diff --git a/SuSEconfig.permissions b/SuSEconfig.permissions deleted file mode 100644 index fa604d1..0000000 --- a/SuSEconfig.permissions +++ /dev/null @@ -1,86 +0,0 @@ -#! /bin/bash -# This module checks and sets file permissions -# Copyright (C) 1996-2007 SUSE Linux Products GmbH, Nuernberg, Germany. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# -# Author: Burchard Steinbild, 1996-97 -# Bernhard Kaindl , 1999 -# Rüdiger Oertel , 2000-01 -# Ludwig Nussel 2007 -# - -. /lib/YaST/SuSEconfig.functions || exit 1 - -for i in /etc/sysconfig/security /etc/sysconfig/suseconfig ; do - . $i || exit 1 -done - -if test -n "$ENABLE_SUSECONFIG" -a "$ENABLE_SUSECONFIG" = "no" ; then - echo "SuSEconfig is disabled in /etc/sysconfig/suseconfig" - exit 0 -fi - -mode="" -case "$CHECK_PERMISSIONS" in - set) mode="-set" ;; - warn) ;; - no|"") exit 0 ;; - *) echo "invalid value '$CHECK_PERMISSIONS' for \$CHECK_PERMISSIONS" >&2 ;; -esac - - - -# collect files that contain permission specifications -# -# 1. central fixed permissions file -files="/etc/permissions" - -# 2. central easy, secure paranoid as those are defined by SUSE -for level in $PERMISSION_SECURITY; do - case "$level" in - easy|secure|paranoid) - if [ -e /etc/permissions.$level ]; then - files="$files /etc/permissions.$level" - fi - ;; - esac -done - -# 3. package specific permissions -pkgfiles=(/etc/permissions.d/*) -pkgfiles=(${pkgfiles[*]##*/}) -pkgfiles=(${pkgfiles[*]%%.*}) -pkgfiles=(`for i in ${pkgfiles[@]}; do echo $i; done | /usr/bin/sort -u`) - -for file in ${pkgfiles[@]}; do - file=/etc/permissions.d/$file - [ -e $file ] && files="$files $file" - for level in $PERMISSION_SECURITY; do - [ -e $file.$level ] && files="$files $file.$level" - done -done - -# 4. central permissions files with user defined level incl 'local' -for level in $PERMISSION_SECURITY; do - case "$level" in - easy|secure|paranoid) continue ;; - esac - if [ -e /etc/permissions.$level ]; then - files="$files /etc/permissions.$level" - fi -done - -/usr/bin/chkstat $mode $files diff --git a/checkpermissionfiles.pl b/checkpermissionfiles.pl deleted file mode 100644 index bbd5833..0000000 --- a/checkpermissionfiles.pl +++ /dev/null @@ -1,198 +0,0 @@ -#!/usr/bin/perl -w -# perform some consistency checks on permission files - -use Getopt::Long; - -use strict; - -use Data::Dumper; -use File::Basename; - -my @deflevels = ('easy', 'secure', 'paranoid'); - -my @defpermfiles = ('permissions', 'permissions.easy', 'permissions.secure', 'permissions.paranoid'); - -# filename -# - level (DEFAULT, easy, secure, paranoid) -# - owner -# - mode -my %perms; - -my($nodups, $checkmissing, $defonly, $showsuid, $showsgid, $showww, $showgw, - $show, @levels, $showsame, $dump, @permfiles, $help, $checkdirs); - -Getopt::Long::Configure("no_ignore_case"); -GetOptions ( - "nodups" => \$nodups, - "missing" => \$checkmissing, - "defonly" => \$defonly, - "show" => \$show, - "suid" => \$showsuid, - "sgid" => \$showsgid, - "ww" => \$showww, - "gw" => \$showgw, - "same" => \$showsame, - "level=s" => \@levels, - "dump" => \$dump, - "checkdirs=s" => \$checkdirs, - "help" => \$help, - ); - -if($help) -{ -print <) - { - chomp; - s/#.*//; - next if(/^$/); - - my ($file, $owner, $mode) = split(/\s+/); - - if(!$nodups && exists($perms{$file}{$level})) - { - print STDERR "$permfile:$. File listed twice: $file already in $level\n"; - } - else - { - $perms{$file}{$level}{'owner'} = $owner; - $perms{$file}{$level}{'mode'} = $mode; - } - - if($checkdirs) - { - if(! -e $checkdirs.$file) - { - #print STDERR "$permfile:$.: can't check $file\n"; - } - elsif(-d $checkdirs.$file && oct($mode)&020 && !(oct($mode)&01000)) - { - print STDERR "$permfile:$.: $file group writeable but not sticky\n" - } - } - } - - close(FH); -} - -my ($file, $owner, $mode, $level); - -format FORMATTED = -@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<<<< @>>>> (@*) -$file, $owner, $mode, $level -. - -open FORMATTED, ">&STDOUT"; - -$checkmissing = 1 unless ($show || $showsuid || $showsgid || $showww || $showgw || $dump || $showsame); - -foreach $file (sort keys %perms) -{ - - next if($defonly && !exists($perms{$file}{'DEFAULT'})); - - { - my @l = ('DEFAULT'); - - push @l, @levels unless $defonly; - - my ($om, $modechanged, $numseen); - $numseen = 0; - for $level (@l) - { - next unless exists $perms{$file}{$level}; - ++$numseen; - $mode = $perms{$file}{$level}{'mode'}; - $om = oct($mode) unless $om; - $modechanged = 1 if($om != oct($mode)); - $owner = $perms{$file}{$level}{'owner'}; - next if( - ($showsuid && !(oct($mode) & 04000)) || - ($showsgid && !(oct($mode) & 02000)) || - ($showww && !(oct($mode) & 0002)) || - ($showgw && !(oct($mode) & 0020)) - ); - write FORMATTED if ($show); - } - - if($numseen > 3) - { - print STDERR "Suspicious: $file in >3 levels\n"; - } - - if($showsame && $numseen > 1 && !$modechanged) - { - print STDERR "Useless: $file\n"; - } - } - - if($checkmissing) - { - my $msg = ''; - - - if(!exists($perms{$file}{'DEFAULT'})) - { - for $level (@levels) - { - if(!exists($perms{$file}{$level})) - { - $msg .= " not in $level\n"; - } - } - } - - if(length $msg) - { - print STDERR "$file:\n$msg\n"; - } - } -} - -close FORMATTED; - -print Dumper(\%perms) if($dump); - -# vim: sw=4 diff --git a/chkstat.8 b/chkstat.8 deleted file mode 100644 index b3f9d2f..0000000 --- a/chkstat.8 +++ /dev/null @@ -1,78 +0,0 @@ -.\" -.\" SUSE man page for chkstat -.\" -.\" Author: Ruediger Oertel -.\" -.TH CHKSTAT 8 "2008-04-17" "SUSE Linux" "Tool to check and set file permissions" -.\" -.UC 8 -.SH NAME -.\" -chkstat \- Tool to check and set file permissions -.SH SYNOPSIS -.\" -.B chkstat -.RB \|[\| \-\-set|\-set ] -.RB \|[\| \-\-noheader ] -.RB \|[\|\|[\| \-\-examine\ file\ ] ... ] -.RB \|[\|\|[\| \-\-files\ filelist\ ] ... ] -.RB \|[\|\|[\| \-\-root\ directory\ ] ... ] -.B permission-file ... -.\" -.SH DESCRIPTION -The program -.I /usr/bin/chkstat -is a tool to check and set file permissions. -.PP -Multiple permissions files can be given on the commandline. -If the permission files contain multiple entries for a single -file, the last entry found will be used. -.PP -.\" -.SS General Options -.TP -.IR \-\-set ,\ \-set -This option enables setting the file permissions, -the default is to check and warn only. -.TP -.IR \-\-noheader -Omit printing the output header lines. -.TP -.IR \-\-examine\ file -Check permissions for this file and not all files listed in the permissions files. -.TP -.IR \-\-files\ filelist -Check permissions for the files listed in -.IR filelist -and not for all files listed in the permissions files. -.TP -.IR \-\-root\ directory -Prefix the files given in the permissions files by this directory. -.PP -.SH EXAMPLE -.PP -The command -.PP -.RS -.B chkstat -set /etc/permissions -.RE -.PP -will parse the file /etc/permissions and set the access mode and the -user- and group memberships each file listed. The format -for the input file is -.PP -.B FILEPATH -.B OWNER:GROUP -.B MODE -.PP -and wildcards are not supported for the filepath. Lines starting -with '#' and empty lines are treated as comments. -.SH COPYRIGHT -1996-2003 SuSE Linux AG, Nuernberg, Germany. - -2008 SUSE LINUX Products GmbH -.SH AUTHORS -Reinhold Sojer, Ruediger Oertel, Michael Schroeder -.PP -Useful changes and additions by Tobias Burnus - diff --git a/chkstat.c b/chkstat.c deleted file mode 100644 index 9e19602..0000000 --- a/chkstat.c +++ /dev/null @@ -1,591 +0,0 @@ -/* Copyright (c) 2004 SuSE Linux AG - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2, or (at your option) - * any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program (see the file COPYING); if not, write to the - * Free Software Foundation, Inc., - * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA - * - **************************************************************** - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#define __USE_GNU -#include - - -struct perm { - struct perm *next; - char *file; - char *owner; - char *group; - mode_t mode; -}; - -struct perm *permlist; -char **checklist; -int nchecklist; -uid_t euid; -char *root; -int rootl; - -void -add_permlist(char *file, char *owner, char *group, mode_t mode) -{ - struct perm *ec, **epp; - - owner = strdup(owner); - group = strdup(group); - if (rootl) - { - char *nfile; - nfile = malloc(strlen(file) + rootl + (*file != '/' ? 2 : 1)); - if (nfile) - { - strcpy(nfile, root); - if (*file != '/') - strcat(nfile, "/"); - strcat(nfile, file); - } - file = nfile; - } - else - file = strdup(file); - if (!owner || !group || !file) - { - perror("permlist entry alloc"); - exit(1); - } - for (epp = &permlist; (ec = *epp) != 0; ) - if (!strcmp(ec->file, file)) - { - *epp = ec->next; - free(ec->file); - free(ec->owner); - free(ec->group); - free(ec); - } - else - epp = &ec->next; - ec = malloc(sizeof(struct perm)); - if (ec == 0) - { - perror("permlist entry alloc"); - exit(1); - } - ec->file = file; - ec->owner = owner; - ec->group = group; - ec->mode = mode; - ec->next = 0; - *epp = ec; -} - -int -in_checklist(char *e) -{ - int i; - for (i = 0; i < nchecklist; i++) - if (!strcmp(e, checklist[i])) - return 1; - return 0; -} - -void -add_checklist(char *e) -{ - if (in_checklist(e)) - return; - e = strdup(e); - if (e == 0) - { - perror("checklist entry alloc"); - exit(1); - } - if ((nchecklist & 63) == 0) - { - if (checklist == 0) - checklist = malloc(sizeof(char *) * (nchecklist + 64)); - else - checklist = realloc(checklist, sizeof(char *) * (nchecklist + 64)); - if (checklist == 0) - { - perror("checklist alloc"); - exit(1); - } - } - checklist[nchecklist++] = e; -} - -int -readline(FILE *fp, char *buf, int len) -{ - int l; - if (!fgets(buf, len, fp)) - return 0; - l = strlen(buf); - if (l && buf[l - 1] == '\n') - { - l--; - buf[l] = 0; - } - if (l + 1 < len) - return 1; - fprintf(stderr, "warning: buffer overrun in line starting with '%s'\n", buf); - while ((l = getc(fp)) != EOF && l != '\n') - ; - buf[0] = 0; - return 1; -} - -void -usage(int x) -{ - fprintf(stderr, "Usage: chkstat [--set] [--noheader] [[--examine file] ...] [ [--files filelist] ...] permission-file ...\n"); - exit(x); -} - -int -safepath(char *path, uid_t uid, gid_t gid) -{ - struct stat stb; - char pathbuf[1024]; - char linkbuf[1024]; - char *p, *p2; - int l, l2, lcnt; - - lcnt = 0; - l2 = strlen(path); - if (l2 >= sizeof(pathbuf)) - return 0; - strcpy(pathbuf, path); - if (pathbuf[0] != '/') - return 0; - p = pathbuf + rootl; - for (;;) - { - p = strchr(p, '/'); - if (!p) - return 1; - *p = 0; - if (lstat(*pathbuf ? pathbuf : "/", &stb)) - return 0; - if (S_ISLNK(stb.st_mode)) - { - if (++lcnt >= 256) - return 0; - l = readlink(pathbuf, linkbuf, sizeof(linkbuf)); - if (l <= 0 || l >= sizeof(linkbuf)) - return 0; - while(l && linkbuf[l - 1] == '/') - l--; - if (l + 1 >= sizeof(linkbuf)) - return 0; - linkbuf[l++] = '/'; - linkbuf[l] = 0; - *p++ = '/'; - if (linkbuf[0] == '/') - { - if (rootl) - { - p[-1] = 0; - fprintf(stderr, "can't handle symlink %s at the moment\n", pathbuf); - return 0; - } - l2 -= (p - pathbuf); - memmove(pathbuf + rootl, p, l2 + 1); - l2 += rootl; - p = pathbuf + rootl; - } - else - { - if (p - 1 == pathbuf) - return 0; /* huh, "/" is a symlink */ - for (p2 = p - 2; p2 >= pathbuf; p2--) - if (*p2 == '/') - break; - if (p2 < pathbuf + rootl) /* cannot happen */ - return 0; - p2++; /* am now after '/' */ - memmove(p2, p, pathbuf + l2 - p + 1); - l2 -= (p - p2); - p = p2; - } - if (l + l2 >= sizeof(pathbuf)) - return 0; - memmove(p + l, p, pathbuf + l2 - p + 1); - memmove(p, linkbuf, l); - l2 += l; - if (pathbuf[0] != '/') /* cannot happen */ - return 0; - if (p == pathbuf) - p++; - continue; - } - if (!S_ISDIR(stb.st_mode)) - return 0; - - /* write is always forbidden for other */ - if ((stb.st_mode & 02) != 0) - return 0; - - /* owner must be ok as she may change the mode */ - /* for euid != 0 it is also ok if the owner is euid */ - if (stb.st_uid && stb.st_uid != uid && stb.st_uid != euid) - return 0; - - /* group gid may do fancy things */ - /* for euid != 0 we don't check this */ - if ((stb.st_mode & 020) != 0 && !euid) - if (!gid || stb.st_gid != gid) - return 0; - - *p++ = '/'; - } -} - -int -main(int argc, char **argv) -{ - char *opt, *p; - int set = 0; - int told = 0; - int use_checklist = 0; - FILE *fp; - char line[512]; - char *part[4]; - int i, pcnt, lcnt; - int inpart; - mode_t mode; - struct perm *e; - struct stat stb, stb2; - struct passwd *pwd = 0; - struct group *grp = 0; - uid_t uid; - gid_t gid; - int fd, r; - int errors = 0; - - while (argc > 1) - { - opt = argv[1]; - if (!strcmp(opt, "--")) - break; - if (*opt == '-' && opt[1] == '-') - opt++; - if (!strcmp(opt, "-s") || !strcmp(opt, "-set")) - { - set = 1; - argc--; - argv++; - continue; - } - if (!strcmp(opt, "-n") || !strcmp(opt, "-noheader")) - { - told = 1; - argc--; - argv++; - continue; - } - if (!strcmp(opt, "-e") || !strcmp(opt, "-examine")) - { - argc--; - argv++; - if (argc == 1) - { - fprintf(stderr, "examine: argument required\n"); - exit(1); - } - add_checklist(argv[1]); - use_checklist = 1; - argc--; - argv++; - continue; - } - if (!strcmp(opt, "-f") || !strcmp(opt, "-files")) - { - argc--; - argv++; - if (argc == 1) - { - fprintf(stderr, "files: argument required\n"); - exit(1); - } - if ((fp = fopen(argv[1], "r")) == 0) - { - fprintf(stderr, "files: %s: %s\n", argv[1], strerror(errno)); - exit(1); - } - while (readline(fp, line, sizeof(line))) - { - if (!*line) - continue; - add_checklist(line); - } - fclose(fp); - use_checklist = 1; - argc--; - argv++; - continue; - } - if (!strcmp(opt, "-r") || !strcmp(opt, "-root")) - { - argc--; - argv++; - if (argc == 1) - { - fprintf(stderr, "root: argument required\n"); - exit(1); - } - root = argv[1]; - rootl = strlen(root); - if (*root != '/') - { - fprintf(stderr, "root: must begin with '/'\n"); - exit(1); - } - argc--; - argv++; - continue; - } - if (*opt == '-') - usage(!strcmp(opt, "-h") || !strcmp(opt, "-help") ? 0 : 1); - break; - } - if (argc <= 1) - usage(1); - for (i = 1; i < argc; i++) - { - if ((fp = fopen(argv[i], "r")) == 0) - { - perror(argv[i]); - exit(1); - } - lcnt = 0; - while (readline(fp, line, sizeof(line))) - { - lcnt++; - if (*line == 0 || *line == '#' || *line == '$') - continue; - inpart = 0; - pcnt = 0; - for (p = line; *p; p++) - { - if (*p == ' ' || *p == '\t') - { - *p = 0; - if (inpart) - { - pcnt++; - inpart = 0; - } - continue; - } - if (!inpart) - { - inpart = 1; - if (pcnt == 3) - break; - part[pcnt] = p; - } - } - if (inpart) - pcnt++; - if (pcnt != 3) - { - fprintf(stderr, "bad permissions line %s:%d\n", argv[i], lcnt); - continue; - } - part[3] = part[2]; - part[2] = strchr(part[1], ':'); - if (!part[2]) - part[2] = strchr(part[1], '.'); - if (!part[2]) - { - fprintf(stderr, "bad permissions line %s:%d\n", argv[i], lcnt); - continue; - } - *part[2]++ = 0; - mode = strtoul(part[3], part + 3, 8); - if (mode > 07777 || part[3][0]) - { - fprintf(stderr, "bad permissions line %s:%d\n", argv[i], lcnt); - continue; - } - add_permlist(part[0], part[1], part[2], mode); - } - fclose(fp); - } - - euid = geteuid(); - for (e = permlist; e; e = e->next) - { - if (use_checklist && !in_checklist(e->file)) - continue; - if (lstat(e->file, &stb)) - continue; - if (S_ISLNK(stb.st_mode)) - continue; - if ((!pwd || strcmp(pwd->pw_name, e->owner)) && (pwd = getpwnam(e->owner)) == 0) - { - fprintf(stderr, "%s: unknown user %s\n", e->file, e->owner); - continue; - } - if ((!grp || strcmp(grp->gr_name, e->group)) && (grp = getgrnam(e->group)) == 0) - { - fprintf(stderr, "%s: unknown group %s\n", e->file, e->group); - continue; - } - uid = pwd->pw_uid; - gid = grp->gr_gid; - if ((stb.st_mode & 07777) == e->mode && stb.st_uid == uid && stb.st_gid == gid) - continue; - - if (!told) - { - told = 1; - printf("Checking permissions and ownerships - using the permissions files\n"); - for (i = 1; i < argc; i++) - printf("\t%s\n", argv[i]); - } - - if (!set) - printf("%s should be %s:%s %04o.", e->file, e->owner, e->group, e->mode); - else - printf("setting %s to %s:%s %04o.", e->file, e->owner, e->group, e->mode); - printf(" (wrong"); - if (stb.st_uid != uid || stb.st_gid != gid) - { - pwd = getpwuid(stb.st_uid); - grp = getgrgid(stb.st_gid); - if (pwd) - printf(" owner/group %s", pwd->pw_name); - else - printf(" owner/group %d", stb.st_uid); - if (grp) - printf(":%s", grp->gr_name); - else - printf(":%d", stb.st_gid); - pwd = 0; - grp = 0; - } - if ((stb.st_mode & 07777) != e->mode) - printf(" permissions %04o", (int)(stb.st_mode & 07777)); - putchar(')'); - putchar('\n'); - - if (!set) - continue; - - fd = -1; - if (S_ISDIR(stb.st_mode)) - { - fd = open(e->file, O_RDONLY|O_DIRECTORY|O_NONBLOCK|O_NOFOLLOW); - if (fd == -1) - { - perror(e->file); - errors++; - continue; - } - } - else if (S_ISREG(stb.st_mode)) - { - fd = open(e->file, O_RDONLY|O_NONBLOCK|O_NOFOLLOW); - if (fd == -1) - { - perror(e->file); - errors++; - continue; - } - if (fstat(fd, &stb2)) - continue; - if (stb.st_mode != stb2.st_mode || stb.st_nlink != stb2.st_nlink || stb.st_dev != stb2.st_dev || stb.st_ino != stb2.st_ino) - { - fprintf(stderr, "%s: too fluctuating\n", e->file); - errors++; - continue; - } - if (stb.st_nlink > 1 && !safepath(e->file, 0, 0)) - { - fprintf(stderr, "%s: on an insecure path\n", e->file); - errors++; - continue; - } - else if (e->mode & 06000) - { - /* extra checks for s-bits */ - if (!safepath(e->file, (e->mode & 02000) == 0 ? uid : 0, (e->mode & 04000) == 0 ? gid : 0)) - { - fprintf(stderr, "%s: will not give away s-bits on an insecure path\n", e->file); - errors++; - continue; - } - } - } - else if (strncmp(e->file, "/dev/", 4) != 0) - { - fprintf(stderr, "%s: don't know what to do with that type of file\n", e->file); - errors++; - continue; - } - if (euid == 0 && (stb.st_uid != uid || stb.st_gid != gid)) - { - if (fd >= 0) - r = fchown(fd, uid, gid); - else - r = chown(e->file, uid, gid); - if (r) - { - fprintf(stderr, "%s: chown: %s\n", e->file, strerror(errno)); - errors++; - } - if (fd >= 0) - r = fstat(fd, &stb); - else - r = lstat(e->file, &stb); - if (r) - { - fprintf(stderr, "%s: too fluctuating\n", e->file); - errors++; - continue; - } - } - if ((stb.st_mode & 07777) != e->mode) - { - if (fd >= 0) - r = fchmod(fd, e->mode); - else - r = chmod(e->file, e->mode); - if (r) - { - fprintf(stderr, "%s: chmod: %s\n", e->file, strerror(errno)); - errors++; - } - } - if (fd >= 0) - close(fd); - } - if (errors) - { - fprintf(stderr, "ERROR: not all operations were successful.\n"); - exit(1); - } - exit(0); -} diff --git a/get_version_number.sh b/get_version_number.sh deleted file mode 100644 index 52ed42a..0000000 --- a/get_version_number.sh +++ /dev/null @@ -1 +0,0 @@ -get_date_version_string `find_newest_file *.*` diff --git a/permissions b/permissions deleted file mode 100644 index ed9af6b..0000000 --- a/permissions +++ /dev/null @@ -1,199 +0,0 @@ -# /etc/permissions -# -# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved. -# -# Author: Roman Drahtmueller , 2001 -# -# This file is used by SuSEconfig and chkstat to check or set the modes -# and ownerships of files and directories in the installation. -# -# There is a set of files with similar meaning in a SuSE installation: -# /etc/permissions (This file) -# /etc/permissions.easy -# /etc/permissions.secure -# /etc/permissions.paranoid -# /etc/permissions.local -# Please see the respective files for their meaning. -# -# -# Format: -# : -# -# How it works: -# Change the entries as you like, then call -# 'chkstat -set /etc/permissions' or /etc/permissions.{easy,secure,paranoid} -# respectively, or call 'SuSEconfig' as yast do after they think -# that files have been modified in the system. -# -# SuSEconfig will use the files /etc/permissions and the ones ending -# in what the variable PERMISSION_SECURITY from -# /etc/sysconfig/security contains. By default, these are the files -# /etc/permissions, /etc/permissions.easy and /etc/permissions.local -# for local changes by the admin. In addition, the directory -# /etc/permissions.d/ can contain permission files that belong to -# the packages they modify file modes for. These permission files -# are to switch between conflicting file modes of the same file -# paths in different packages (popular example: sendmail and -# postfix, path /usr/sbin/sendmail). -# -# SuSEconfig's usage of the chkstat program can be turned off completely -# by setting CHECK_PERMISSIONS to "warn" in /etc/sysconfig/security. -# -# /etc/permissions is kept to the bare minimum. File modes that differ -# from the settings in this file should be considered broken. -# -# Please see the headers of the files -# /etc/permissions.easy -# /etc/permissions.secure -# /etc/permissions.paranoid -# as well as -# /etc/permissions.local -# for more information about their particular meaning and their setup. - -# -# root directories: -# - -/ root:root 755 -/root/ root:root 700 -/tmp/ root:root 1777 -/tmp/.X11-unix/ root:root 1777 -/tmp/.ICE-unix/ root:root 1777 -/dev/ root:root 755 -/bin/ root:root 755 -/sbin/ root:root 755 -/lib/ root:root 755 -/etc/ root:root 755 -/home/ root:root 755 -/boot/ root:root 755 -/opt/ root:root 755 -/usr/ root:root 755 - -# -# /var: -# - -/var/tmp/ root:root 1777 -/var/tmp/vi.recover/ root:root 1777 -/var/log/ root:root 755 -/var/spool/ root:root 755 -/var/spool/mqueue/ root:root 700 -/var/spool/news/ news:news 775 -/var/spool/uucp/ uucp:uucp 755 -/var/spool/voice/ root:root 755 -/var/spool/mail/ root:root 1777 -/var/adm/ root:root 755 -/var/adm/backup/ root:root 700 -/var/cache/ root:root 755 -/var/cache/fonts/ root:root 1777 -/var/cache/man/ man:root 755 -/var/yp/ root:root 755 -/var/run/nscd/socket root:root 666 -/var/run/sudo/ root:root 700 - -# -# log files that do not grow remarkably -# -/var/log/faillog root:root 600 -# This file is not writeable by gid tty so that the information -# therein can be trusted. -/var/log/lastlog root:tty 644 - - -# -# some device files -# - -/dev/zero root:root 666 -/dev/null root:root 666 -/dev/full root:root 666 -/dev/ip root:root 660 -/dev/initrd root:disk 660 -/dev/kmem root:kmem 640 - -# -# /etc -# -/etc/lilo.conf root:root 600 -/etc/passwd root:root 644 -/etc/shadow root:shadow 640 -/etc/init.d/ root:root 755 -/etc/HOSTNAME root:root 644 -/etc/hosts root:root 644 -# Changing the hosts_access(5) files causes trouble with services -# that do not run as root! -/etc/hosts.allow root:root 644 -/etc/hosts.deny root:root 644 -/etc/hosts.equiv root:root 644 -/etc/hosts.lpd root:root 644 -/etc/ld.so.conf root:root 644 -/etc/ld.so.cache root:root 644 - -/etc/opiekeys root:root 600 - -/etc/ppp/ root:dialout 750 -/etc/ppp/chap-secrets root:root 600 -/etc/ppp/pap-secrets root:root 600 - -# sysconfig files: -/etc/sysconfig/network/providers/ root:root 700 - -# utempter -/usr/sbin/utempter root:tty 2755 - -# ensure correct permissions on ssh files to avoid sshd refusing -# logins (bnc#398250) -/etc/ssh/ssh_host_key root:root 600 -/etc/ssh/ssh_host_key.pub root:root 644 -/etc/ssh/ssh_host_dsa_key root:root 600 -/etc/ssh/ssh_host_dsa_key.pub root:root 644 -/etc/ssh/ssh_host_rsa_key root:root 600 -/etc/ssh/ssh_host_rsa_key.pub root:root 644 -/etc/ssh/ssh_config root:root 644 -/etc/ssh/sshd_config root:root 640 - -# -# legacy -# -# don't set the setuid bit on suidperl! Set it on sperl instead if -# you really need it as suidperl is a hardlink to perl nowadays. -/usr/bin/suidperl root:root 755 - -# cdrecord does not need to be setuid root as it uses resmgr for -# accessing the devices. Access to that one can be configured in -# /etc/resmgr.conf -/usr/bin/cdrecord root:root 755 - -# new traceroute program by Olaf Kirch does not need setuid root any more. -/usr/sbin/traceroute root:root 755 - -# netatalk printer daemon: sgid not needed any more with cups. -/usr/sbin/papd root:lp 0755 - -# games:games 775 safe as long as we don't change files below it (#103186) -# still people do it (#429882) so root:root 755 is the consequence. -/var/games/ root:root 0755 - -# No longer common. Set setuid bit yourself if you need it -# (#66191) -#/usr/bin/ziptool root:trusted 4750 - -# -# udev static devices (#438039) -# -/lib/udev/devices/net/tun root:root 0666 -/lib/udev/devices/null root:root 0666 -/lib/udev/devices/ptmx root:tty 0666 -/lib/udev/devices/tty root:tty 0666 -/lib/udev/devices/zero root:root 0666 - -# -# directory for system crash dumps (#438041) -# -/var/crash/ root:root 1777 - -# -# named chroot (#438045) -# -/var/lib/named/dev/null root:root 0666 -/var/lib/named/dev/random root:root 0666 diff --git a/permissions-2009.08.24.1152.tar.bz2 b/permissions-2009.08.24.1152.tar.bz2 new file mode 100644 index 0000000..1611076 --- /dev/null +++ b/permissions-2009.08.24.1152.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:93f8bb126cf82a643030902d002344e9bfc3a5dea03b909ae1192aae7ac1fa21 +size 17497 diff --git a/permissions.changes b/permissions.changes index a06b50a..98210d3 100644 --- a/permissions.changes +++ b/permissions.changes @@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Mon Aug 24 09:53:25 UTC 2009 - lnussel@suse.de + +- remove permissions handling for traceroute6 and cdrecord which are + symlinks nowadays + +------------------------------------------------------------------- +Thu Aug 20 08:30:02 UTC 2009 - lnussel@suse.de + +- fix weird sendfax permissions (bnc#525954) + +------------------------------------------------------------------- +Wed Aug 19 11:17:53 UTC 2009 - lnussel@suse.de + +- permissions now maintained at gitorious so use tarball instead of + individual files + ------------------------------------------------------------------- Wed Aug 12 09:57:12 CEST 2009 - meissner@suse.de diff --git a/permissions.easy b/permissions.easy deleted file mode 100644 index 25f7a32..0000000 --- a/permissions.easy +++ /dev/null @@ -1,417 +0,0 @@ -# -# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved. -# -# Author: Roman Drahtmueller , 2001 -# -# -# See /etc/permissions for general hints on how to use this file. -# -# /etc/permissions.easy is set up for the use in a standalone and single-user -# installation to make things "work" out-of-the box. -# Some of the settings might be considered somewhat lax from the security -# standpoint. These aspects are handled differently in the permissions.secure -# file. -# - -# -# Directories -# - -# lock file for emacs -/var/lib/xemacs/lock/ root:root 1777 -# for screen's session sockets: -/var/run/uscreens/ root:root 1777 - -# -# /etc -# -/etc/crontab root:root 644 -/etc/exports root:root 644 -/etc/fstab root:root 644 -# we don't package it -/etc/ftpaccess root:root 644 -/etc/ftpusers root:root 644 -/etc/inetd.conf root:root 644 -/etc/inittab root:root 644 -/etc/mtab root:root 644 -/etc/rmtab root:root 644 -/var/lib/nfs/rmtab root:root 644 -/etc/syslog.conf root:root 644 - -# -# suid system programs that need the suid bit to work: -# -/bin/su root:root 4755 -/usr/bin/at root:trusted 4755 -/usr/bin/crontab root:trusted 4755 -/usr/bin/gpasswd root:shadow 4755 -/usr/bin/newgrp root:root 4755 -/usr/bin/passwd root:shadow 4755 -/usr/bin/chfn root:shadow 4755 -/usr/bin/chage root:shadow 4755 -/usr/bin/chsh root:shadow 4755 -/usr/bin/expiry root:shadow 4755 -# the default configuration of the sudo package in SuSE distribution is to -# intimidate users. -/usr/bin/sudo root:root 4755 -/usr/sbin/su-wrapper root:root 4755 -# opie password system -# #66303 -/usr/bin/opiepasswd root:root 4755 -/usr/bin/opiesu root:root 4755 -# "user" entries in /etc/fstab make mount work for non-root users: -/usr/bin/ncpmount root:trusted 4750 -/usr/bin/ncpumount root:trusted 4750 -# #331020 -/sbin/mount.nfs root:root 4755 -# mount/umount have had their problems already: -/bin/mount root:root 4755 -/bin/umount root:root 4755 -/bin/eject root:audio 4755 -# -# #133657 -/usr/bin/fusermount root:trusted 4755 -# #66203 -/usr/lib/majordomo/wrapper root:daemon 4755 -# glibc backwards compatibility -/usr/lib/pt_chown root:root 4755 -/usr/lib64/pt_chown root:root 4755 -# needs setuid root when using shadow via NIS: -# #216816 -/sbin/unix_chkpwd root:shadow 4755 -/sbin/unix2_chkpwd root:shadow 4755 -# qpopper -/usr/sbin/popauth pop:trusted 4755 -# from the squid package -/usr/sbin/pam_auth root:shadow 4755 - -# still to be converted to utempter -/usr/lib/vte/gnome-pty-helper root:tty 2755 - -# -# mixed section: -# -######################################################################### -# rpm subsystem: -/usr/src/packages/SOURCES/ root:root 1777 -/usr/src/packages/BUILD/ root:root 1777 -/usr/src/packages/RPMS/ root:root 1777 -/usr/src/packages/RPMS/alpha/ root:root 1777 -/usr/src/packages/RPMS/alphaev56/ root:root 1777 -/usr/src/packages/RPMS/alphaev67/ root:root 1777 -/usr/src/packages/RPMS/alphaev6/ root:root 1777 -/usr/src/packages/RPMS/arm4l/ root:root 1777 -/usr/src/packages/RPMS/athlon/ root:root 1777 -/usr/src/packages/RPMS/i386/ root:root 1777 -/usr/src/packages/RPMS/i486/ root:root 1777 -/usr/src/packages/RPMS/i586/ root:root 1777 -/usr/src/packages/RPMS/i686/ root:root 1777 -/usr/src/packages/RPMS/ia64/ root:root 1777 -/usr/src/packages/RPMS/mips/ root:root 1777 -/usr/src/packages/RPMS/ppc/ root:root 1777 -/usr/src/packages/RPMS/ppc64/ root:root 1777 -/usr/src/packages/RPMS/powerpc/ root:root 1777 -/usr/src/packages/RPMS/powerpc64/ root:root 1777 -/usr/src/packages/RPMS/s390/ root:root 1777 -/usr/src/packages/RPMS/s390x/ root:root 1777 -/usr/src/packages/RPMS/sparc/ root:root 1777 -/usr/src/packages/RPMS/sparcv9/ root:root 1777 -/usr/src/packages/RPMS/sparc64/ root:root 1777 -/usr/src/packages/RPMS/x86_64/ root:root 1777 -/usr/src/packages/RPMS/armv4l/ root:root 1777 -/usr/src/packages/RPMS/hppa/ root:root 1777 -/usr/src/packages/RPMS/hppa2.0/ root:root 1777 -/usr/src/packages/RPMS/noarch/ root:root 1777 -/usr/src/packages/SPECS/ root:root 1777 -/usr/src/packages/SRPMS/ root:root 1777 -######################################################################### -# video -/usr/bin/v4l-conf root:video 4755 -# Itanium ia32 emulator -/usr/lib/ia32el/suid_ia32x_loader root:root 4755 -# scotty: -# #66211 -/usr/bin/ntping root:trusted 4750 -# screen savers: -/usr/bin/vlock root:shadow 2755 -/usr/bin/Xorg root:root 4711 -# turn off write and wall by disabling sgid tty: -/usr/bin/wall root:tty 2755 -/usr/bin/write root:tty 2755 -# thttpd: -/usr/bin/makeweb root:www 2755 -# yaps, pager software, accesses /dev/ttyS? -/usr/bin/yaps root:uucp 2755 -# ncpfs tool -/usr/bin/nwsfind root:trusted 4750 -/usr/bin/ncplogin root:trusted 4750 -/usr/bin/ncpmap root:trusted 4750 -# lpdfilter: -# checks itself that only lp and root can call it -/usr/lib/lpdfilter/bin/runlpr root:root 4755 -# pcmcia: -# Needs setuid to eject cards (#100120) -/sbin/pccardctl root:trusted 4755 -# gnokii nokia cellphone software -# #66209 -/usr/sbin/mgnokiidev root:uucp 4755 -# pcp, performance co-pilot -# setuid root is used to write /var/log/pcp/NOTICES -# #66205 -/usr/lib/pcp/pmpost root:root 4755 -# mailman mailing list software -# #66315 -/usr/lib/mailman/cgi-bin/admin root:mailman 2755 -/usr/lib/mailman/cgi-bin/admindb root:mailman 2755 -/usr/lib/mailman/cgi-bin/edithtml root:mailman 2755 -/usr/lib/mailman/cgi-bin/listinfo root:mailman 2755 -/usr/lib/mailman/cgi-bin/options root:mailman 2755 -/usr/lib/mailman/cgi-bin/private root:mailman 2755 -/usr/lib/mailman/cgi-bin/roster root:mailman 2755 -/usr/lib/mailman/cgi-bin/subscribe root:mailman 2755 -/usr/lib/mailman/cgi-bin/confirm root:mailman 2755 -/usr/lib/mailman/cgi-bin/create root:mailman 2755 -/usr/lib/mailman/cgi-bin/editarch root:mailman 2755 -/usr/lib/mailman/cgi-bin/rmlist root:mailman 2755 -/usr/lib/mailman/mail/mailman root:mailman 2755 - -# libgnomesu (#75823, #175616) -/usr/lib/libgnomesu/gnomesu-pam-backend root:root 4755 - -# control-center2 (#104993) -/usr/sbin/change-passwd root:root 4755 - -# -# cups (#66305,#406058) -# -/usr/bin/lppasswd lp:lp 2755 - -# -# smb printing with kerberos authentication (#177114) -# -/usr/bin/get_printing_ticket root:lp 4750 - -# -# networking (need root for the privileged socket) -# -/bin/ping root:root 4755 -/bin/ping6 root:root 4755 -/usr/sbin/traceroute6 root:root 4755 -# mtr is linked against ncurses. For dialout only. -/usr/sbin/mtr root:dialout 4750 -/usr/bin/rcp root:root 4755 -/usr/bin/rlogin root:root 4755 -/usr/bin/rsh root:root 4755 - -# heartbeat #66310 -# cl_status needs to be allowed to connect to the heartbeat API. If the setgid -# bit is removed, one can manually add users to the haclient group instead. -/usr/bin/cl_status root:haclient 2555 - -# exim -/usr/sbin/exim root:root 4755 - -# -# dialup networking programs -# -/usr/sbin/pppoe-wrapper root:dialout 4750 -# i4l package (#100750): -/sbin/isdnctrl root:dialout 4750 -# #66111 -/usr/bin/vboxbeep root:trusted 4755 - - -# -# linux text console utilities -# -# setuid needed on the text console to set the terminal content on ctrl-o -# #66112 -/usr/lib/mc/cons.saver root:root 4755 - - -# -# terminal emulators -# This and future SuSE products have support for the utempter, a small helper -# program that does the utmp/wtmp update work with the necessary rights. -# The use of utempter obsoletes the need for sgid bits on terminal emulator -# binaries. We mention screen here, but all other terminal emulators have -# moved to /etc/permissions, with modes set to 0755. - -# needs setuid to access /dev/console -# framebuffer terminal emulator (japanese) -/usr/bin/jfbterm root:tty 6755 - -# -# kde -# (all of them are disabled in permissions.secure except for -# the helper programs) -# -# arts wrapper, normally suid root: -/opt/kde3/bin/artswrapper root:root 4755 -# needs setuid root when using shadow via NIS: -# #66218 -/opt/kde3/bin/kcheckpass root:shadow 4755 -/usr/lib/kde4/libexec/kcheckpass root:shadow 4755 -/usr/lib64/kde4/libexec/kcheckpass root:shadow 4755 -# This has a meaning... hmm... -/opt/kde3/bin/kdesud root:nogroup 2755 -/usr/lib/kde4/libexec/kdesud root:nogroup 2755 -/usr/lib64/kde4/libexec/kdesud root:nogroup 2755 -# used for getting proxy settings from dhcp -/opt/kde3/bin/kpac_dhcp_helper root:root 4755 -# used to distract the oom killer -# #203535 -/opt/kde3/bin/start_kdeinit root:root 4755 -# bnc#523833 -/usr/lib/kde4/libexec/start_kdeinit root:root 4755 -/usr/lib64/kde4/libexec/start_kdeinit root:root 4755 -# edits /etc/smb.conf -# #66312 -/usr/bin/fileshareset root:root 4755 - - -# -# amanda -# -/usr/sbin/amcheck root:amanda 4750 -/usr/lib/amanda/calcsize root:amanda 4750 -/usr/lib/amanda/rundump root:amanda 4750 -/usr/lib/amanda/planner root:amanda 4750 -/usr/lib/amanda/runtar root:amanda 4750 -/usr/lib/amanda/dumper root:amanda 4750 -/usr/lib/amanda/killpgrp root:amanda 4750 - - -# -# gnats -# -/usr/lib/gnats/gen-index gnats:root 4555 -/usr/lib/gnats/pr-edit gnats:root 4555 -/usr/lib/gnats/queue-pr gnats:root 4555 - - -# -# news (inn) -# -# the inn start script changes it's uid to news:news. Later innstart and -# innfeed are called by this user. Those programs do not need to be called by -# anyone else, therefore the strange permissions 4554 are required for -# operation. (#67032) -# -/usr/lib/news/bin/rnews news:uucp 4550 -/usr/lib/news/bin/startinnfeed root:news 4554 -/usr/lib/news/bin/inndstart root:news 4554 -/usr/lib/news/bin/inews news:news 2555 - - -# -# sendfax -# -/usr/lib/mgetty+sendfax/faxq-helper fax:root 4711 -/var/spool/fax/outgoing/ fax:root 1755 -/var/spool/fax/outgoing/locks fax:root 0777 - -# -# uucp -# -/var/spool/uucppublic/ root:root 1777 -/usr/bin/uucp uucp:uucp 6555 -/usr/bin/uuname uucp:uucp 6555 -/usr/bin/uustat uucp:uucp 6555 -/usr/bin/uux uucp:uucp 6555 -/usr/lib/uucp/uucico uucp:uucp 6555 -/usr/lib/uucp/uuxqt uucp:uucp 6555 - - -# -# games of all kinds, toys -# - -# bsd-games -/usr/games/atc games:games 2755 -/usr/games/battlestar games:games 2755 -/usr/games/canfield games:games 2755 -/usr/games/cribbage games:games 2755 -/usr/games/phantasia games:games 2755 -/usr/games/robots games:games 2755 -/usr/games/sail games:games 2755 -/usr/games/snake games:games 2755 -/usr/games/tetris-bsd games:games 2755 - -# Maelstrom -/usr/games/Maelstrom games:games 2755 - -# pachi -/usr/games/pachi games:games 2755 -/usr/games/martian games:games 2755 - -# nethack -/usr/lib/nethack/nethack.tty games:games 2755 - -# chromium, -/usr/games/chromium games:games 2755 - -# xscrabble -/usr/games/xscrab games:games 2755 - -# trackballs -/usr/games/trackballs games:games 2755 - -# ltris -/usr/games/ltris games:games 2755 - -# xlogical -/usr/games/xlogical games:games 2755 - -# lbreakout -/usr/games/lbreakout2 games:games 2755 - -# xgalaga -/usr/bin/xgalaga games:games 2755 - -# rocksndiamonds -/usr/games/rocksndiamonds games:games 2755 - -# gnome-games -/usr/bin/glines games:games 2755 -/usr/bin/gnibbles games:games 2755 -/usr/bin/gnobots2 games:games 2755 -/usr/bin/gnometris games:games 2755 -/usr/bin/gnomine games:games 2755 -/usr/bin/gnotravex games:games 2755 -/usr/bin/gnotski games:games 2755 -/usr/bin/gtali games:games 2755 -/usr/bin/mahjongg games:games 2755 -/usr/bin/same-gnome games:games 2755 - -# zypp (#385207) -/usr/sbin/zypp-refresh-wrapper root:root 4755 - -# PolicyKit (#295341) -/usr/lib/PolicyKit/polkit-set-default-helper polkituser:root 4755 -/usr/lib/PolicyKit/polkit-read-auth-helper root:polkituser 2755 -/usr/lib/PolicyKit/polkit-revoke-helper root:polkituser 2755 -/usr/lib/PolicyKit/polkit-explicit-grant-helper root:polkituser 2755 -/usr/lib/PolicyKit/polkit-grant-helper root:polkituser 2755 -/usr/lib/PolicyKit/polkit-grant-helper-pam root:polkituser 4750 - -# polkit new (bnc#523377) -/usr/lib/polkit-1/polkit-agent-helper-1 root:root 4755 -/usr/bin/pkexec root:root 4755 - -# dbus-1 (#333361) -/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750 -/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750 - -# policycoreutils (#440596) -/usr/bin/newrole root:root 4755 - -# VirtualBox (#429725) -/usr/lib/virtualbox/VirtualBox root:vboxusers 4750 -/usr/lib/virtualbox/VirtualBox3 root:vboxusers 4750 -/usr/lib/virtualbox/VBoxBFE root:vboxusers 4750 -/usr/lib/virtualbox/VBoxHeadless root:vboxusers 4750 -/usr/lib/virtualbox/VBoxSDL root:vboxusers 4750 - -# open-vm-tools (bnc#474285) -/usr/bin/vmware-user-suid-wrapper root:root 4755 diff --git a/permissions.local b/permissions.local deleted file mode 100644 index 5e39bbc..0000000 --- a/permissions.local +++ /dev/null @@ -1,32 +0,0 @@ -# -# /etc/permissions.local -# -# This file is used by SuSEconfig and chkstat to check or set the modes -# and ownerships of files and directories in the installation. -# -# In particular, this file will not be touched during an upgrade of the -# SuSE Linux installation. It is designed to be a placeholder for local -# additions by the administrator of the system to reflect filemodes -# of locally installed packages or to override file permissions as -# shipped with the distribution. -# -# Format: -# : -# -# Please see the file /etc/permissions for general usage hints of the -# /etc/permissions* files. -# Keep in mind that this file (/etc/permissions.local) is being used by -# default by SuSEconfig, the shell script that is used by yast and yast2 -# after package installation and configuration changes to make the changes -# effective for the respective packages (eg generating the "real" -# configuration files). -# Always check if there are no conflicts between your "local" changes here -# and the settings in the other permissions files by calling -# "SuSEconfig" as root! -# Please remember that logfiles might be modified by the logfile -# rotation facilities (e.g. logrotate) so settings entered here might -# be overridden. -# This file needs to end with a newline. -# -# example: -#/usr/bin/sperl5.8.8 root:root 4755 diff --git a/permissions.paranoid b/permissions.paranoid deleted file mode 100644 index 395119e..0000000 --- a/permissions.paranoid +++ /dev/null @@ -1,431 +0,0 @@ -# /etc/permissions.paranoid -# -# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved. -# -# Author: Roman Drahtmueller , 2001 -# -# -# See /etc/permissions for general hints on how to use this file. -# -# /etc/permissions.paranoid is NOT designed to be used in a single-user as -# well as a multi-user installation, be it networked or not. -# Derived from /etc/permissions.secure, it has _all_ sgid and suid bits -# cleared - therefore, the system might be useable for non-privileged users -# except for simple tasks like changing passwords and such. In addition, -# some of the configuration files are not readable for world any more. -# -# Feel free to use this file as a basis of a system configuration that meets -# your understanding of "secure", for the case that you're a bit paranoid. -# Since there is no such thing as "it works" with this configuration, please -# use these settings with care. Some experience on behalf of the administrator -# is needed to have a system running flawlessly when users are present. -# In particular, all terminal emulators will not be able to write to utmp -# and wtmp any more, which renders who(1) and finger(1) useless. -# -# Please always keep in mind that your system listens on network sockets -# in the default configuration. Change this by disabling the services that -# you do not need or by restricting access to them using packet filters -# or tcp wrappers (see hosts_access(5)) to gain a higher level of security -# in your system. - -# -# Directories -# -# no lock files for emacs: -/var/lib/xemacs/lock/ root:trusted 1775 -# for screen's session sockets: -/var/run/uscreens/ root:trusted 1775 - - -# -# /etc -# -/etc/crontab root:root 600 -/etc/exports root:root 600 -/etc/fstab root:root 600 -/etc/ftpaccess root:root 600 -/etc/ftpusers root:root 600 -/etc/inetd.conf root:root 600 -/etc/inittab root:root 600 -/etc/mtab root:root 600 -/etc/rmtab root:root 600 -/var/lib/nfs/rmtab root:root 600 -/etc/syslog.conf root:root 600 - -# -# suid system programs that need the suid bit to work: -# -/bin/su root:root 0755 -# disable at and cron for non-root users -/usr/bin/at root:trusted 0755 -/usr/bin/crontab root:trusted 0755 -/usr/bin/gpasswd root:shadow 0755 -/usr/bin/newgrp root:root 0755 -/usr/bin/passwd root:shadow 0755 -/usr/bin/chfn root:shadow 0755 -/usr/bin/chage root:shadow 0755 -/usr/bin/chsh root:shadow 0755 -/usr/bin/expiry root:shadow 0755 -# the default configuration of the sudo package in SuSE distribution is to -# intimidate users. -/usr/bin/sudo root:root 0755 -/usr/sbin/su-wrapper root:root 0755 -# opie password system -# #66303 -/usr/bin/opiepasswd root:root 0755 -/usr/bin/opiesu root:root 0755 -# "user" entries in /etc/fstab make mount work for non-root users: -/usr/bin/ncpmount root:trusted 0755 -/usr/bin/ncpumount root:trusted 0755 -# #331020 -/sbin/mount.nfs root:root 0755 -# mount/umount have had their problems already: -/bin/mount root:root 0755 -/bin/umount root:root 0755 -/bin/eject root:audio 0755 -# -# #133657 -/usr/bin/fusermount root:trusted 0755 -# #66203 -/usr/lib/majordomo/wrapper root:daemon 0755 -# glibc backwards compatibility -/usr/lib/pt_chown root:root 0755 -/usr/lib64/pt_chown root:root 0755 -# needs setuid root when using shadow via NIS: -# #216816 -/sbin/unix_chkpwd root:shadow 0755 -/sbin/unix2_chkpwd root:shadow 0755 -# qpopper -/usr/sbin/popauth pop:trusted 0755 -# from the squid package -/usr/sbin/pam_auth root:shadow 0755 - -# still to be converted to utempter -/usr/lib/vte/gnome-pty-helper root:tty 0755 - -# -# mixed section: most of it is disabled in this permissions.secure: -# -######################################################################### -# rpm subsystem: -/usr/src/packages/SOURCES/ root:root 700 -/usr/src/packages/BUILD/ root:root 700 -/usr/src/packages/RPMS/ root:root 700 -/usr/src/packages/RPMS/alpha/ root:root 700 -/usr/src/packages/RPMS/alphaev56/ root:root 700 -/usr/src/packages/RPMS/alphaev67/ root:root 700 -/usr/src/packages/RPMS/alphaev6/ root:root 700 -/usr/src/packages/RPMS/arm4l/ root:root 700 -/usr/src/packages/RPMS/athlon/ root:root 700 -/usr/src/packages/RPMS/i386/ root:root 700 -/usr/src/packages/RPMS/i486/ root:root 700 -/usr/src/packages/RPMS/i586/ root:root 700 -/usr/src/packages/RPMS/i686/ root:root 700 -/usr/src/packages/RPMS/ia64/ root:root 700 -/usr/src/packages/RPMS/mips/ root:root 700 -/usr/src/packages/RPMS/ppc/ root:root 700 -/usr/src/packages/RPMS/ppc64/ root:root 700 -/usr/src/packages/RPMS/powerpc/ root:root 700 -/usr/src/packages/RPMS/powerpc64/ root:root 700 -/usr/src/packages/RPMS/s390/ root:root 700 -/usr/src/packages/RPMS/s390x/ root:root 700 -/usr/src/packages/RPMS/sparc/ root:root 700 -/usr/src/packages/RPMS/sparcv9/ root:root 700 -/usr/src/packages/RPMS/sparc64/ root:root 700 -/usr/src/packages/RPMS/x86_64/ root:root 700 -/usr/src/packages/RPMS/armv4l/ root:root 700 -/usr/src/packages/RPMS/hppa/ root:root 700 -/usr/src/packages/RPMS/hppa2.0/ root:root 700 -/usr/src/packages/RPMS/noarch/ root:root 700 -/usr/src/packages/SPECS/ root:root 700 -/usr/src/packages/SRPMS/ root:root 700 -######################################################################### -# video -/usr/bin/v4l-conf root:video 0755 -# Itanium ia32 emulator -/usr/lib/ia32el/suid_ia32x_loader root:root 0755 -######################################################################### -# scotty: -# #66211 -/usr/bin/ntping root:trusted 0755 -# This is not extensively tested. -/usr/bin/vlock root:shadow 0755 -/usr/bin/Xorg root:root 0711 -# turned off write and wall by disabling sgid tty: -/usr/bin/wall root:tty 0755 -/usr/bin/write root:tty 0755 -# thttpd -/usr/bin/makeweb root:www 0750 -# yaps, pager software, accesses /dev/ttyS? . Disabled sgid uucp. -/usr/bin/yaps root:uucp 0755 -# ncpfs tool: trusted only -/usr/bin/nwsfind root:trusted 0750 -/usr/bin/ncplogin root:trusted 0750 -/usr/bin/ncpmap root:trusted 0750 -# lpdfilter: -# checks itself that only lp and root can call it -/usr/lib/lpdfilter/bin/runlpr root:root 0755 -# pcmcia: -# Needs setuid to eject cards (#100120) -/sbin/pccardctl root:trusted 0755 -# gnokii nokia cellphone software -# #66209 -/usr/sbin/mgnokiidev root:uucp 755 -# pcp, performance co-pilot -# setuid root is used to write /var/log/pcp/NOTICES -# #66205 -/usr/lib/pcp/pmpost root:trusted 0755 -# mailman mailing list software -# #66315 -/usr/lib/mailman/cgi-bin/admin root:mailman 0755 -/usr/lib/mailman/cgi-bin/admindb root:mailman 0755 -/usr/lib/mailman/cgi-bin/edithtml root:mailman 0755 -/usr/lib/mailman/cgi-bin/listinfo root:mailman 0755 -/usr/lib/mailman/cgi-bin/options root:mailman 0755 -/usr/lib/mailman/cgi-bin/private root:mailman 0755 -/usr/lib/mailman/cgi-bin/roster root:mailman 0755 -/usr/lib/mailman/cgi-bin/subscribe root:mailman 0755 -/usr/lib/mailman/cgi-bin/confirm root:mailman 0755 -/usr/lib/mailman/cgi-bin/create root:mailman 0755 -/usr/lib/mailman/cgi-bin/editarch root:mailman 0755 -/usr/lib/mailman/cgi-bin/rmlist root:mailman 0755 -/usr/lib/mailman/mail/mailman root:mailman 0755 - -# libgnomesu (#75823, #175616) -/usr/lib/libgnomesu/gnomesu-pam-backend root:root 0755 - -# control-center2 (#104993) -/usr/sbin/change-passwd root:root 0755 - -# -# cups (#66305,#406058) -# -/usr/bin/lppasswd lp:lp 0755 - -# -# smb printing with kerberos authentication (#177114) -# -/usr/bin/get_printing_ticket root:lp 0755 - -# -# networking (need root for the privileged socket) -# -/bin/ping root:root 0755 -/bin/ping6 root:root 0755 -/usr/sbin/traceroute6 root:root 0755 -# mtr is linked against ncurses. -/usr/sbin/mtr root:dialout 0755 -/usr/bin/rcp root:root 0755 -/usr/bin/rlogin root:root 0755 -/usr/bin/rsh root:root 0755 - -# heartbeat #66310 -# cl_status needs to be allowed to connect to the heartbeat API. If the setgid -# bit is removed, one can manually add users to the haclient group instead. -/usr/bin/cl_status root:haclient 0555 - -# exim -/usr/sbin/exim root:root 0755 - -# -# dialup networking programs -# -/usr/sbin/pppoe-wrapper root:dialout 0750 -# i4l package (#100750): -/sbin/isdnctrl root:dialout 0750 -# #66111 -/usr/bin/vboxbeep root:trusted 0755 - - -# -# linux text console utilities -# -# setuid needed on the text console to set the terminal content on ctrl-o -# #66112 -/usr/lib/mc/cons.saver root:root 0755 - - -# -# terminal emulators -# This and future SuSE products have support for the utempter, a small helper -# program that does the utmp/wtmp update work with the necessary rights. -# The use of utempter obsoletes the need for sgid bits on terminal emulator -# binaries. We mention screen here, but all other terminal emulators have -# moved to /etc/permissions, with modes set to 0755. - -# framebuffer terminal emulator (japanese). -/usr/bin/jfbterm root:tty 0755 - -# -# kde -# -# arts wrapper, normally suid root: -/opt/kde3/bin/artswrapper root:root 0755 -# needs setuid root when using shadow via NIS: -# #66218 -/opt/kde3/bin/kcheckpass root:shadow 0755 -/usr/lib/kde4/libexec/kcheckpass root:shadow 0755 -/usr/lib64/kde4/libexec/kcheckpass root:shadow 0755 -# This has a meaning... hmm... -/opt/kde3/bin/kdesud root:nogroup 0755 -/usr/lib/kde4/libexec/kdesud root:nogroup 0755 -/usr/lib64/kde4/libexec/kdesud root:nogroup 0755 -# used for getting proxy settings from dhcp -/opt/kde3/bin/kpac_dhcp_helper root:root 0755 -# used to distract the oom killer -# #203535 -/opt/kde3/bin/start_kdeinit root:root 0755 -# bnc#523833 -/usr/lib/kde4/libexec/start_kdeinit root:root 0755 -/usr/lib64/kde4/libexec/start_kdeinit root:root 0755 -# edits /etc/smb.conf -# #66312 -/usr/bin/fileshareset root:root 0755 - - -# -# amanda -# -/usr/sbin/amcheck root:amanda 0750 -/usr/lib/amanda/calcsize root:amanda 0750 -/usr/lib/amanda/rundump root:amanda 0750 -/usr/lib/amanda/planner root:amanda 0750 -/usr/lib/amanda/runtar root:amanda 0750 -/usr/lib/amanda/dumper root:amanda 0750 -/usr/lib/amanda/killpgrp root:amanda 0750 - - -# -# gnats -# -/usr/lib/gnats/gen-index gnats:root 0555 -/usr/lib/gnats/pr-edit gnats:root 0555 -/usr/lib/gnats/queue-pr gnats:root 0555 - - -# -# news (inn) -# -# the inn start script changes it's uid to news:news. Later innstart and -# innfeed are called by this user. Those programs do not need to be called by -# anyone else, therefore the strange permissions 4554 are required for -# operation. (#67032) -# -/usr/lib/news/bin/rnews news:uucp 0555 -/usr/lib/news/bin/startinnfeed root:news 0555 -/usr/lib/news/bin/inndstart root:news 0555 -/usr/lib/news/bin/inews news:news 0555 - - -# -# sendfax -# -# restrictive, only for "trusted" group users: -/usr/lib/mgetty+sendfax/faxq-helper fax:root 0711 -/var/spool/fax/outgoing/ fax:trusted 1770 -/var/spool/fax/outgoing/locks fax:trusted 1770 - -# -# uucp -# -/var/spool/uucppublic/ root:uucp 1770 -/usr/bin/uucp uucp:uucp 0555 -/usr/bin/uuname uucp:uucp 0555 -/usr/bin/uustat uucp:uucp 0555 -/usr/bin/uux uucp:uucp 0555 -/usr/lib/uucp/uucico uucp:uucp 0555 -/usr/lib/uucp/uuxqt uucp:uucp 0555 - - -# -# games of all kinds, toys -# - -# bsd-games -/usr/games/atc games:games 0755 -/usr/games/battlestar games:games 0755 -/usr/games/canfield games:games 0755 -/usr/games/cribbage games:games 0755 -/usr/games/phantasia games:games 0755 -/usr/games/robots games:games 0755 -/usr/games/sail games:games 0755 -/usr/games/snake games:games 0755 -/usr/games/tetris-bsd games:games 0755 - -# Maelstrom -/usr/games/Maelstrom games:games 0755 - -# pachi -/usr/games/pachi games:games 0755 -/usr/games/martian games:games 0755 - -# nethack -/usr/lib/nethack/nethack.tty games:games 0755 - -# chromium, -/usr/games/chromium games:games 0755 - -# xscrabble -/usr/games/xscrab games:games 0755 - -# trackballs -/usr/games/trackballs games:games 0755 - -# ltris -/usr/games/ltris games:games 0755 - -# xlogical -/usr/games/xlogical games:games 0755 - -# lbreakout -/usr/games/lbreakout2 games:games 0755 - -# xgalaga -/usr/bin/xgalaga games:games 0755 - -# rocksndiamonds -/usr/games/rocksndiamonds games:games 0755 - -# gnome-games -/usr/bin/glines games:games 0755 -/usr/bin/gnibbles games:games 0755 -/usr/bin/gnobots2 games:games 0755 -/usr/bin/gnometris games:games 0755 -/usr/bin/gnomine games:games 0755 -/usr/bin/gnotravex games:games 0755 -/usr/bin/gnotski games:games 0755 -/usr/bin/gtali games:games 0755 -/usr/bin/mahjongg games:games 0755 -/usr/bin/same-gnome games:games 0755 - -# zypp (#385207) -/usr/sbin/zypp-refresh-wrapper root:root 0755 - -# PolicyKit (#295341) -/usr/lib/PolicyKit/polkit-set-default-helper root:polkituser 0755 -/usr/lib/PolicyKit/polkit-read-auth-helper root:polkituser 0755 -/usr/lib/PolicyKit/polkit-revoke-helper root:polkituser 0755 -/usr/lib/PolicyKit/polkit-explicit-grant-helper root:polkituser 0755 -/usr/lib/PolicyKit/polkit-grant-helper root:polkituser 0755 -/usr/lib/PolicyKit/polkit-grant-helper-pam root:polkituser 0755 - -# polkit new (bnc#523377) -/usr/lib/polkit-1/polkit-agent-helper-1 root:root 0755 -/usr/bin/pkexec root:root 0755 - -# dbus-1 (#333361) -/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 0750 -/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 0750 - -# policycoreutils (#440596) -/usr/bin/newrole root:root 0755 - -# VirtualBox (#429725) -/usr/lib/virtualbox/VirtualBox root:vboxusers 0755 -/usr/lib/virtualbox/VirtualBox3 root:vboxusers 0755 -/usr/lib/virtualbox/VBoxBFE root:vboxusers 0755 -/usr/lib/virtualbox/VBoxHeadless root:vboxusers 0755 -/usr/lib/virtualbox/VBoxSDL root:vboxusers 0755 - -# open-vm-tools (bnc#474285) -/usr/bin/vmware-user-suid-wrapper root:root 0755 diff --git a/permissions.secure b/permissions.secure deleted file mode 100644 index acc894e..0000000 --- a/permissions.secure +++ /dev/null @@ -1,456 +0,0 @@ -# /etc/permissions.secure -# -# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved. -# -# Author: Roman Drahtmueller , 2001 -# -# -# See /etc/permissions for general hints on how to use this file. -# -# /etc/permissions.secure is designed for the use in a multi-user and -# networked installation. Most privileged file modes are disabled here. -# Many programs that still have their suid- or sgid-modes have had their -# security problems in the past already. -# The primary target of this configuration is to make the basic things -# such as changing passwords, the basic networking programs as well as -# some of the all-day work programs properly function for the unprivileged -# user. The dial-out packages are executable for users belonging to the -# "dialout" group - therefore, these users are to be treated "privileged". -# Packages such as (remote-) batch queueing systems, games, programs for -# the linux text console, everything linked against OOP libraries and -# most other exotic utilities are turned into unprivileged binary files -# in order for them not to cause any security problems if one or more of -# the programs turn out to have buffer overruns or otherwise locally -# exploitable programming errors. -# This file is not designed to make your system as closed and as restrictive -# as at all possible. In many cases, restricted access to a configuration -# file is of no use since the data used can be obtained from the /proc file -# system or interface configuration as well. Also, system programs such as -# /sbin/ifconfig or /sbin/route are not changed because nosey users can -# bring their own. "Security by obscurity" will add any significant -# security-related advantage to the system. Keep in mind that curiosity -# is a major motivation for your users to try to see behind the curtain. -# -# If you need the functionality of a program that usually runs as a -# privileged user, then use it as root, or, if you are not root, ask your -# system administrator for advice. In many cases, adding a user to the -# "trusted" group gives her access to the resources that are not accessible -# any more if the admin chose to select "secure" as the permissions default. -# -# Please make use of the diff program to see the differences between the -# permissions.easy and permissions.secure files if things don't work as -# they should and you suspect a permission or privilege problem. -# The word "easy" is a reference for the /etc/permissions.easy file. -# -# As usual, these settings are "suggested". If you feel so inclined, -# please feel free to change the modes in this files, but keep a log -# of your changes for future reference. - -# Please always keep in mind that your system listens on network sockets -# in the default configuration. Change this by disabling the services that -# you do not need or by restricting access to them using packet filters -# or tcp wrappers (see hosts_access(5)) to gain a higher level of security -# in your system. - -# -# Directories -# -# no lock files for emacs: -/var/lib/xemacs/lock/ root:trusted 1775 -# for screen's session sockets: -/var/run/uscreens/ root:root 1777 - -# -# /etc -# -/etc/crontab root:root 600 -/etc/exports root:root 644 -/etc/fstab root:root 644 -/etc/ftpaccess root:root 644 -/etc/ftpusers root:root 644 -/etc/inetd.conf root:root 644 -/etc/inittab root:root 644 -/etc/mtab root:root 644 -/etc/rmtab root:root 644 -/var/lib/nfs/rmtab root:root 644 -/etc/syslog.conf root:root 600 - -# -# suid system programs that need the suid bit to work: -# -/bin/su root:root 4755 -# disable at and cron for users that do not belnong to the group "trusted" -/usr/bin/at root:trusted 4750 -/usr/bin/crontab root:trusted 4750 -/usr/bin/gpasswd root:shadow 4755 -/usr/bin/newgrp root:root 4755 -/usr/bin/passwd root:shadow 4755 -/usr/bin/chfn root:shadow 4755 -/usr/bin/chage root:shadow 4755 -/usr/bin/chsh root:shadow 4755 -/usr/bin/expiry root:shadow 4755 -# the default configuration of the sudo package in SuSE distribution is to -# intimidate users. -/usr/bin/sudo root:root 4755 -/usr/sbin/su-wrapper root:root 0755 -# opie password system -# #66303 -/usr/bin/opiepasswd root:root 4755 -/usr/bin/opiesu root:root 4755 -# "user" entries in /etc/fstab make mount work for non-root users: -/usr/bin/ncpmount root:trusted 4750 -/usr/bin/ncpumount root:trusted 4750 -# #331020 -/sbin/mount.nfs root:root 0755 -# mount/umount have had their problems already: -/bin/mount root:root 4755 -/bin/umount root:root 4755 -/bin/eject root:audio 4750 -# -# #133657 -/usr/bin/fusermount root:trusted 4750 -# #66203 -/usr/lib/majordomo/wrapper root:daemon 4750 -# glibc backwards compatibility -/usr/lib/pt_chown root:root 4755 -/usr/lib64/pt_chown root:root 4755 -# needs setuid root when using shadow via NIS: -# #216816 -/sbin/unix_chkpwd root:shadow 4755 -/sbin/unix2_chkpwd root:shadow 4755 -# qpopper -/usr/sbin/popauth pop:trusted 4750 -# from the squid package -/usr/sbin/pam_auth root:shadow 4755 - -# still to be converted to utempter -/usr/lib/vte/gnome-pty-helper root:tty 2755 - -# -# mixed section: most of it is disabled in this permissions.secure: -# -######################################################################### -# rpm subsystem: -/usr/src/packages/SOURCES/ root:root 755 -/usr/src/packages/BUILD/ root:root 755 -/usr/src/packages/RPMS/ root:root 755 -/usr/src/packages/RPMS/alpha/ root:root 755 -/usr/src/packages/RPMS/alphaev56/ root:root 755 -/usr/src/packages/RPMS/alphaev67/ root:root 755 -/usr/src/packages/RPMS/alphaev6/ root:root 755 -/usr/src/packages/RPMS/arm4l/ root:root 755 -/usr/src/packages/RPMS/athlon/ root:root 755 -/usr/src/packages/RPMS/i386/ root:root 755 -/usr/src/packages/RPMS/i486/ root:root 755 -/usr/src/packages/RPMS/i586/ root:root 755 -/usr/src/packages/RPMS/i686/ root:root 755 -/usr/src/packages/RPMS/ia64/ root:root 755 -/usr/src/packages/RPMS/mips/ root:root 755 -/usr/src/packages/RPMS/ppc/ root:root 755 -/usr/src/packages/RPMS/ppc64/ root:root 755 -/usr/src/packages/RPMS/powerpc/ root:root 755 -/usr/src/packages/RPMS/powerpc64/ root:root 755 -/usr/src/packages/RPMS/s390/ root:root 755 -/usr/src/packages/RPMS/s390x/ root:root 755 -/usr/src/packages/RPMS/sparc/ root:root 755 -/usr/src/packages/RPMS/sparcv9/ root:root 755 -/usr/src/packages/RPMS/sparc64/ root:root 755 -/usr/src/packages/RPMS/x86_64/ root:root 755 -/usr/src/packages/RPMS/armv4l/ root:root 755 -/usr/src/packages/RPMS/hppa/ root:root 755 -/usr/src/packages/RPMS/hppa2.0/ root:root 755 -/usr/src/packages/RPMS/noarch/ root:root 755 -/usr/src/packages/SPECS/ root:root 755 -/usr/src/packages/SRPMS/ root:root 755 -######################################################################### -# video -/usr/bin/v4l-conf root:video 4750 -# Itanium ia32 emulator -/usr/lib/ia32el/suid_ia32x_loader root:root 0755 -# scotty: -# #66211 -/usr/bin/ntping root:trusted 4750 -# This is not extensively tested. -/usr/bin/vlock root:shadow 0755 -/usr/bin/Xorg root:root 0711 -# turned off write and wall by disabling sgid tty: -/usr/bin/wall root:tty 0755 -/usr/bin/write root:tty 0755 -# thttpd: sgid + executeable only for group www. Useless... -/usr/bin/makeweb root:www 2750 -# yaps, pager software, accesses /dev/ttyS? . Disabled sgid uucp. -/usr/bin/yaps root:uucp 0755 -# ncpfs tool: trusted only -/usr/bin/nwsfind root:trusted 4750 -/usr/bin/ncplogin root:trusted 4750 -/usr/bin/ncpmap root:trusted 4750 -# lpdfilter: -# checks itself that only lp and root can call it -/usr/lib/lpdfilter/bin/runlpr root:root 4755 -# pcmcia: -# Needs setuid to eject cards (#100120) -/sbin/pccardctl root:trusted 4750 -# gnokii nokia cellphone software -# #66209 -/usr/sbin/mgnokiidev root:uucp 755 -# pcp, performance co-pilot -# setuid root is used to write /var/log/pcp/NOTICES -# #66205 -/usr/lib/pcp/pmpost root:trusted 4750 -# mailman mailing list software -# #66315 -/usr/lib/mailman/cgi-bin/admin root:mailman 2755 -/usr/lib/mailman/cgi-bin/admindb root:mailman 2755 -/usr/lib/mailman/cgi-bin/edithtml root:mailman 2755 -/usr/lib/mailman/cgi-bin/listinfo root:mailman 2755 -/usr/lib/mailman/cgi-bin/options root:mailman 2755 -/usr/lib/mailman/cgi-bin/private root:mailman 2755 -/usr/lib/mailman/cgi-bin/roster root:mailman 2755 -/usr/lib/mailman/cgi-bin/subscribe root:mailman 2755 -/usr/lib/mailman/cgi-bin/confirm root:mailman 2755 -/usr/lib/mailman/cgi-bin/create root:mailman 2755 -/usr/lib/mailman/cgi-bin/editarch root:mailman 2755 -/usr/lib/mailman/cgi-bin/rmlist root:mailman 2755 -/usr/lib/mailman/mail/mailman root:mailman 2755 - -# libgnomesu (#75823, #175616) -/usr/lib/libgnomesu/gnomesu-pam-backend root:root 4755 - -# control-center2 (#104993) -/usr/sbin/change-passwd root:root 4755 - -# -# cups (#66305,#406058) -# -/usr/bin/lppasswd lp:lp 2755 - -# -# smb printing with kerberos authentication (#177114) -# -/usr/bin/get_printing_ticket root:lp 4750 - -# -# networking (need root for the privileged socket) -# -/bin/ping root:root 4755 -/bin/ping6 root:root 4755 -/usr/sbin/traceroute6 root:root 4755 -# mtr is linked against ncurses. no suid bit, for root only: -/usr/sbin/mtr root:dialout 0755 -/usr/bin/rcp root:root 4755 -/usr/bin/rlogin root:root 4755 -/usr/bin/rsh root:root 4755 - -# heartbeat #66310 -# cl_status needs to be allowed to connect to the heartbeat API. If the setgid -# bit is removed, one can manually add users to the haclient group instead. -/usr/bin/cl_status root:haclient 2555 - -# exim -/usr/sbin/exim root:root 4755 - -# -# dialup networking programs -# -/usr/sbin/pppoe-wrapper root:dialout 4750 -# i4l package (#100750): -/sbin/isdnctrl root:dialout 4750 -# #66111 -/usr/bin/vboxbeep root:trusted 0755 - - -# -# linux text console utilities -# -# setuid needed on the text console to set the terminal content on ctrl-o -# #66112 -/usr/lib/mc/cons.saver root:root 0755 - - -# -# terminal emulators -# This and future SuSE products have support for the utempter, a small helper -# program that does the utmp/wtmp update work with the necessary rights. -# The use of utempter obsoletes the need for sgid bits on terminal emulator -# binaries. We mention screen here, but all other terminal emulators have -# moved to /etc/permissions, with modes set to 0755. - -# needs setuid to access /dev/console -# framebuffer terminal emulator (japanese) -/usr/bin/jfbterm root:tty 0755 - -# -# kde -# (all of them are disabled in permissions.secure except for -# the helper programs) -# -# arts wrapper, normally suid root: -/opt/kde3/bin/artswrapper root:root 0755 -# needs setuid root when using shadow via NIS: -# #66218 -/opt/kde3/bin/kcheckpass root:shadow 4755 -/usr/lib/kde4/libexec/kcheckpass root:shadow 4755 -/usr/lib64/kde4/libexec/kcheckpass root:shadow 4755 -# This has a meaning... hmm... -/opt/kde3/bin/kdesud root:nogroup 2755 -/usr/lib/kde4/libexec/kdesud root:nogroup 2755 -/usr/lib64/kde4/libexec/kdesud root:nogroup 2755 -# used for getting proxy settings from dhcp -/opt/kde3/bin/kpac_dhcp_helper root:root 0755 -# used to distract the oom killer -# #203535 -/opt/kde3/bin/start_kdeinit root:root 4755 -# bnc#523833 -/usr/lib/kde4/libexec/start_kdeinit root:root 4755 -/usr/lib64/kde4/libexec/start_kdeinit root:root 4755 -# edits /etc/smb.conf -# #66312 -/usr/bin/fileshareset root:root 0755 - -# -# amanda -# -/usr/sbin/amcheck root:amanda 0750 -/usr/lib/amanda/calcsize root:amanda 0750 -/usr/lib/amanda/rundump root:amanda 0750 -/usr/lib/amanda/planner root:amanda 0750 -/usr/lib/amanda/runtar root:amanda 0750 -/usr/lib/amanda/dumper root:amanda 0750 -/usr/lib/amanda/killpgrp root:amanda 0750 - - -# -# gnats -# -/usr/lib/gnats/gen-index gnats:root 4555 -/usr/lib/gnats/pr-edit gnats:root 4555 -/usr/lib/gnats/queue-pr gnats:root 4555 - - -# -# news (inn) -# -# the inn start script changes it's uid to news:news. Later innstart and -# innfeed are called by this user. Those programs do not need to be called by -# anyone else, therefore the strange permissions 4554 are required for -# operation. (#67032) -# -/usr/lib/news/bin/rnews news:uucp 4550 -/usr/lib/news/bin/startinnfeed root:news 4554 -/usr/lib/news/bin/inndstart root:news 4554 -/usr/lib/news/bin/inews news:news 2555 - - -# -# sendfax -# -# restrictive, only for "trusted" group users: -/usr/lib/mgetty+sendfax/faxq-helper fax:root 4711 -/var/spool/fax/outgoing/ fax:root 0755 -/var/spool/fax/outgoing/locks fax:root 0755 - -# -# uucp -# -/var/spool/uucppublic/ root:uucp 1770 -/usr/bin/uucp uucp:uucp 6555 -/usr/bin/uuname uucp:uucp 6555 -/usr/bin/uustat uucp:uucp 6555 -/usr/bin/uux uucp:uucp 6555 -/usr/lib/uucp/uucico uucp:uucp 6555 -/usr/lib/uucp/uuxqt uucp:uucp 6555 - - -# -# games of all kinds, toys -# all suid and sgid bits cleared. -# - -# bsd-games -/usr/games/atc games:games 0755 -/usr/games/battlestar games:games 0755 -/usr/games/canfield games:games 0755 -/usr/games/cribbage games:games 0755 -/usr/games/phantasia games:games 0755 -/usr/games/robots games:games 0755 -/usr/games/sail games:games 0755 -/usr/games/snake games:games 0755 -/usr/games/tetris-bsd games:games 0755 - -# Maelstrom -/usr/games/Maelstrom games:games 0755 - -# pachi -/usr/games/pachi games:games 0755 -/usr/games/martian games:games 0755 - -# nethack -/usr/lib/nethack/nethack.tty games:games 0755 - -# chromium, -/usr/games/chromium games:games 0755 - -# xscrabble -/usr/games/xscrab games:games 0755 - -# trackballs -/usr/games/trackballs games:games 0755 - -# ltris -/usr/games/ltris games:games 0755 - -# xlogical -/usr/games/xlogical games:games 0755 - -# lbreakout -/usr/games/lbreakout2 games:games 0755 - -# xgalaga -/usr/bin/xgalaga games:games 0755 - -# rocksndiamonds -/usr/games/rocksndiamonds games:games 0755 - -# gnome-games -/usr/bin/glines games:games 0755 -/usr/bin/gnibbles games:games 0755 -/usr/bin/gnobots2 games:games 0755 -/usr/bin/gnometris games:games 0755 -/usr/bin/gnomine games:games 0755 -/usr/bin/gnotravex games:games 0755 -/usr/bin/gnotski games:games 0755 -/usr/bin/gtali games:games 0755 -/usr/bin/mahjongg games:games 0755 -/usr/bin/same-gnome games:games 0755 - -# zypp (#385207) -/usr/sbin/zypp-refresh-wrapper root:root 0755 - -# PolicyKit (#295341) -/usr/lib/PolicyKit/polkit-set-default-helper polkituser:root 4755 -/usr/lib/PolicyKit/polkit-read-auth-helper root:polkituser 2755 -/usr/lib/PolicyKit/polkit-revoke-helper root:polkituser 2755 -/usr/lib/PolicyKit/polkit-explicit-grant-helper root:polkituser 2755 -/usr/lib/PolicyKit/polkit-grant-helper root:polkituser 2755 -/usr/lib/PolicyKit/polkit-grant-helper-pam root:polkituser 4750 - -# polkit new (bnc#523377) -/usr/lib/polkit-1/polkit-agent-helper-1 root:root 4755 -/usr/bin/pkexec root:root 4755 - -# dbus-1 (#333361) -/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750 -/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750 - -# policycoreutils (#440596) -/usr/bin/newrole root:root 0755 - -# VirtualBox (#429725) -/usr/lib/virtualbox/VirtualBox root:vboxusers 0755 -/usr/lib/virtualbox/VirtualBox3 root:vboxusers 0755 -/usr/lib/virtualbox/VBoxBFE root:vboxusers 0755 -/usr/lib/virtualbox/VBoxHeadless root:vboxusers 0755 -/usr/lib/virtualbox/VBoxSDL root:vboxusers 0755 - -# open-vm-tools (bnc#474285) -/usr/bin/vmware-user-suid-wrapper root:root 0755 diff --git a/permissions.spec b/permissions.spec index 333015e..3c466e6 100644 --- a/permissions.spec +++ b/permissions.spec @@ -1,5 +1,5 @@ # -# spec file for package permissions (Version 2009.8.13) +# spec file for package permissions (Version 2009.08.24.1152) # # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -16,30 +16,22 @@ # # norootforbuild +# icecream 0 Name: permissions License: GPL v2 or later Group: Productivity/Security AutoReqProv: on -Version: 2009.8.13 +Version: 2009.08.24.1152 Release: 1 Provides: aaa_base:/etc/permissions Requires: /sbin/SuSEconfig PreReq: %fillup_prereq Summary: SUSE Linux Default Permissions -#Source: permissions.tar.bz2 -Source1: SuSEconfig.permissions -Source2: chkstat.c -Source3: chkstat.8 -Source4: sysconfig.security -Source5: permissions -Source6: permissions.easy -Source7: permissions.paranoid -Source8: permissions.secure -Source9: permissions.local -Source99: checkpermissionfiles.pl +Source: permissions-%{version}.tar.bz2 BuildRoot: %{_tmppath}/%{name}-%{version}-build +Url: http://gitorious.org/opensuse/permissions %description This package contains specifications for permissions of specific files, @@ -51,39 +43,29 @@ local security setting (easy, secure, or paranoid) can be configured in Authors: -------- - Werner Fink - Roman Drahtmüller + Werner Fink + Roman Drahtmüller + Michael Schröder + Ludwig Nussel %prep +%setup -q %build -gcc -Wall $RPM_OPT_FLAGS %{SOURCE2} -o chkstat +make CFLAGS="-W -Wall $RPM_OPT_FLAGS" %install -mkdir -p $RPM_BUILD_ROOT/etc -mkdir -p $RPM_BUILD_ROOT%{_bindir} -mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man8 -mkdir -p $RPM_BUILD_ROOT/sbin/conf.d -mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates -install -m 755 chkstat $RPM_BUILD_ROOT%{_bindir} -install -m 755 %{SOURCE1} $RPM_BUILD_ROOT/sbin/conf.d -install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_mandir}/man8 -install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/var/adm/fillup-templates -install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc -install -m 644 %{SOURCE6} $RPM_BUILD_ROOT/etc -install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/etc -install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc -install -m 644 %{SOURCE9} $RPM_BUILD_ROOT/etc +make DESTDIR="$RPM_BUILD_ROOT" install %post %{fillup_only -n security} %files %defattr(-,root,root,-) -/etc/permissions -/etc/permissions.easy -/etc/permissions.secure -/etc/permissions.paranoid +%config /etc/permissions +%config /etc/permissions.easy +%config /etc/permissions.secure +%config /etc/permissions.paranoid %config(noreplace) /etc/permissions.local %{_bindir}/chkstat %{_mandir}/man8/chkstat.8* diff --git a/sysconfig.security b/sysconfig.security deleted file mode 100644 index d5f84bd..0000000 --- a/sysconfig.security +++ /dev/null @@ -1,25 +0,0 @@ -## Path: System/Security/Permissions -## Description: Configuration of permissions on the system -## Type: list(set,warn,no) -## Default: set -## Config: permissions -# -# SuSEconfig can call chkstat to check permissions and ownerships for -# files and directories (using /etc/permissions). -# Setting to "set" will correct it, "warn" produces warnings, if -# something strange is found. Disable this feature with "no". -# -CHECK_PERMISSIONS="set" - -## Type: string -## Default: "easy local" -# -# SuSE Linux contains two different configurations for -# chkstat. The differences can be found in /etc/permissions.secure -# and /etc/permissions.easy. If you create your own configuration -# (e.g. permissions.foo), you can enter the extension here as well. -# -# (easy/secure local foo whateveryouwant). -# -PERMISSION_SECURITY="easy local" -