commit 5c4c097b76a6e24b902049b9d1881986ed2ee1f1188dd443a97c4d4e67d4cf88 Author: Wolfgang Frisch Date: Mon Jan 20 09:01:57 2025 +0000 - Update to version 1699_20250120: * profiles: whitelist nvidia-modprobe (bsc#1230950) OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=353 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_service b/_service new file mode 100644 index 0000000..0fb6cd9 --- /dev/null +++ b/_service @@ -0,0 +1,16 @@ + + + https://github.com/openSUSE/permissions.git + git + master + 1699_%cd + enable + + + *.tar + xz + + + permissions-(.+_[0-9]+) + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..cd1ffcc --- /dev/null +++ b/_servicedata 
@@ -0,0 +1,4 @@ + + + https://github.com/openSUSE/permissions.git + cbba970c587889e1bcbf2e62fadb1387534f1df6 \ No newline at end of file diff --git a/permissions-1699_20240522.tar.xz b/permissions-1699_20240522.tar.xz new file mode 100644 index 0000000..d22b0fc --- /dev/null +++ b/permissions-1699_20240522.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c7133fe91afc7d14e530a41a8ce6c9c303638e4b18b5ed331785e6362b4e2c3f +size 55940 diff --git a/permissions-1699_20241029.tar.xz b/permissions-1699_20241029.tar.xz new file mode 100644 index 0000000..494870f --- /dev/null +++ b/permissions-1699_20241029.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a6826bedd01d7ff7f3fbd8989dfdc64061bce360830f10a2fa89ac17cf810ed6 +size 56088 diff --git a/permissions-1699_20250120.tar.xz b/permissions-1699_20250120.tar.xz new file mode 100644 index 0000000..a7b8180 --- /dev/null +++ b/permissions-1699_20250120.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:84ff461cd998090d082b4705e2ede7422a5d3273b61f395b1a9887e50f49363c +size 56088 diff --git a/permissions.changes b/permissions.changes new file mode 100644 index 0000000..c79a1f0 --- /dev/null +++ b/permissions.changes 
@@ -0,0 +1,2214 @@ +------------------------------------------------------------------- +Mon Jan 20 09:00:54 UTC 2025 - wolfgang.frisch@suse.com + +- Update to version 1699_20250120: + * profiles: whitelist nvidia-modprobe (bsc#1230950) + +------------------------------------------------------------------- +Tue Oct 29 15:11:37 UTC 2024 - matthias.gerstner@suse.com + +- Update to version 1699_20241029: + * Add RPM macros; moved from rpm-config-SUSE + * package RPM macros together with permctl, to avoid having to setup an + extra sub-package. + +------------------------------------------------------------------- +Fri May 24 10:37:10 UTC 2024 - matthias.gerstner@suse.com + +- Update to version 1699_20240522: + * man pages: minor corrections (bsc#1224822) + +------------------------------------------------------------------- +Tue May 21 07:40:14 UTC 2024 - filippo.bonazzi@suse.com + +- Update to version 1699_20240521: + * permctl: return special exit code in --warn mode if entries need fixing + +------------------------------------------------------------------- +Mon May 13 11:36:17 UTC 2024 - Matthias Gerstner + +- rename chkstat package to permctl to match the new binary names. Establish + Provides/Obsoletes to keep dependencies and old package cleanup in working + order, see: + + https://en.opensuse.org/openSUSE:Package_dependencies#Renaming_a_package + +- add BuildRequires for acl programs for tests to succeed. Still keep %check + disabled, because the new ACL test fails without /etc/subuid, /etc/subgid + setup. + +------------------------------------------------------------------- +Mon May 13 10:44:44 UTC 2024 - matthias.gerstner@suse.com + +- Update to version 1699_20240513: + * chkstat: has been renamed to permctl to better reflect its purpose. A + symlink for backward compatibility will remain in place. 
+ * documentation: updated man pages + * ACL support: permctl (formerly chkstat) now supports an additional `+acl` + syntax to support assigning ACLs to files similar to the already existing + support for file based capabilities. + +------------------------------------------------------------------- +Mon Mar 11 12:14:10 UTC 2024 - matthias.gerstner@suse.com + +- Update to version 1699_20240307: + * build system: migrate from Makefile to Meson +- adjust spec file to meson build + +------------------------------------------------------------------- +Tue Mar 05 14:37:57 UTC 2024 - filippo.bonazzi@suse.com + +- Update to version 1699_20240305: + * chkstat: EntryProcessor: make error handling in safeOpen() clearer + * chkstat regtests: catch bad error reporting for non-existent files + * chkstat: EntryProcessor: don't report errors for non-existent files + +------------------------------------------------------------------- +Tue Feb 27 10:36:59 UTC 2024 - filippo.bonazzi@suse.com + +- Update to version 1699_20240223: + * chkstat: replace ProcMountState enum by simple bool member + * chkstat: minor style, spelling and documentation fixes + * chkstat: drop types.h header + * chkstat: make ProcMountState a private type of ChkStat + * chkstat: EntryProcessor: rename some member variables for improved readability + * chkstat: get rid of EntryContext and incorporate it into EntryProcessor + * chkstat: split-off EntryProcessor from Chkstat main class + * chkstat: define _GNU_SOURCE via Makefile + * chkstat: processEntries(): make loop variables const + * chkstat: split up checkHaveProc() + * chkstat: ProfileParser: fix a bug when applying capabilities in custom root + * chkstat: ProfileParser: make adding the root to paths transparent + * chkstat: ProfileParser: refactor the now reduced codebase + * chkstat: split off separate ProfileParser + * chkstat: ProfileEntry: mark dropXID() const to support const ProfileEntry use + * chkstat: parseProfile(): improve badProfileLine() 
calls + * chkstat: drop deprecated capability check + * chkstat: also move expandProfilePaths() into new VariableExpansions class + * chkstat: split off variable expansion logic into separate class + * chkstat: loadVariableExpansions(): a bit of refactoring + * chkstat: parseSysconfig(): bit of refactoring + * chkstat: remove deprecated CHECK_PERMISSIONS logic + * chkstat: move assorted types into dedicated header + * chkstat: replace #include guards by #pragma once + * chkstat: split off command line arguments from Chkstat main class + * chkstat: drop SaneValueArg wrapper + * chkstat: document new packages.d directory + * chkstat: drop TODO regarding ProfileEntry being changed on-the-fly + * chkstat: harmonize FileCapabilities API + * chkstat: support /usr/share/permissions/package.d for per-package drop-ins + * chkstat: minor coding style fixes + * chkstat: improve readability for rstrip() to strip trailing slashes + * chkstat: remove trailing slashes from paths found on the command line + * chkstat: add warning messages for rare error situations + * chkstat: open profiles right away without racy `access()` check. +- Remove fix_version.sh, handle version with services + +------------------------------------------------------------------- +Tue Feb 6 16:42:10 UTC 2024 - Wolfgang Frisch + +- Drop superfluous mkdir /usr/share/permissions/permissions.d + This is now created by the Makefile. 
See also + commit 5900bc1ffe6275298ded3c96dee03a5c98e4db1c + +------------------------------------------------------------------- +Tue Feb 06 11:06:15 UTC 2024 - paolo.perego@suse.com + +- Update to version 20240206: + * Whitelisting libgtop_server2 (bsc#1218921) + * Removing bogus whitespaces + * chkstat: harmonize and transform to a more compact coding and doc style + * gitignore: also ignore hidden ctags + * build: Create /usr/share/permissions/permissions.d for packagers + * profiles: drop /usr/sbin/lockdev which is no longer packaged in Factory + * profiles: drop /etc/ftpusers which is no longer shipped in netcfg + +------------------------------------------------------------------- +Tue Jan 30 12:13:45 UTC 2024 - Dominique Leuenberger + +- Create directory /usr/share/permissions/permissions.d for packages + to place their drop-ins. + +------------------------------------------------------------------- +Mon Nov 27 11:38:26 UTC 2023 - Daniel Garcia + +- Remove dependency on /usr/bin/python3, making scripts to depends on + the real python3 binary, not the link. bsc#1212476 + +------------------------------------------------------------------- +Fri Jun 02 10:36:05 UTC 2023 - matthias.gerstner@suse.com + +- Update to version 20230602: + * profiles: remove dropped pppoe-wrapper + +------------------------------------------------------------------- +Tue May 16 11:05:25 UTC 2023 - matthias.gerstner@suse.com + +- Update to version 20230516: + * common permissions: add icingaweb2 setgid directory (bsc#1211314) + +------------------------------------------------------------------- +Mon Apr 24 13:06:36 UTC 2023 - wolfgang.frisch@suse.com + +- Update to version 20230424: + * profiles: remove dead opiepasswd entry + (opie was removed via OBS sr#1065964). 
+ +------------------------------------------------------------------- +Fri Feb 17 11:12:44 UTC 2023 - matthias.gerstner@suse.com + +- Update to version 20230217: + * shadow: newgidmap,newuidmap: use capabilities (bsc#1208309) + * profiles: whitelist kismet capabilities (bsc#1200954) (#171) + +------------------------------------------------------------------- +Tue Dec 20 10:04:33 UTC 2022 - matthias.gerstner@suse.com + +- Update to version 20221220: + * profiles: remove outdated kdesud, apptainer entries + +------------------------------------------------------------------- +Wed Sep 21 14:30:41 UTC 2022 - Dirk Müller + +- skip tests on qemu user builds + +------------------------------------------------------------------- +Tue Sep 13 08:38:26 UTC 2022 - matthias.gerstner@suse.com + +- Update to version 20220912: + * chkstat: also consider group controlled paths (bsc#1203018, + CVE-2022-31252) + +------------------------------------------------------------------- +Mon Aug 8 06:40:01 UTC 2022 - Dominique Leuenberger + +- Fix dependency from permissions-zypp-plugin to permissions. + +------------------------------------------------------------------- +Sat Jul 30 07:14:02 UTC 2022 - Stephan Kulow + +- Avoid different Versions for subpackages to fix build-compare + seeing the src rpm as equal. 
It replaces VERSION-RELEASE but + that will fail if subpackages use a different Version + +------------------------------------------------------------------- +Wed Jul 13 13:52:09 UTC 2022 - matthias.gerstner@suse.com + +- Update to version 20220713: + * postfix: add postlog setgid for maildrop binary (bsc#1201385) + * libexec migration: KDE utilities now properly place their helpers + * pccardctl: installation path has finally changed to /usr/sbin + +------------------------------------------------------------------- +Fri Mar 11 11:14:05 UTC 2022 - matthias.gerstner@suse.com + +- Update to version 20220309: + * apptainer whitelisting (bsc#1196145) + +------------------------------------------------------------------- +Fri Feb 25 09:34:23 UTC 2022 - matthias.gerstner@suse.com + +- Update to version 20220202: + * mount.nfs: switch from migration mode to fixed path in /usr/sbin + * changed gendered pronouns + * mgetty: faxq-helper now finally reside in /usr/libexec + +------------------------------------------------------------------- +Wed Sep 01 07:33:41 UTC 2021 - matthias.gerstner@suse.com + +- Update to version 20210901: + * libksysguard5: Updated path for ksgrd_network_helper + * kdesu: Updated path for kdesud + * sbin_dirs cleanup: these binaries have already been moved to /usr/sbin + * mariadb: revert auth_pam_tool to /usr/lib{,64} again + * cleanup: revert virtualbox back to plain /usr/lib + * cleanup: remove deprecated /etc/ssh/sshd_config + * hawk_invoke is not part of newer hawk2 packages anymore + * cleanup: texlive-filesystem: public now resides in libexec + * cleanup: authbind: helper now resides in libexec + * cleanup: polkit: the agent now also resides in libexec + * libexec cleanup: 'inn' news binaries now reside in libexec + +------------------------------------------------------------------- +Tue May 18 11:16:07 UTC 2021 - matthias.gerstner@suse.com + +- Update to version 20210518: + * whitelist please (bsc#1183669) + 
+------------------------------------------------------------------- +Tue May 18 08:02:20 UTC 2021 - matthias.gerstner@suse.com + +- Update to version 20210518: + * Fix enlightenment paths for 32-bit architectures + +------------------------------------------------------------------- +Mon Jan 25 12:14:46 UTC 2021 - matthias.gerstner@suse.com + +- Update to version 20210125: + * usbauth: drop compatibility variable for libexec + * usbauth: Updated path for usbauth-npriv + * profiles: finish usage of variable for polkit-agent-helper-1 + +------------------------------------------------------------------- +Fri Dec 4 12:58:20 UTC 2020 - Ludwig Nussel + +- move man page to where the documented files are + +------------------------------------------------------------------- +Wed Nov 11 09:30:37 UTC 2020 - matthias.gerstner@suse.com + +- Update to version 20201111: + * squid: remove basic_pam_auth which doesn't need special perms (bsc#1171569) + * mgetty: remove long dead (or never existing) locks directory (bsc#1171882) + * adjust squid pinger path (bsc#1171569) + * profiles: remove now superfluous squid pinger paths (bsc#1171569) + * ksgrd_network_helper: remove obviously wrong path + * etc/permissions: remove unnecessary, duplicate, outdated entries + * chkstat: implement support for variables in profile paths in new + variables.conf + * man pages: add documentation about variables, update copyrights + * profiles: use new variables feature to remove redundant entries + * profiles: prepare /usr/sbin versions of profile entries (bsc#1029961) + * Makefile: support CXXFLAGS and LDFLAGS override / extension via make/env variables (bsc#1178475) + * Makefile: compile with LFO support to fix 32-bit emulation on 64-bit hosts (bsc#1178476) + * README: added information about know limitations of this approach +- adjusted spec file: + - package new variables.conf + - apply %{optflags} correctly via CXXFLAGS variable + - drop FSCAPS_DEFAULT_ENABLED which isn't recognized anymore by 
the + refactored chkstat sources. This is now the default. + +------------------------------------------------------------------- +Thu Oct 08 09:19:32 UTC 2020 - matthias.gerstner@suse.com + +- Update to version 20201008: + * cleanup now useless /usr/lib entries after move to /usr/libexec (bsc#1171164) + * drop (f)ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504) + +------------------------------------------------------------------- +Wed Sep 30 09:26:44 UTC 2020 - matthias.gerstner@suse.com + +- Update to version 20200930: + * whitelist Xorg setuid-root wrapper (bsc#1175867) + +------------------------------------------------------------------- +Wed Sep 09 10:00:18 UTC 2020 - matthias.gerstner@suse.com + +- Update to version 20200909: + * screen: remove /run/uscreens covered by systemd-tmpfiles (bsc#1171879) + +------------------------------------------------------------------- +Fri Sep 04 10:57:51 UTC 2020 - matthias.gerstner@suse.com + +- Update to version 20200904: + * Add /usr/libexec for cockpit-session as new path + * physlock: whitelist with tight restrictions (bsc#1175720) + +------------------------------------------------------------------- +Wed Aug 26 12:33:11 UTC 2020 - malte.kraus@suse.com + +- Update to version 20200826: + * mtr-packet: stop requiring dialout group + * etc/permissions: fix mtr permission + * list_permissions: improve output format + * list_permissions: support globbing in --path argument + * list_permissions: implement simplifications suggested in PR#92 + * list_permissions: new tool for better path configuration overview + +------------------------------------------------------------------- +Tue Aug 11 12:06:30 UTC 2020 - matthias.gerstner@suse.com + +- Update to version 20200811: + * regtest: support new getcap output format in libcap-2.42 + * regtest: print individual test case errors to stderr + +------------------------------------------------------------------- +Mon Jul 27 12:18:04 UTC 2020 - 
matthias.gerstner@suse.com + +- Update to version 20200727: + * etc/permissions: remove static /var/spool/* dirs + * etc/permissions: remove outdated entries + * etc/permissions: remove unnecessary static dirs and devices + * screen: remove now unused /var/run/uscreens + +------------------------------------------------------------------- +Fri Jul 10 09:50:04 UTC 2020 - matthias.gerstner@suse.com + +- Update to version 20200710: + * Revert "etc/permissions: remove entries for bind-chrootenv". This + currently conflicts with the way the CheckSUIDPermissions rpmlint-check is + implemented. + +------------------------------------------------------------------- +Tue Jul 7 15:56:02 UTC 2020 - Callum Farmer + +- Removed dbus-libexec.patch: contained in upstream + +------------------------------------------------------------------- +Tue Jul 07 13:25:40 UTC 2020 - matthias.gerstner@suse.com + +- Update to version 20200624: + * rework permissions.local text (boo#1173221) + * dbus-1: adjust to new libexec dir location (bsc#1171164) + * permission profiles: reinstate kdesud for kde5 + * etc/permissions: remove entries for bind-chrootenv + * etc/permissions: remove traceroute entry + * VirtualBox: remove outdated entry which is only a symlink any more + * /bin/su: remove path refering to symlink + * etc/permissions: remove legacy RPM directory entries + * /etc/permissions: remove outdated sudo directories + * singularity: remove outdated setuid-binary entries + * chromium: remove now unneeded chrome_sandbox entry (bsc#1163588) + * dbus-1: remove deprecated alternative paths + * PolicyKit: remove outdated entries last used in SLE-11 + * pcp: remove no longer needed / conflicting entries + * gnats: remove entries for package removed from Factory + * kdelibs4: remove entries for package removed from Factory + * v4l-base: remove entries for package removed from Factory + * mailman: remove entries for package deleted from Factory + * gnome-pty-helper: remove dead entry no longer 
part of the vte package + * gnokii: remove entries for package no longer in Factory + * xawtv (v4l-conf): correct group ownership in easy profile + * systemd-journal: remove unnecessary profile entries + * thttp: make makeweb entry usable in the secure profile (bsc#1171580) + +------------------------------------------------------------------- +Tue Jun 16 13:23:23 UTC 2020 - malte.kraus@suse.com + +- dbus-1: adjust to new libexec dir location (bsc#1171164). This is + temporarily done through the patch in dbus-libexec.patch because + we are not completely certain the stability of current git. +- run chkstat test suite during RPM build + +------------------------------------------------------------------- +Tue May 26 13:03:52 UTC 2020 - matthias.gerstner@suse.com + +- Update to version 20200526: + * profiles: add entries for enlightenment (bsc#1171686) + +------------------------------------------------------------------- +Wed May 20 09:02:14 UTC 2020 - matthias.gerstner@suse.com + +- Update to version 20200520: + * permissions fixed profile: utempter: reinstate libexec compatibility entry + +------------------------------------------------------------------- +Tue May 19 09:14:38 UTC 2020 - matthias.gerstner@suse.com + +- Update to version 20200519: + * chkstat: fix sign conversion warnings on 32-bit architectures + * chkstat: allow simultaneous use of `--set` and `--system` + * regtest: adjust TestUnkownOwnership test to new warning output behaviour + +------------------------------------------------------------------- +Mon May 18 12:06:10 UTC 2020 - malte.kraus@suse.com + +- Update to version 20200518: + * whitelist texlive public binary (bsc#1171686) + +------------------------------------------------------------------- +Fri May 15 09:49:48 UTC 2020 - matthias.gerstner@suse.com + +- Update to version 20200514: + * fixed permissions: adjust to new libexec dir location (bsc#1171164) + (affects utempter path) + 
+------------------------------------------------------------------- +Wed May 13 12:09:17 UTC 2020 - matthias.gerstner@suse.com + +- Update to version 20200513: + * major rewrite of the chkstat tool + * setuid bit for cockpit (bsc#1169614) + +------------------------------------------------------------------- +Thu May 07 09:50:15 UTC 2020 - malte.kraus@suse.com + +- Update to version 20200506: + * add whitelist for files in /usr/lib to be also allowed in + /usr/libexec (bsc#1171164) + +------------------------------------------------------------------- +Tue Mar 24 12:52:07 UTC 2020 - jsegitz@suse.de + +- Update to version 20200324: + * whitelist s390-tools setgid bit on log directory (bsc#1167163) + * whitelist WMP (bsc#1161335) + * regtest: improve readability of path variables by using literals + * regtest: adjust test suite to new path locations in /usr/share/permissions + * regtest: only catch explicit FileNotFoundError + * regtest: provide valid home directory in /root + * regtest: mount permissions src repository in /usr/src/permissions + * regtest: move initialialization of TestBase paths into the prepare() function + * chkstat: suppport new --config-root command line option + * fix spelling of icingacmd group + +------------------------------------------------------------------- +Fri Feb 28 12:00:44 UTC 2020 - malte.kraus@suse.com + +- Update to version 20200228: + * chkstat: fix readline() on platforms with unsigned char + +------------------------------------------------------------------- +Thu Feb 27 12:29:29 UTC 2020 - malte.kraus@suse.com + +- Update to version 20200227: + * remove capability whitelisting for radosgw + * whitelist ceph log directory (bsc#1150366) + * adjust testsuite to post CVE-2020-8013 link handling + * testsuite: add option to not mount /proc + * do not follow symlinks that are the final path element: CVE-2020-8013 + * add a test for symlinked directories + * fix relative symlink handling + * include cpp compat headers, not C 
headers + * Move permissions and permissions.* except .local to /usr/share/permissions + * regtest: fix the static PATH list which was missing /usr/bin + * regtest: also unshare the PID namespace to support /proc mounting + * regtest: bindMount(): explicitly reject read-only recursive mounts + * Makefile: force remove upon clean target to prevent bogus errors + * regtest: by default automatically (re)build chkstat before testing + * regtest: add test for symlink targets + * regtest: make capability setting tests optional + * regtest: fix capability assertion helper logic + * regtests: add another test case that catches set*id or caps in world-writable sub-trees + * regtest: add another test that catches when privilege bits are set for special files + * regtest: add test case for user owned symlinks + * regtest: employ subuid and subgid feature in user namespace + * regtest: add another test case that covers unknown user/group config + * regtest: add another test that checks rejection of insecure mixed-owner paths + * regtest: add test that checks for rejection of world-writable paths + * regtest: add test for detection of unexpected parent directory ownership + * regtest: add further helper functions, allow access to main instance + * regtest: introduce some basic coloring support to improve readability + * regtest: sort imports, another piece of rationale + * regtest: add capability test case + * regtest: improve error flagging of test cases and introduce warnings + * regtest: support caps + * regtest: add a couple of command line parameter test cases + * regtest: add another test that checks whether the default profile works + * regtests: add tests for correct application of local profiles + * regtest: add further test cases that test correct profile application + * regtest: simplify test implementation and readability + * regtest: add helpers for permissions.d per package profiles + * regtest: support read-only bind mounts, also bind-mount permissions repo + * 
tests: introduce a regression test suite for chkstat + * Makefile: allow to build test version programmatically + * README.md: add basic readme file that explains the repository's purpose + * chkstat: change and harmonize coding style + * chkstat: switch to C++ compilation unit +- add suse_version to end of permissions package version + +------------------------------------------------------------------- +Thu Feb 13 12:10:41 UTC 2020 - malte.kraus@suse.com + +- Update to version 20200213: + * remove obsolete/broken entries for rcp/rsh/rlogin + * chkstat: handle symlinks in final path elements correctly + * Revert "Revert "mariadb: settings for new auth_pam_tool (bsc#1160285)"" + * Revert "mariadb: settings for new auth_pam_tool (bsc#1160285)" + +------------------------------------------------------------------- +Tue Feb 04 12:20:43 UTC 2020 - matthias.gerstner@suse.com + +- Update to version 20200204: + * mariadb: settings for new auth_pam_tool (bsc#1160285) + * chkstat: + - add read-only fallback when /proc is not mounted (bsc#1160764) + - capability handling fixes (bsc#1161779) + - better error message when refusing to fix dir perms (#32) + +------------------------------------------------------------------- +Mon Jan 27 11:58:17 UTC 2020 - malte.kraus@suse.com + +- Update to version 20200127: + * fix paths of ksysguard whitelisting + * fix zero-termination of error message for overly long paths + +------------------------------------------------------------------- +Thu Dec 05 14:31:49 UTC 2019 - malte.kraus@suse.com + +- Update to version 20191205: + * fix privilege escalation through untrusted symlinks (bsc#1150734, + CVE-2019-3690) + +------------------------------------------------------------------- +Wed Nov 27 12:47:23 UTC 2019 - matthias.gerstner@suse.com + +- Update to version 20191122: + * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) + +------------------------------------------------------------------- +Mon Nov 18 09:52:14 
UTC 2019 - malte.kraus@suse.com + +- Update to version 20191118: + * whitelist ksysguard network helper (bsc#1151190) + +------------------------------------------------------------------- +Tue Nov 12 12:45:12 UTC 2019 - malte.kraus@suse.com + +- Update to version 20191112: + * fix syntax of paranoid profile + * fix squid permissions (bsc#1093414, CVE-2019-3688) + +------------------------------------------------------------------- +Thu Oct 3 12:38:09 UTC 2019 - Tomáš Chvátal + +- Add || exit 0 on the scriptlet as it can actually fail in + rootless containers with podman. This makes sure the zypper + does not abort the container creation. + * the actual error looks like: + /dev/zero: chown: Operation not permitted + +------------------------------------------------------------------- +Fri Sep 13 11:19:42 UTC 2019 - jsegitz@suse.de + +- Update to version 20190913: + * setgid bit for nagios directory (bsc#1028975, bsc#1150345) +- This also restructures the sources for the permission package + +------------------------------------------------------------------- +Fri Aug 30 14:20:09 UTC 2019 - malte.kraus@suse.com + +- Update to version 20190830: + * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687) + +------------------------------------------------------------------- +Thu Aug 29 15:38:28 UTC 2019 - malte.kraus@suse.com + +- Update to version 20190829: + * add one more missing slash for icinga2 + * fix more missing slashes for directories + +------------------------------------------------------------------- +Tue Aug 20 08:56:35 UTC 2019 - malte.kraus@suse.com + +- Update to version 20190820: + * cron directory permissions: add slashes + +------------------------------------------------------------------- +Thu Jul 11 14:21:23 UTC 2019 - malte.kraus@suse.com + +- Update to version 20190711: + * iputils: Add capability permissions for clockdiff (bsc#1140994) + +------------------------------------------------------------------- 
+Wed Jul 10 12:29:08 UTC 2019 - opensuse-packaging@opensuse.org + +- Update to version 20190710: + * iputils/ping: Drop effective capability + * iputils/ping6: Remove definitions + +------------------------------------------------------------------- +Thu Jun 13 08:57:42 UTC 2019 - meissner@suse.com + +- Update to version 20190521: + * singluarity: Add starter-suid for version 3.2.0 + * adjust settings for amanda to current binary layout + +------------------------------------------------------------------- +Wed Jun 5 12:02:18 UTC 2019 - + +- Move BuildRequires: back to main package + +------------------------------------------------------------------- +Wed Jun 5 10:38:58 UTC 2019 - + +- Moved requires to subpackages (bsc#1137257) + +------------------------------------------------------------------- +Thu May 2 09:46:05 UTC 2019 - jsegitz@suse.com + +- Fixed versions. Removed set_version from _service file, doesn't + work with the new packaging. Call fix_version.sh to set current + date as version instead +- Fixed requires for -config and -zypp-plugin + +------------------------------------------------------------------- +Tue Apr 30 08:57:37 UTC 2019 - opensuse-packaging@opensuse.org + +- Update to version 20190429: + * removed entry for /var/cache/man. Conflicts with packaging and man:man is + the better setting anyway (bsc#1133678) + * fixed error in description of permissions.paranoid. Make it clear that this + is not a usable profile, but intended as a base for own developments + +------------------------------------------------------------------- +Sat Apr 13 17:12:12 UTC 2019 - Jan Engelhardt + +- Fix RPM group, fix hard requirement on documentation. + Update description typography. 
+ +------------------------------------------------------------------- +Thu Apr 11 11:18:36 UTC 2019 - jsegitz@suse.com + +- Created new subpackages -config, -doc and standalone package chkstat + where we can start a better versioning scheme and require it from the + original package + +------------------------------------------------------------------- +Tue Feb 12 14:29:45 UTC 2019 - jsegitz@suse.com + +- Update to version 20190212: + * removed old entry for wodim + * removed old entry for netatalk + * removed old entry for suidperl + * removed old entriy for utempter + * removed old entriy for hostname + * removed old directory entries + * removed old entry for qemu-bridge-helper + * removed old entries for pccardctl + * removed old entries for isdnctrl + * removed old entries for unix(2)_chkpwd + * removed old entries for mount.nfs + * removed old entries for (u)mount + * removed old entry for fileshareset + * removed old entries for KDE + * removed old entry for heartbeat + * removed old entry for gnome-control-center + * removed old entry for pcp + * removed old entry for lpdfilter + * removed old entry for scotty + * removed old entry for ia32el + * removed old entry for squid + * removed old qpopper whitelist + * removed pt_chown entries. Not needed anymore and a bad idea anyway + * removed old majordomo entry + * removed stale entries for old ncpfs tools + * removed old entry for rmtab + * Fixed typo in icinga2 whitelist entry + * New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale + entries for VirtualBox + * Removed whitelist for /usr/bin/su.core. According to comment a temporary + hack introduced 2012 to help moving su from coretuils to util-linux. I + couldn't find it anywhere, so we don't need it anymore + * Remove entry for /usr/bin/yaps. We don't ship it anymore and the group that + is used doesn't exists anymore starting with Leap 15, so it will not work + there anyway. 
Users using this (old) package can do this individually + * removed entry for /etc/ftpaccess. We currently don't have it anywhere (and + judging from my search this has been the case for quite a while) + * Ensure consistency of entries, otherwise switching between settings becomes + problematic + * Fix spelling of SUSE + * permissions.local: fix typo + +------------------------------------------------------------------- +Fri Nov 16 15:15:04 UTC 2018 - opensuse-packaging@opensuse.org + +- Update to version 20181116: + * zypper-plugin: new plugin to fix bsc#1114383 + +------------------------------------------------------------------- +Mon Nov 12 12:14:18 UTC 2018 - opensuse-packaging@opensuse.org + +- Update to version 20181112: + * singularity: remove -suid binaries that have been dropped since version + 2.4 (bsc#1028304) + +------------------------------------------------------------------- +Tue Oct 30 12:13:21 UTC 2018 - opensuse-packaging@opensuse.org + +- Update to version 20181030: + * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds + +------------------------------------------------------------------- +Mon Oct 29 16:59:05 UTC 2018 - opensuse-packaging@opensuse.org + +- Update to version 20181029: + * setuid whitelisting: add fusermount3 (bsc#1111230) + +------------------------------------------------------------------- +Thu Oct 25 16:13:46 UTC 2018 - opensuse-packaging@opensuse.org + +- Update to version 20181025: + * setuid whitelisting: add authbind binary (bsc#1111251) + +------------------------------------------------------------------- +Mon Aug 27 09:12:35 UTC 2018 - opensuse-packaging@opensuse.org + +- Update to version 20180827: + * setuid whitelisting: add firejail binary (bsc#1059013) + +------------------------------------------------------------------- +Fri Aug 10 09:22:35 UTC 2018 - opensuse-packaging@opensuse.org + +- Update to version 20180810: + * setuid whitelisting: add lxc-user-nic (bsc#988348) + 
+------------------------------------------------------------------- +Thu Aug 02 16:13:33 UTC 2018 - opensuse-packaging@opensuse.org + +- Update to version 20180802: + * whitelisting: added smc-tools LD_PRELOAD library (bsc#1102956) + +------------------------------------------------------------------- +Tue Jul 24 08:49:20 UTC 2018 - opensuse-packaging@opensuse.org + +- Update to version 20180724: + * Fix wrong file path in help string + * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) + +------------------------------------------------------------------- +Tue May 08 06:11:27 UTC 2018 - astieger@suse.com + +- Update to version 20180508: + * Capabilities for usage of Wireshark for non-root (bsc#957624) + +------------------------------------------------------------------- +Thu Jan 25 12:52:52 UTC 2018 - meissner@suse.com + +- Update to version 20180125: + * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) + * make btmp root:utmp (bsc#1050467) + +------------------------------------------------------------------- +Mon Jan 15 09:56:48 UTC 2018 - krahmer@suse.com + +- Update to version 20180115: + * - polkit-default-privs: usbauth (bsc#1066877) + +------------------------------------------------------------------- +Mon Dec 4 18:45:53 UTC 2017 - kukuk@suse.com + +- fillup is required for post, not pre installation + +------------------------------------------------------------------- +Thu Nov 30 08:24:44 UTC 2017 - mpluskal@suse.com + +- Cleanup spec file with spec-cleaner +- Drop conditions/definitions related to old distros + +------------------------------------------------------------------- +Wed Nov 29 17:02:20 UTC 2017 - astieger@suse.com + +- Update to version 20171129: + * permissions: adding gvfs (bsc#1065864) + * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 + * Allow fping cap_net_raw (bsc#1047921) + 
+------------------------------------------------------------------- +Thu Nov 23 13:41:09 UTC 2017 - rbrown@suse.com + +- Replace references to /var/adm/fillup-templates with new + %_fillupdir macro (boo#1069468) + +------------------------------------------------------------------- +Tue Nov 21 14:03:29 UTC 2017 - krahmer@suse.com + +- Update to version 20171121: + * - permissions: adding kwayland (bsc#1062182) + +------------------------------------------------------------------- +Mon Nov 06 15:55:58 UTC 2017 - eeich@suse.com + +- Update to version 20171106: + * Allow setuid root for singularity (group only) bsc#1028304 + +------------------------------------------------------------------- +Wed Oct 25 15:51:45 UTC 2017 - jsegitz@suse.com + +- Update to version 20171025: + * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid) + +------------------------------------------------------------------- +Thu Sep 28 10:48:31 UTC 2017 - astieger@suse.com + +- Update to version 20170928: + * Fix invalid syntax bsc#1048645 bsc#1060738 + +------------------------------------------------------------------- +Wed Sep 27 14:50:11 UTC 2017 - pgajdos@suse.com + +- Update to version 20170927: + * fix typos in manpages + +------------------------------------------------------------------- +Fri Sep 22 14:00:15 UTC 2017 - astieger@suse.com + +- Update to version 20170922: + * Allow setuid root for singularity (group only) bsc#1028304 + +------------------------------------------------------------------- +Wed Sep 13 16:53:20 UTC 2017 - astieger@suse.com + +- Update to version 20170913: + * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645) + +------------------------------------------------------------------- +Wed Sep 06 09:44:00 UTC 2017 - opensuse-packaging@opensuse.org + +- Update to version 20170906: + * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 + * permissions: Adding suid bit 
for VBoxNetNAT (bsc#1033425) + +------------------------------------------------------------------- +Wed Jun 7 10:58:37 UTC 2017 - dimstar@opensuse.org + +- BuildIgnore group(trusted): we don't really care for this group + in the buildroot and do not want to get system-users into the + bootstrap cycle as we can avoid it. + +------------------------------------------------------------------- +Sat Jun 3 07:21:24 UTC 2017 - meissner@suse.com + +- Require: group(trusted), as we are handing it out to some unsuspecting + binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc) + +------------------------------------------------------------------- +Fri Jun 2 10:55:09 UTC 2017 - meissner@suse.com + +- Update to version 20170602: + * make /etc/ppp owned by root:root. The group dialout usage is no longer used + +------------------------------------------------------------------- +Sun Aug 07 12:00:00 UTC 2016 - meissner@suse.com + +- Update to version 20160807: + * suexec2 is a symlink, no need for permissions handling + +------------------------------------------------------------------- +Tue Aug 02 08:47:53 UTC 2016 - meissner@suse.com + +- Update to version 20160802: + * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) + * root:shadow 0755 for newuidmap/newgidmap + +------------------------------------------------------------------- +Tue Aug 2 08:29:32 UTC 2016 - krahmer@suse.com + +- adding qemu-bridge-helper mode 04750 (bsc#988279) + +------------------------------------------------------------------- +Mon May 23 09:15:22 UTC 2016 - dimstar@opensuse.org + +- Introduce _service to easier update the package. For simplicity, + change the version from yyyy.mm.dd to yyyymmdd (which is eactly + %cd in the _service defintion). Upgrading is no problem. 
+ +------------------------------------------------------------------- +Mon May 23 09:00:11 UTC 2016 - meissner@suse.com + +- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352) + +------------------------------------------------------------------- +Wed Mar 30 11:14:41 UTC 2016 - meissner@suse.com + +- permissions: adding gstreamer ptp file caps (bsc#960173) + +------------------------------------------------------------------- +Fri Jan 15 14:19:44 UTC 2016 - meissner@suse.com + +- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060) + +------------------------------------------------------------------- +Tue Jan 12 14:30:01 UTC 2016 - meissner@suse.com + +- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363 + +------------------------------------------------------------------- +Thu Oct 29 09:40:30 UTC 2015 - meissner@suse.com + +- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. 
bsc#951765 bsc#263789 +- added missing / to the squid specific directories (bsc#950557) + +------------------------------------------------------------------- +Mon Sep 28 14:27:19 UTC 2015 - meissner@suse.com + +- adjusted radosgw to root:www mode 0750 (bsc#943471) + +------------------------------------------------------------------- +Mon Sep 28 13:35:10 UTC 2015 - meissner@suse.com + +- radosgw can get capability cap_bind_net_service (bsc#943471) + +------------------------------------------------------------------- +Mon Jun 8 16:22:39 UTC 2015 - meissner@suse.com + +- remove /usr/bin/get_printing_ticket; (bnc#906336) + +------------------------------------------------------------------- +Wed Dec 3 16:36:54 UTC 2014 - krahmer@suse.com + +- Added iouyap capabilities (bnc#904060) + +------------------------------------------------------------------- +Wed Nov 5 16:07:01 UTC 2014 - meissner@suse.com + +- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) +- permissions: incorporating squid changes from bnc#891268 +- hint that chkstat --system --set needs to be run after editing bnc#895647 + +------------------------------------------------------------------- +Tue Aug 26 13:00:07 UTC 2014 - meissner@suse.com + +- Do not applies permissions from backup files (~ / .rpmsave / .rpmnew) (bnc#893370) +- do not mention SuSEconfig anymore, long dead (bnc#843083) + +------------------------------------------------------------------- +Fri Aug 1 11:25:40 UTC 2014 - meissner@suse.com + +- append a / to /var/log/journal so the framework makes sure it is a directory bnc#888151 + +------------------------------------------------------------------- +Wed Jul 23 11:38:42 UTC 2014 - meissner@suse.com + +- make innbind mode 4550 (bnc#876287) +- permissions: Adding systemd-journal directory (bnc#888151) + +------------------------------------------------------------------- +Mon Jul 21 13:31:48 UTC 2014 - krahmer@suse.com + +- permissions: Adding 
new kdesud path for KDE5 (bnc#872276) + +------------------------------------------------------------------- +Tue Jul 1 11:19:57 UTC 2014 - meissner@suse.com + +- vlock_main lost its permission checking, so remove from here. + +------------------------------------------------------------------- +Mon Jun 16 11:46:15 UTC 2014 - meissner@suse.com + +- opiesu,wodim,vlock-main have no setuid root. (bnc#882035) + +------------------------------------------------------------------- +Thu Jun 5 08:10:33 UTC 2014 - meissner@suse.com + +- tighten /etc/crontab to be always mode 600, even in easy (bnc#867799) + +------------------------------------------------------------------- +Tue Apr 15 14:24:36 UTC 2014 - meissner@suse.com + +- duplicate /var/run entries to /run (bnc#873708) + +------------------------------------------------------------------- +Mon Mar 24 10:31:20 UTC 2014 - krahmer@suse.com + +- permissions: incorporating capability for mtr, removing +s from ping + (bnc#865351) + +------------------------------------------------------------------- +Mon Oct 28 10:46:48 UTC 2013 - meissner@suse.com + +- GIT repo moved to GITHUB. 
+- removed the setuid bit from "eject" (bnc#824406) + +------------------------------------------------------------------- +Thu Aug 22 11:40:20 UTC 2013 - meissner@suse.com + +- do not use magic constants for strlen (bnc#834790 + +------------------------------------------------------------------- +Wed Aug 21 12:53:39 UTC 2013 - meissner@suse.com + +- Chrome sandbox also allowed to be setuid root in secure mode now (bnc#718016) + +------------------------------------------------------------------- +Fri Aug 16 13:25:56 UTC 2013 - meissner@suse.com + +- use PERMISSION_FSCAPS + +------------------------------------------------------------------- +Fri Aug 16 13:08:10 UTC 2013 - meissner@suse.com + +- it is PERMISSIONS_FSCAPS (bnc#834790) +- qemu-bridge-helper has no special privileges currently (bnc#765948) + +------------------------------------------------------------------- +Wed Jun 12 11:10:18 UTC 2013 - meissner@suse.com + +- utempter helper binary moved in new version to /usr/lib/utempter/utempter (bnc#823302) + +------------------------------------------------------------------- +Mon Jun 10 09:46:15 UTC 2013 - meissner@suse.com + +- cdrtools: allow some filesystem capabilities for more stable CD/DVD + burning in "easy" mode. 
(bnc#550021) (cap_sys_nice, cap_sys_rawio, + cap_sys_resource, cap_ipc_lock) + +------------------------------------------------------------------- +Wed May 8 14:27:12 UTC 2013 - meissner@suse.com + +- leave out readcd,cdda2wav,cdrecord until it is ready for the distro (bnc#550021) + +------------------------------------------------------------------- +Sat May 4 08:32:17 UTC 2013 - meissner@suse.com + +- cdrecord currently has no special permissions approved (bnc#550021) +- append a / + +------------------------------------------------------------------- +Tue Jan 29 14:00:08 UTC 2013 - meissner@suse.com + +- Allow pcp to have stickybit worldwriteable directories + +------------------------------------------------------------------- +Tue Nov 27 15:41:16 UTC 2012 - meissner@suse.com + +- add /usr/bin/dumpcap to watchlist +- make fscaps=1 the default on "" +- added PERMISSION_FSCAPS to the sysconfig/security fillup template. +- /bin/ping(6) was moved to /usr/bin/ping(6) /bin/eject was moved to /usr/bin/eject + +------------------------------------------------------------------- +Wed Nov 21 13:56:34 UTC 2012 - lnussel@suse.de + +- apply permissions settings in %post. During initial installation + some packages might be installed before the permissions package + due to dependency loops so we need to make sure their settings + are applied too. Also, on update of the permissions package + changed permission settings may need to be applied. + +------------------------------------------------------------------- +Mon Oct 15 11:49:04 UTC 2012 - lnussel@suse.de + +- temporarily add su.core. workaround for the migration of su from + coreutils to util-linux needs to be reverted as soon as util-linux + is also in + +------------------------------------------------------------------- +Tue Sep 25 14:55:21 UTC 2012 - meissner@suse.com + +- no longer install SuSEconfig.permissions, SuSEconfig is gone. 
+ +------------------------------------------------------------------- +Fri Jul 6 09:01:18 UTC 2012 - meissner@suse.com + +- enable ecryptfs-utils setuid root mount wrapper (bnc#740110) in .easy + +------------------------------------------------------------------- +Mon Jun 4 11:37:27 UTC 2012 - lnussel@suse.de + +- remove /var/run/vi.recover (bnc#765288) + +------------------------------------------------------------------- +Fri Jun 1 07:23:46 UTC 2012 - lnussel@suse.de + +- remove /var/cache/fonts (bnc#764885) +- remove /var/lib/xemacs/lock/ (bnc#764887) + +------------------------------------------------------------------- +Thu May 31 11:07:25 UTC 2012 - lnussel@suse.de + +- Revert "Use credentials from within the root file system" + breaks use of --root option in brp-05-permissions + +------------------------------------------------------------------- +Tue May 15 14:46:22 UTC 2012 - lnussel@suse.de + +- print warning when requested to check not listed files +- Use credentials from within the root file system + +------------------------------------------------------------------- +Wed Feb 8 08:15:50 UTC 2012 - lnussel@suse.de + +- add duplicate entries for / and /usr (bnc#745622) + +------------------------------------------------------------------- +Tue Feb 7 12:09:17 UTC 2012 - lnussel@suse.de + +- add scripts for automatic package sumission +- drop zypp-refresh-wrapper (bnc#738677) + +------------------------------------------------------------------- +Mon Nov 7 09:39:43 UTC 2011 - lnussel@suse.de + +- disable run time fscaps detection (bnc#728312) + +------------------------------------------------------------------- +Fri Sep 23 08:37:21 UTC 2011 - lnussel@suse.de + +- set permission by default in SuSEconfig mode as permissions are + only set when called explicitly anyways (bnc#720010). 
+ +------------------------------------------------------------------- +Wed Sep 21 08:00:28 UTC 2011 - lnussel@suse.de + +- fix typo in path + +------------------------------------------------------------------- +Tue Sep 20 14:47:30 UTC 2011 - lnussel@suse.de + +- remove world writable /var/crash again (bnc#438041) +- remove world writable permissions from /usr/src/packages (bnc#719217) + +------------------------------------------------------------------- +Tue Sep 20 13:38:48 UTC 2011 - lnussel@suse.de + +- add chromium browser sandbox helper (bnc#718016) +- don't offer PERMISSION_SECURITY in config anymore +- remove setgid games bits (bnc#429882) + +------------------------------------------------------------------- +Tue Jun 28 12:53:22 UTC 2011 - lnussel@suse.de + +- remove setuid bit from opiesu (bnc#698772) + +------------------------------------------------------------------- +Fri Jun 17 09:46:29 UTC 2011 - lnussel@suse.de + +- disable fscaps by default as factory kernel still doesn't have the + required patch for auto detection + +------------------------------------------------------------------- +Thu May 26 15:23:49 UTC 2011 - lnussel@suse.de + +- read /sys/kernel/fscaps for fscaps settings + +------------------------------------------------------------------- +Thu May 12 11:48:36 UTC 2011 - lnussel@suse.de + +- change path to gnome-pty-helper (bnc#690202) + +------------------------------------------------------------------- +Mon Mar 7 15:08:33 UTC 2011 - lnussel@suse.de + + - setuid bit on VBoxNetDHCP (bnc#669055) + +------------------------------------------------------------------- +Mon Feb 14 08:09:21 UTC 2011 - lnussel@suse.de + +- fix hawk permissions (bnc#665045) + +------------------------------------------------------------------- +Wed Feb 9 13:25:29 UTC 2011 - lnussel@suse.de + +- add hawk (bnc#665045) + +------------------------------------------------------------------- +Thu Dec 2 10:20:11 UTC 2010 - lnussel@suse.de + +- remove Xorg setuid bit 
(bnc#632737) + +------------------------------------------------------------------- +Thu Nov 18 10:52:39 UTC 2010 - lnussel@suse.de + +- update permissions of lastlog, faillog, wtmp, utmp and btmp + +------------------------------------------------------------------- +Wed Nov 17 11:02:37 UTC 2010 - lnussel@suse.de + +- remove permissions handling for /etc/inittab, /etc/inetd.conf and /etc/mtab +- revert previous commit, done in coreutils instead + +------------------------------------------------------------------- +Tue Nov 16 16:10:09 UTC 2010 - lnussel@suse.de + +- change fillup deps to requires to avoid coreutils loop + +------------------------------------------------------------------- +Tue Nov 16 15:10:53 UTC 2010 - lnussel@suse.de + +- change utempter from group tty to group utmp (bnc#652877) + +------------------------------------------------------------------- +Tue Nov 9 12:51:10 UTC 2010 - lnussel@suse.de + +- add permissions man page +- update docu +- add --level option +- set perms for setuid files always if owner changes +- strip root dir when printing file names + +------------------------------------------------------------------- +Tue Nov 9 09:25:17 UTC 2010 - lnussel@suse.de + +- add option to explicitly warn only + +------------------------------------------------------------------- +Fri Nov 5 14:00:30 UTC 2010 - lnussel@suse.de + +- reimplement the core features in chkstat itself instead of + SuSEconfig.permissions + +------------------------------------------------------------------- +Thu Nov 4 16:17:25 UTC 2010 - lnussel@suse.de + +- don't make changes if not called explicitly + +------------------------------------------------------------------- +Wed Nov 3 14:16:54 UTC 2010 - lnussel@suse.de + +- add support for file system capabilities + +------------------------------------------------------------------- +Mon Oct 18 13:37:40 UTC 2010 - lnussel@suse.de + +- remove vlock (bnc#629236#c13) + 
+------------------------------------------------------------------- +Tue Oct 5 13:33:08 UTC 2010 - lnussel@suse.de + +- update path to gnome-pty-helper (bnc#634199) + +------------------------------------------------------------------- +Wed Sep 22 15:29:43 UTC 2010 - lnussel@suse.de + + - vlock -> vlock-main (bnc#629236) + +------------------------------------------------------------------- +Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de + +- use %_smp_mflags + +------------------------------------------------------------------- +Fri Apr 23 09:41:10 UTC 2010 - lnussel@suse.de + + - add lockdev (bnc#588325) + +------------------------------------------------------------------- +Wed Apr 7 14:45:28 UTC 2010 - lnussel@suse.de + +- update for innd update (bnc#594393) +- remove lppasswd (bnc#574336) + +------------------------------------------------------------------- +Tue Dec 8 10:16:07 CET 2009 - jengelh@medozas.de + +- enable parallel building + +------------------------------------------------------------------- +Wed Oct 7 14:54:21 UTC 2009 - lnussel@suse.de + +- add /usr/lib/virtualbox/VBoxNetAdpCtl (bnc#533550) + +------------------------------------------------------------------- +Thu Aug 27 10:00:19 UTC 2009 - lnussel@suse.de + +- add /usr/src/packages/BUILDROOT/ for rpm 4.7 + +------------------------------------------------------------------- +Wed Aug 26 13:09:55 UTC 2009 - lnussel@suse.de + +- add more arm directories to /usr/src/packages/RPMS/ + +------------------------------------------------------------------- +Mon Aug 24 09:53:25 UTC 2009 - lnussel@suse.de + +- remove permissions handling for traceroute6 and cdrecord which are + symlinks nowadays + +------------------------------------------------------------------- +Thu Aug 20 08:30:02 UTC 2009 - lnussel@suse.de + +- fix weird sendfax permissions (bnc#525954) + +------------------------------------------------------------------- +Wed Aug 19 11:17:53 UTC 2009 - lnussel@suse.de + +- permissions now 
maintained at gitorious so use tarball instead of + individual files + +------------------------------------------------------------------- +Wed Aug 12 09:57:12 CEST 2009 - meissner@suse.de + +- added polkit setuid root helpers after review (bnc#523377) + +------------------------------------------------------------------- +Fri Aug 7 10:42:53 CEST 2009 - meissner@suse.de + +- also added KDE4 start_kdeinit (same source as kde3 start_kdeinit), + bnc#523833 + +------------------------------------------------------------------- +Thu Aug 6 16:38:20 CEST 2009 - meissner@suse.de + +- open-vm-tools gets setuid root:root in mode easy (bnc#474285) + +------------------------------------------------------------------- +Tue Jul 28 13:00:44 UTC 2009 - lnussel@suse.de + + - hylafax directory permissions are handled by the package + - change group of amanda binaries (bnc#523006) + +------------------------------------------------------------------- +Mon Mar 2 11:26:53 CET 2009 - lnussel@suse.de + +- add some missing slashes to directories and remove entries for at + and cron (bnc#480855) + +------------------------------------------------------------------- +Tue Nov 25 14:10:13 CET 2008 - lnussel@suse.de + +- add VirtualBox (bnc#429725) + +------------------------------------------------------------------- +Fri Nov 7 14:39:10 CET 2008 - lnussel@suse.de + +- add newrole from policycoreutils (bnc#440596) + +------------------------------------------------------------------- +Thu Oct 23 09:23:59 CEST 2008 - lnussel@suse.de + +- add udev device files (bnc#438039) +- add system crash dump directory (bnc#438041) +- add bind chroot devices (bnc#438045) + +------------------------------------------------------------------- +Mon Oct 20 17:05:30 CEST 2008 - lnussel@suse.de + +- dbus-daemon-launch-helper neeeds to be setuid in level secure + (bnc#435776) + +------------------------------------------------------------------- +Thu Sep 25 15:38:39 CEST 2008 - lnussel@suse.de + +- change 
/var/games to 755 to prevent ill-considered maneuvers there + (bnc#429882) + +------------------------------------------------------------------- +Thu Sep 11 17:03:04 CEST 2008 - lnussel@suse.de + +- remove static smpppd config file permissions +- fix permissions of polkit-set-default-helper +- grant permissions to PolicyKit helpers also in level secure + +------------------------------------------------------------------- +Tue Jul 15 11:40:22 CEST 2008 - lnussel@suse.de + +- ensure correct permissions on ssh files to avoid sshd refusing + logins (bnc#398250) + +------------------------------------------------------------------- +Thu Jul 3 11:33:29 CEST 2008 - lnussel@suse.de + +- adapt permissions of lppasswd for current cups setup (bnc#406058) + +------------------------------------------------------------------- +Mon Jun 2 11:46:30 CEST 2008 - lnussel@suse.de + +- add mount.nfs due to an ever increasing number of users + hit by the regression (bnc#331020, bnc#304318) + +------------------------------------------------------------------- +Wed May 7 15:18:04 CEST 2008 - lnussel@suse.de + +- zypp-checkpatches-wrapper -> zypp-refresh-wrapper (bnc#385207) + +------------------------------------------------------------------- +Mon Apr 21 16:03:22 CEST 2008 - lnussel@suse.de + +- /dev/full should be 0666 (bnc#379545) + +------------------------------------------------------------------- +Thu Apr 17 09:45:03 CEST 2008 - lnussel@suse.de + +- update chkstat manpage and support '--' argument for chkstat + (bnc#57438) + +------------------------------------------------------------------- +Wed Mar 12 13:09:51 CET 2008 - lnussel@suse.de + +- new PolicyKit permissions (bnc#295341) +- remove obsolete entries for scmxx and zapping + +------------------------------------------------------------------- +Mon Jan 7 12:24:47 CET 2008 - lnussel@suse.de + +- remove setuid bits on man (#351988) + +------------------------------------------------------------------- +Mon Dec 3 15:46:50 
CET 2007 - lnussel@suse.de + +- add dbus-daemon-launch-helper (#333361) + +------------------------------------------------------------------- +Fri Nov 2 23:11:57 CET 2007 - dmueller@suse.de + +- kcheckpass/kdesud moved to %_libdir/kde4/libexec + +------------------------------------------------------------------- +Wed Oct 17 16:09:03 CEST 2007 - lnussel@suse.de + +- remove bing (#306626) + +------------------------------------------------------------------- +Fri Oct 12 13:30:57 CEST 2007 - lnussel@suse.de + +- remove suexec2 (#263789) + +------------------------------------------------------------------- +Fri Aug 10 21:02:03 CEST 2007 - aj@suse.de + +- Readd nscd socket permissions, otherwise glibc build will fail. + +------------------------------------------------------------------- +Fri Aug 10 09:23:16 CEST 2007 - lnussel@suse.de + +- add PolicyKit helpers (#295341) + +------------------------------------------------------------------- +Wed Aug 8 11:11:43 CEST 2007 - lnussel@suse.de + +- remove nscd socket permission handling as chkstat refuses to touch + that file anyways (#298334). + +------------------------------------------------------------------- +Tue Jun 12 15:22:22 CEST 2007 - schwab@suse.de + +- permissions.local: Fix comment to use uid:gid instead of uid.gid. 
+ +------------------------------------------------------------------- +Fri Jun 1 15:44:55 CEST 2007 - lnussel@suse.de + +- package /etc/permissions.local + +------------------------------------------------------------------- +Wed May 30 10:47:52 CEST 2007 - lnussel@suse.de + +- add /usr/bin/kcheckpass and /usr/bin/kdesud (#276502) + +------------------------------------------------------------------- +Wed Apr 18 18:23:19 CEST 2007 - dmueller@suse.de + +- create debuginfo package (#265667) + +------------------------------------------------------------------- +Thu Feb 22 17:50:27 CET 2007 - lnussel@suse.de + +- prefer package specific permissions files over central ones + (#246252) + +------------------------------------------------------------------- +Thu Feb 22 16:51:06 CET 2007 - lnussel@suse.de + +- add /opt/kde3/bin/start_kdeinit (#203535) +- remove entries for dropped packages OpenPBS and xtetris + +------------------------------------------------------------------- +Wed Jan 17 13:53:28 CET 2007 - lnussel@suse.de + +- make pam authentication helpers unix_chkpwd, unix2_chkpwd and + pam_auth setuid root instead of setgid shadow (#216816) + +------------------------------------------------------------------- +Wed Jan 10 15:12:53 CET 2007 - sbrabec@suse.cz + +- Prefix of /opt/gnome binaries changed to /usr. +- Removed gnome-stones. 
+ +------------------------------------------------------------------- +Mon Nov 13 11:40:32 CET 2006 - lnussel@suse.de + +- remove khc_indexbuilder (#188192) + +------------------------------------------------------------------- +Mon Oct 16 16:08:06 CEST 2006 - lnussel@suse.de + +- add zypp patch checking helper (#211286) + +------------------------------------------------------------------- +Wed Aug 23 09:59:37 CEST 2006 - lnussel@suse.de + +- /usr/X11R6 -> /usr +- remove obsolete entries for xmris,pcmcia-cardinfo,geki2,vmware,nicimud + +------------------------------------------------------------------- +Thu Aug 17 14:27:17 CEST 2006 - cthiel@suse.de + +- change paths for v4l-conf from /usr/X11R6/bin to /usr/bin + +------------------------------------------------------------------- +Thu Jul 20 16:32:35 CEST 2006 - sndirsch@suse.de + +- Xorg moved from /usr/X11R6/bin to /usr/bin; fixes build of + xorg-x11-server package + +------------------------------------------------------------------- +Tue Jun 27 08:21:00 CEST 2006 - lnussel@suse.de + +- remove setuid bit on gpg (#137562) + +------------------------------------------------------------------- +Fri May 19 15:48:04 CEST 2006 - lnussel@suse.de + +- add get_printing_ticket in order to enable smb printing with + kerberos authentication (#177114) + +------------------------------------------------------------------- +Wed May 17 11:42:30 CEST 2006 - lnussel@suse.de + +- add setuid bit to gnomesu-pam-backend in level secure (#175616) + +------------------------------------------------------------------- +Thu Feb 23 18:27:24 CET 2006 - schwab@suse.de + +- /usr/lib/ia32el/suid_libia32x.so renamed to suid_ia32x_loader. 
+ +------------------------------------------------------------------- +Wed Jan 25 21:30:49 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Mon Jan 16 13:57:03 CET 2006 - meissner@suse.de + +- removed pmount, pumount. +- moved pmpost to /usr/lib/pcp/pmpost. + +------------------------------------------------------------------- +Thu Dec 15 16:06:44 CET 2005 - lnussel@suse.de + +- /opt/kde3/bin/fileshareset -> /usr/bin/fileshareset + +------------------------------------------------------------------- +Fri Dec 9 19:57:11 CET 2005 - meissner@suse.de + +- temporary only setuid bit for pmount and pumount. #135792 + +------------------------------------------------------------------- +Wed Nov 23 09:22:05 CET 2005 - lnussel@suse.de + +- add /usr/bin/fusermount (#133657) + +------------------------------------------------------------------- +Mon Nov 21 09:32:56 CET 2005 - lnussel@suse.de + +- remove Xwrapper, it's a symlink nowadays (#134611) + +------------------------------------------------------------------- +Wed Nov 2 22:31:11 CET 2005 - dmueller@suse.de + +- don't build as root + +------------------------------------------------------------------- +Thu Oct 13 13:22:49 CEST 2005 - meissner@suse.de + +- nici moved to /var/opt/novell/... + +------------------------------------------------------------------- +Tue Oct 11 17:34:40 CEST 2005 - meissner@suse.de + +- Temporary added setuid binary from "nici" (Novell I? Crypto Interface), + bug #127545. 
+ +------------------------------------------------------------------- +Fri Sep 30 13:28:00 CEST 2005 - lnussel@suse.de + +- add slashes to several directories (#103186) +- change /var/games to games:games 775 again (#103186) + +------------------------------------------------------------------- +Tue Aug 30 09:23:08 CEST 2005 - lnussel@suse.de + +- remove kpopup helper (#100132) + +------------------------------------------------------------------- +Thu Aug 25 15:17:57 CEST 2005 - lnussel@suse.de + +- add /opt/gnome/sbin/change-passwd (#104993) + +------------------------------------------------------------------- +Thu Aug 11 11:01:36 CEST 2005 - lnussel@suse.de + +- remove xmcd (#104040) +- add suexec2 from apache2 (#66304) +- add exim (#66306) + +------------------------------------------------------------------- +Thu Aug 11 08:55:45 CEST 2005 - lnussel@suse.de + +- remove /opt/gnome/bin/iagno (#103844) + +------------------------------------------------------------------- +Wed Aug 10 17:34:36 CEST 2005 - lnussel@suse.de + +- remove xbl (#103762) +- clean up bsd games list (#103785) +- remove score files as they are the same in all levels anyways + +------------------------------------------------------------------- +Wed Aug 10 10:53:31 CEST 2005 - lnussel@suse.de + +- change /var/games{,/xsok} to root:root (#103186) + +------------------------------------------------------------------- +Fri Aug 5 08:38:22 CEST 2005 - lnussel@suse.de + +- /usr/sbin/isdnctrl -> /sbin/isdnctrl (#100750) + +------------------------------------------------------------------- +Tue Aug 2 16:00:09 CEST 2005 - lnussel@suse.de + +- remove kde games again. Turned out they don't work as intended. 
+ +------------------------------------------------------------------- +Tue Aug 2 11:59:41 CEST 2005 - lnussel@suse.de + +- cardctl -> pccardctl (#100120) + +------------------------------------------------------------------- +Fri Jul 22 10:34:32 CEST 2005 - lnussel@suse.de + +- add setgid games to some kde games + +------------------------------------------------------------------- +Wed Jun 8 14:36:57 CEST 2005 - lnussel@suse.de + +- use correct gnomesu-pam-backend path + +------------------------------------------------------------------- +Tue Jun 7 10:01:22 CEST 2005 - lnussel@suse.de + +- add gnomesu-pam-backend (#75823) +- add lppasswd (#66305) +- make ntping 4750 root:trusted also in easy (#66211) +- add cl_status from heartbeat (#66310) +- remove unused /opt/gnome/sbin/change-passwd + +------------------------------------------------------------------- +Tue May 17 00:29:21 CEST 2005 - ro@suse.de + +- added /opt/gnome/sbin/change-passwd + +------------------------------------------------------------------- +Mon Apr 25 16:45:30 CEST 2005 - lnussel@suse.de + +- add OpenPBS permissions (#66320) + +------------------------------------------------------------------- +Tue Mar 1 16:14:48 CET 2005 - lnussel@suse.de + +- fix inn permissions (#67032) +- remove setuid bit from ziptool (#66191) + +------------------------------------------------------------------- +Wed Feb 23 11:53:33 CET 2005 - lnussel@suse.de + +- remove no longer existing files +- remove setuid plpnfsd (#66207) +- remove setuid bit from dga program +- change vmware permissions +- add /opt/kde3/bin/receivepopup (#66313) +- add /opt/kde3/bin/fileshareset (#66312) +- add /usr/bin/scmxx (#66309) +- add some missing mailman files (#66315) +- include perl script to perform some basic consistency checks + +------------------------------------------------------------------- +Mon Jan 31 16:32:14 CET 2005 - meissner@suse.de + +- backported security fix from SLES 9 branch. 
#43035 + +------------------------------------------------------------------- +Sat Jan 15 20:40:04 CET 2005 - schwab@suse.de + +- Comment fixes. + +------------------------------------------------------------------- +Mon Nov 22 21:02:36 CET 2004 - sndirsch@suse.de + +- permissions.secure: set Xorg to 0711 (4711 before) + +------------------------------------------------------------------- +Wed Nov 10 15:07:02 CET 2004 - ro@suse.de + +- /var/cache/fonts to 1777 (as in tetex perms before) + +------------------------------------------------------------------- +Mon Nov 8 14:37:25 CET 2004 - kukuk@suse.de + +- Add nscd socket to permissions file + +------------------------------------------------------------------- +Tue Sep 14 18:50:46 CEST 2004 - ro@suse.de + +- do not use rpm in SuSEconfig.permissions (#45252) + +------------------------------------------------------------------- +Tue Sep 14 17:21:40 CEST 2004 - ro@suse.de + +- dropped check for perl in SuSEconfig.permissions (#45252) + +------------------------------------------------------------------- +Wed May 26 12:34:57 MEST 2004 - draht@suse.de + +- /usr/lib/ia32el/suid_libia32x.so set to (6755,0755,0755) (#40234) + source code audit in progress (#40234) (thomas) + +------------------------------------------------------------------- +Fri May 14 15:26:23 CEST 2004 - ro@suse.de + +- /usr/lib/ia32el/suid_libia32x.so added to easy,secure,paranoid + (0755,0755,0755) (#40234) + +------------------------------------------------------------------- +Thu Apr 15 14:16:03 CEST 2004 - sndirsch@suse.de + +- XFree86 --> Xorg in permissions files + +------------------------------------------------------------------- +Tue Apr 6 12:45:32 CEST 2004 - mls@suse.de + +- added --root option for buildroot operation + +------------------------------------------------------------------- +Mon Apr 5 15:27:52 CEST 2004 - mls@suse.de + +- chkstat: fixed relative symlink chasing +- /usr/src/packages/RPMS back to 1777 in easy, as chkstat can + 
now handle it + +------------------------------------------------------------------- +Sun Apr 4 21:30:02 CEST 2004 - mls@suse.de + +- chkstat: added missing link count check and safepath() function +- chkstat: refuse to give away s-bits on insecure paths +- chkstat: bugfix: stat file again after chown, as modes may have + changed + +------------------------------------------------------------------- +Fri Apr 2 17:44:08 CEST 2004 - mls@suse.de + +- chkstat: re-implemented it in C to make it more secure + +------------------------------------------------------------------- +Thu Apr 1 10:17:00 CEST 2004 - kukuk@suse.de + +- Remove /var/lock/subsys [#37759] +- Add sticky bit to /var/lock [#37759] + +------------------------------------------------------------------- +Wed Mar 24 01:13:41 MET 2004 - draht@suse.de + +- make /usr/bin/gpg setuid root in easy+secure, 0755 in paranoid. + #33570. + +------------------------------------------------------------------- +Tue Mar 23 19:06:18 MET 2004 - draht@suse.de + +- #36741: /usr/src/packages/RPMS 1777->0755 in easy. 
+ +------------------------------------------------------------------- +Mon Mar 22 15:28:59 CET 2004 - kukuk@suse.de + +- Fix syntax error in permission.easy +- /usr/bin/ssh should be always 0755 + +------------------------------------------------------------------- +Fri Feb 13 12:09:14 MET 2004 - draht@suse.de + +- /var/run/uscreens (root:root 1777) added + +------------------------------------------------------------------- +Thu Feb 12 14:18:55 CET 2004 - kukuk@suse.de + +- Don't modify group of crontab and at useless + +------------------------------------------------------------------- +Fri Jan 9 23:17:42 CET 2004 - kukuk@suse.de + +- Add RPM directory for hppa2.0 + +------------------------------------------------------------------- +Fri Nov 21 01:02:32 CET 2003 - ro@suse.de + +- fpexec decrease go rights to 11 + +------------------------------------------------------------------- +Wed Nov 5 00:12:41 CET 2003 - ro@suse.de + +- inn scripts: u-w (not needed) + +------------------------------------------------------------------- +Mon Nov 3 13:08:38 CET 2003 - schwab@suse.de + +- chkstat: fix option parsing. 
+ +------------------------------------------------------------------- +Wed Oct 29 09:18:20 CET 2003 - kukuk@suse.de + +- Sync permissions for shadow package + +------------------------------------------------------------------- +Tue Oct 28 16:24:10 CET 2003 - ro@suse.de + +- require /sbin/SuSEconfig + +------------------------------------------------------------------- +Tue Oct 28 16:06:42 CET 2003 - ro@suse.de + +- chkstat: added some new extensions: + allow specifying singular files or a filelist to be checked + output previous/current mode of a failed file + adapted manpage + +------------------------------------------------------------------- +Tue Oct 21 19:40:33 MEST 2003 - draht@suse.de + +- permissions.secure: /etc/ftpusers 0640 root.root -> 0644 + +------------------------------------------------------------------- +Mon Oct 20 18:07:29 CEST 2003 - ro@suse.de + +- permissions.*: use ":" and not "." to separate user/group +- chkstat: output also which of (permissions/owner) is wrong +- chkstat: don't try to chown if not root + +------------------------------------------------------------------- +Tue Oct 14 16:06:06 MEST 2003 - draht@suse.de + +- reformatting of all 4 permissions files. xkobo, rocksndiamonds, + xlogical, lbreakout2 and ltris path adoptions. + for future reference: :-) + for i in permissions permissions.easy permissions.secure + permissions.paranoid; do cat $i | \ + awk '/^(#|$)/ { print $0; next; } + { if(NF > 3) {printf("error: %s\n",$0);exit}; + printf("%-55s %-17s %4s\n",$1,$2,$3)}' \ + > $i.. && mv $i.. 
$i; done + +------------------------------------------------------------------- +Thu Sep 18 16:05:54 CEST 2003 - kukuk@suse.de + +- Fix group of straps, popauth and ntping +- Remove some GNOME games which do not need special rights anymore + +------------------------------------------------------------------- +Tue Sep 16 22:34:41 CEST 2003 - kukuk@suse.de + +- permissions.easy: change group of bing, vboxbeep, plpnfsd to + trusted, majordomo/wrapper to daemon + +------------------------------------------------------------------- +Tue Sep 16 11:39:04 CEST 2003 - kukuk@suse.de + +- permissions.easy: change group of gpasswd and ziptool to trusted + +------------------------------------------------------------------- +Tue Sep 2 17:11:52 CEST 2003 - kkeil@suse.de + +- fix user fax for hylafax specific files + +------------------------------------------------------------------- +Tue Sep 2 08:47:35 CEST 2003 - kukuk@suse.de + +- fix path to cons.saver, remove setuid bit in paranoid (#25907) +- remove screen +- remove smail (dropped years ago) + +------------------------------------------------------------------- +Mon Sep 1 18:26:32 CEST 2003 - kkeil@suse.de + +- fix group for isdnctrl uucp --> dialout (#28997) + +------------------------------------------------------------------- +Mon Sep 1 15:06:09 MEST 2003 - draht@suse.de + +- feedback@suse.de -> http://www.suse.de/feedback in all files of + the package. #29635. + +------------------------------------------------------------------- +Sat Aug 23 15:54:13 CEST 2003 - sndirsch@suse.de + +- added martian entries of package pachi + +------------------------------------------------------------------- +Tue Aug 19 11:48:29 CEST 2003 - mmj@suse.de + +- Add sysconfig metadata [#28937] + +------------------------------------------------------------------- +Tue Jul 29 19:12:03 MEST 2003 - draht@suse.de + +- fax changes from Tomas Crhak: faxq-helper and spool directories. 
+ +------------------------------------------------------------------- +Tue Jul 29 14:08:49 CEST 2003 - ro@suse.de + +- gnome games moved back to /opt/gnome + +------------------------------------------------------------------- +Mon Jul 28 16:56:27 CEST 2003 - kukuk@suse.de + +- Remove /var/run from permissions file list [Bug #28289] + +------------------------------------------------------------------- +Mon Jul 28 08:47:31 CEST 2003 - kukuk@suse.de + +- /var/lib/gdm: Removed to solve [Bug #28257] for future products. + +------------------------------------------------------------------- +Fri Jul 25 15:28:10 MEST 2003 - draht@suse.de + +- /usr/lib/vte/gnome-pty-helper -> /opt/gnome/lib/vte/gnome-pty-helper + The same with /opt/gnome/lib64/. + +------------------------------------------------------------------- +Fri Jun 13 09:11:40 CEST 2003 - kukuk@suse.de + +- /usr/lib/mgetty+sendfax/faxq-helper added 4711 in easy and secure + +------------------------------------------------------------------- +Fri May 2 11:42:47 CEST 2003 - sndirsch@suse.de + +- added /usr/games/pachi and /var/games/pachi.scores + +------------------------------------------------------------------- +Mon Mar 10 15:46:45 CET 2003 - sndirsch@suse.de + +- added /usr/games/falconseye.bin +- removed /usr/games/falconseye + +------------------------------------------------------------------- +Mon Mar 10 10:45:30 CET 2003 - kukuk@suse.de + +- added /usr/lib64/vte/gnome-pty-helper until ported to utempter + +------------------------------------------------------------------- +Sun Mar 9 01:15:10 CET 2003 - sndirsch@suse.de + +- added /usr/games/falconseye +- removed old falconseye entries + +------------------------------------------------------------------- +Thu Mar 6 23:58:24 CET 2003 - ro@suse.de + +- added /usr/lib/vte/gnome-pty-helper until ported to utempter + +------------------------------------------------------------------- +Thu Feb 20 11:22:35 CET 2003 - mmj@suse.de + +- Add sysconfig metadata 
[#22686] + +------------------------------------------------------------------- +Tue Feb 18 16:38:12 CET 2003 - kssingvo@suse.de + +- removed squid entries. They will be added and corrected to squids own + permission file /etc/permissions.d/squid (bugzilla#23752): + /var/squid + /var/squid/cache + /var/squid/logs + +------------------------------------------------------------------- +Tue Feb 18 02:55:30 MET 2003 - draht@suse.de + +- /usr/games/trackballs added 2755 games.games in easy. + +------------------------------------------------------------------- +Sun Feb 16 17:19:29 CET 2003 - adrian@suse.de + +- allow khc_indexbuilder to write into /var/cache/susehelp in easy mode +- remove old entries (kreatecd and kscd) + +------------------------------------------------------------------- +Mon Feb 10 01:37:01 MET 2003 - draht@suse.de + +- additions/changes (from #17012, Tobias Burnus): + * read all files from the commandline at once and override + entries given multiple times by the last entry + * enable option --set in addition to -set + * manpage adoptions + * call chkstat only once from SuSEconfig.permissions + +------------------------------------------------------------------- +Thu Feb 6 01:52:49 CET 2003 - ro@suse.de + +- /var/mtrack -> /var/lib/mtrack + +------------------------------------------------------------------- +Tue Nov 19 15:16:41 CET 2002 - ro@suse.de + +- zapping_setup_fb moved to /opt/gnome/sbin + +------------------------------------------------------------------- +Thu Nov 14 13:44:56 CET 2002 - bg@suse.de + +- added hppa to rpm subsystem in permissions files to be able to + finish autobuild + +------------------------------------------------------------------- +Thu Oct 24 13:50:20 CEST 2002 - ro@suse.de + +- two more nethack flavors with sgid games in easy + +------------------------------------------------------------------- +Tue Sep 10 17:40:44 MEST 2002 - draht@suse.de + +- cda entries below /usr/X11R6/lib/X11/xmcd removed. 
+ index.html under /var/lib/xmcd/discog directories added + world-writeable. This is not satisfactory. New user xmcd will be + added in next release. + +------------------------------------------------------------------- +Thu Sep 5 18:43:44 MEST 2002 - draht@suse.de + +- /usr/X11R6/lib/X11/xmcd/bin-Linux-ia64/{cda,xmcd} added. + +------------------------------------------------------------------- +Mon Aug 26 17:22:29 MEST 2002 - draht@suse.de + +- removed all occurrences of kv4lsetup upon request by adrian+uli. +- -s for xlock, xlock-mesa + xscreensaver (#18125), (#18132) +- /usr/src/packages/RPMS/alphaev67 added. +- added /sbin/unix2_chkpwd root.shadow 2755 +- -s /usr/sbin/papd (#18103) + +------------------------------------------------------------------- +Wed Aug 21 16:29:43 MEST 2002 - draht@suse.de + +- removed suid bits from heimdal's su and otp (#18104) + +------------------------------------------------------------------- +Wed Aug 21 16:13:29 MEST 2002 - draht@suse.de + +- remove setuid bit from traceroute due to new implementation by + Olaf Kirch which doesn't need euid root. (#18101) + +------------------------------------------------------------------- +Wed Aug 21 14:16:47 MEST 2002 - draht@suse.de + +- removed lprng entries because of conflicts cups <-> lprng + +------------------------------------------------------------------- +Wed Aug 21 14:14:05 MEST 2002 - draht@suse.de + +- vboxbeep -> 0755 in secure. 
+ +------------------------------------------------------------------- +Mon Aug 19 15:27:09 CEST 2002 - ro@suse.de + +- added prereq (#17956) + +------------------------------------------------------------------- +Mon Aug 19 13:45:43 CEST 2002 - uli@suse.de + +- added nethack for lib64 archs + +------------------------------------------------------------------- +Mon Aug 19 12:32:56 CEST 2002 - uli@suse.de + +- added xmcd for archs != i386 + +------------------------------------------------------------------- +Tue Aug 13 13:48:05 MEST 2002 - draht@suse.de + +- gnome-games2 entries changed/adopted to /opt/gnome2 path. + +------------------------------------------------------------------- +Tue Aug 13 13:30:30 CEST 2002 - draht@suse.de + +- changed kcheckpass from 2755 root.shadow to 4755. (#17664) + +------------------------------------------------------------------- +Wed Jul 31 07:55:06 CEST 2002 - olh@suse.de + +- ncpmount, ncpumount, nwsfind, ncplogin, ncpmap root.trusted 4750 + +------------------------------------------------------------------- +Sat Jul 27 13:19:26 CEST 2002 - kukuk@suse.de + +- Rename group wwwadmin to www +- Rename group game to games + +------------------------------------------------------------------- +Tue Jul 23 12:54:24 MEST 2002 - draht@suse.de + +- added sapdb files, not setuid root in secure,paranoid. + +------------------------------------------------------------------- +Mon Jul 22 18:26:43 MEST 2002 - draht@suse.de + +- added frontpage files + +------------------------------------------------------------------- +Tue Jul 16 15:18:14 MEST 2002 - draht@suse.de + +- changed entries for mailman: group mdom -> mailman + +------------------------------------------------------------------- +Tue Jul 16 03:51:29 MEST 2002 - draht@suse.de + +- mailman sgid mdom files added to easy, secure and paranoid. 
+ +------------------------------------------------------------------- +Wed Jul 10 14:33:50 MEST 2002 - draht@suse.de + +- .paranoid comment fixed about at and cron (#12159) + +------------------------------------------------------------------- +Mon Jul 8 17:24:21 MEST 2002 - draht@suse.de + +- ppp dialup networking fixes and cleanup. + +------------------------------------------------------------------- +Mon Jul 8 15:56:23 MEST 2002 - draht@suse.de + +- modifications: -s for pppd, world-writeable directories for + kdemultimedia3-sound, gift, mips and armv4l RPMS directory. + +------------------------------------------------------------------- +Fri Jul 5 21:13:08 CEST 2002 - kukuk@suse.de + +- Add /usr/src/packages/RPMS/sparcv9 to easy,secure,paranoid. + +------------------------------------------------------------------- +Thu Jul 4 16:26:47 MEST 2002 - draht@suse.de + +- /usr/lib64/pt_chown added to easy,secure,paranoid. + +------------------------------------------------------------------- +Mon Jul 1 19:56:10 MEST 2002 - draht@suse.de + +- entries for packages added or changed: + squid + geki2 + d1x + falconseye + fdutils + gewels + gnome-games + heimdal + lbreakout + lpdfilter + lprng + man + mgetty (/var/spool/fax/outgoing/* need discussion) + mtrack (locfile+satfile -> 0644) + nethack + nvi-m17n (/var/preserve/vi.recover -> 1777) + opie (/bin -> /usr/bin) + pcp + plptools + qpopper + rp-pppoe (/usr/sbin/pppoe-wrapper) + smpppd (/usr/sbin/cinternet-wwwrun wwwrun.dialout 2750) + squid (/usr/sbin/pam_auth) + su-wrapper + xemacs (lock directory changed again? now /var/state/xemacs and /var/lib/xemacs) + xgalaga + xmcd + xscrabble + +------------------------------------------------------------------- +Mon Jul 1 01:01:10 CEST 2002 - ro@suse.de + +- don't install all sources (spec file etc.) 
+ +------------------------------------------------------------------- +Fri Jun 28 14:40:07 MEST 2002 - draht@suse.de + +- minor spec file change + +------------------------------------------------------------------- +Fri Jun 28 12:56:43 MEST 2002 - draht@suse.de + +- entries for packages added: + ftpdir + gnokii + kamplus + geki2 + aaa_dir (/tmp/.ICE-unix) + +------------------------------------------------------------------- +Fri Jun 28 12:56:18 MEST 2002 - draht@suse.de + +- unpack tar archive in source for convenience. + +------------------------------------------------------------------- +Thu Jun 27 23:05:51 CEST 2002 - olh@suse.de + +- update permissions of /usr/src/packages/RPMS/ + +------------------------------------------------------------------- +Fri Jun 21 02:10:26 CEST 2002 - ro@suse.de + +- created package as split off from aaa_base + diff --git a/permissions.rpmlintrc b/permissions.rpmlintrc new file mode 100644 index 0000000..1c537e8 --- /dev/null +++ b/permissions.rpmlintrc @@ -0,0 +1,5 @@ +# the base package needs to have Arch, otherwise we get no -source and +# -debuginfo package (which we need for the chkstat sub package) +addFilter("no-binary") +# it's hard not to repeat "permissions" in the summary +addFilter("name-repeated-in-summary") diff --git a/permissions.spec b/permissions.spec new file mode 100644 index 0000000..78a0198 --- /dev/null +++ b/permissions.spec 
@@ -0,0 +1,142 @@ +# +# spec file for package permissions +# +# Copyright (c) 2025 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: permissions +Version: 1699_20250120 +Release: 0 +Summary: SUSE Linux Default Permissions +# Maintained in github by the security team. +License: GPL-2.0-or-later +Group: Productivity/Security +URL: http://github.com/openSUSE/permissions +Source: permissions-%{version}.tar.xz +Source2: permissions.rpmlintrc +BuildRequires: gcc-c++ +BuildRequires: libacl-devel +BuildRequires: libcap-devel +BuildRequires: libcap-progs +BuildRequires: meson +BuildRequires: python-rpm-macros +BuildRequires: tclap +# test suite +BuildRequires: python3-base +BuildRequires: acl +BuildRequires: system-user-bin +BuildRequires: system-user-nobody +Requires: permctl +Requires: permissions-config +Provides: aaa_base:%{_datadir}/permissions + +%prep +%autosetup + +%build +%meson +%meson_build + +%install +%meson_install +# Fix shebang in scripts: Remove dependency on /usr/bin/python3, +# making scripts to depends on the real python3 binary, not the link. 
+# (bsc#1212476) +for f in %{buildroot}/usr/lib/zypp/plugins/commit/* +do + [ -f $f ] && sed -i "1s@#\!.*python.*@#\!$(realpath %__python3)@" $f +done + +%check +# will fail on qemu with unshare: unshare failed: Invalid argument +#%%if !0%{?qemu_user_space_build} +#%tests/regtest.py --skip-build %_vpath_builddir >/dev/null +#%%endif + +%description +File and directory permission settings depending on the local security +settings. The local security setting ("easy", "secure", or "paranoid") can be +configured in /etc/sysconfig/security. + +This package does not contain files, it just requires the necessary packages. + +%files + +%package config +Summary: SUSE Linux Default Permissions config files +Group: Productivity/Security +Requires(post): %fillup_prereq +Requires(post): permctl +#!BuildIgnore: group(trusted) +Requires(pre): group(trusted) +Obsoletes: permissions-doc <= %{version} +BuildArch: noarch + +%description config +The actual permissions configuration files, /usr/share/permissions/permission.*. + +%files config +%defattr(644, root, root, 755) +%dir %{_datadir}/permissions +%dir %{_datadir}/permissions/permissions.d +%{_datadir}/permissions/permissions +%{_datadir}/permissions/permissions.easy +%{_datadir}/permissions/permissions.secure +%{_datadir}/permissions/permissions.paranoid +%{_datadir}/permissions/variables.conf +%config(noreplace) %{_sysconfdir}/permissions.local +%{_fillupdir}/sysconfig.security +%{_mandir}/man5/permissions.5%{ext_man} + +%post config +%{fillup_only -n security} +# apply all potentially changed permissions +%{_bindir}/permctl --system || : + +%package -n permctl +Summary: SUSE Linux Default Permissions tool +Group: Productivity/Security +Provides: chkstat = %version-%release +Obsoletes: chkstat < %version-%release + +%description -n permctl +Tool to check and set file permissions. 
+ +%files -n permctl +%{_bindir}/chkstat +%{_bindir}/permctl +%{_mandir}/man8/permctl.8%{ext_man} +%{_rpmconfigdir}/macros.d/macros.* + +%package -n permissions-zypp-plugin +BuildArch: noarch +Requires: permissions = %{version} +Requires: python3-zypp-plugin +Requires: libzypp(plugin:commit) = 1 +Summary: A zypper commit plugin for calling permctl +Group: Productivity/Security + +%description -n permissions-zypp-plugin +This package contains a plugin for zypper that calls `permctl --system` after +new packages have been installed. This is helpful for maintaining custom +entries in /etc/permissions.local. + +%files -n permissions-zypp-plugin +%dir /usr/lib/zypp +%dir /usr/lib/zypp/plugins +%dir /usr/lib/zypp/plugins/commit +/usr/lib/zypp/plugins/commit/permissions.py + +%changelog
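Review bot: the older entries in permissions.changes cite bugs as bare numbers in at least five different shapes (`(#188192)`, `[#37759]`, `[Bug #28289]`, `bugzilla#23752`, and a trailing `#43035`), with no tracker prefix, so a reader cannot tell from the entry which tracker to look in. This matters most for the Jan 31 2005 entry, "backported security fix from SLES 9 branch. #43035", where the number is the only information given about what changed. Since this hunk imports history, the old lines can stay as they are, but it would help to state in the package notes which tracker the unprefixed numbers belong to and to keep new entries in one prefixed form.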
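Review bot: the comment above `addFilter("no-binary")` in permissions.rpmlintrc justifies the filter with the debuginfo package needed "for the chkstat sub package", but the spec added in this same commit names that subpackage `permctl` and keeps `chkstat` only as a Provides/Obsoletes. Update the comment to say permctl so the reason for suppressing the warning can still be matched against the spec.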
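Review bot: in permissions.spec the `%check` section is commented out completely, so no build ever runs `tests/regtest.py`, while the four BuildRequires listed under `# test suite` (`python3-base`, `acl`, `system-user-bin`, `system-user-nobody`) are still pulled in. The comment attributes the failure to qemu builds only (`unshare failed: Invalid argument`), so I would make the `%if !0%{?qemu_user_space_build}` guard live and run the tests on native builds, or else drop the unused BuildRequires. If the lines stay commented, note that the middle one uses a single `%` (`#%tests/regtest.py ... %_vpath_builddir`) where its neighbours use `%%`, and rpm expands macros inside comments. Smaller points in the same hunk: the `%install` loop uses `$f` unquoted in both `[ -f $f ]` and the `sed` call; `URL:` is `http://` rather than `https://`; and `%description config` refers to `permission.*` while the files listed under `%files config` are named `permissions.*`.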