found. Disable this feature with "no".
## Type: string
## Default: "easy local"
# SuSE Linux contains two different configurations for
# chkstat. The differences can be found in /etc/
# and /etc/permissions.easy. If you create your own configuration
# (e.g., you can enter the extension here as well.
# (easy/secure local foo whateveryouwant).